Feature Request for Unbound: Orientation

I have a feature request for Unbound: Orientation

Could Unbound use the same DNSSEC methods that confirm the root name
servers to also confirm that an authoritative server on the local
network segment is affirmatively authoritative, private or fqdn? What
this tells me is that my system knows for certain that it is in a
particular network and domain. If so, it can change the firewall rules
and run services as well as scripts for synchronization, etc... These
are all things I would only want to do if I were on my own network. Or
maybe I would want to do them differently depending on my system's
network/domain orientation. This is a question more and more systems
will face, and I think Unbound can be the best way to know where one
is in these networks.

As a bonus, if Unbound could communicate the system's orientation by
way of D-Bus it would be even more useful. [re: systemd?]

I understand that eventually unbound may want to be able to deal with
subnets or non-local authoritative name servers, but first I hope to
hear if this feature request does what I think it does. Or is this
done by something else already?

So, is this something Unbound might want to do? Is it useful?

Thanks - Ed

I think it would be more the other way around (as Wouter has been
experimenting with using dnssec-trigger). NetworkManager/DBus determines
your network, and reconfigures unbound appropriately.

Perhaps you can do something with unbound-anchor for your private keys,
but in the end, anyone that can replay dnssec data can "pretend" to be
your secure network, so DNS is not a good measurement.

Paul

You could use authpf on OpenBSD or encrypted port knocking, I forget
the name, where your server receives a single packet which causes
whatever effects you want. These methods would be far more secure than
DNSSEC too.