All,
I am wondering if it's possible to issue >1 command over the SSL control channel? Specifically "flush" commands for >1 host. I might want to flush anything from 1-1000 specific hosts from the cache (most commonly 2-10) every few minutes.
Background: We run a set of bind 9 servers as our recursive resolvers. These servers also stealth slave our own zones, which are updated by DDNS from our database. NOTIFY & IXFR therefore ensure the recursive servers always have a "correct" copy of our data, to within a few minutes at most.
I am considering a move away from this model, and was initially reluctant to look at unbound because of the difficulty of maintaining this stealth slave. However it then occurred to me that I could simply "flush" the changed names inside the master update process, since I know what they are.
I don't really want to either lower the TTL or run a 2nd low-TTL copy of our master zones.
From a quick glance the source code seems only to take a single command over the socket; would an attempt at a patch be accepted or useful?
Cheers,
Phil
I am wondering if it's possible to issue >1 command over the SSL control
channel? Specifically "flush" commands for >1 host. I might want to
flush anything from 1-1000 specific hosts from the cache (most commonly
2-10) every few minutes.
...well if all your DDNS stuff is not in your 'main' zone[1] then you
could just use 'flush_zone' instead.
I am considering a move away from this model, and was initially
reluctant to look at unbound because of the difficulty of maintaining
this stealth slave. However it then occurred to me that I could simply
"flush" the changed names inside the master update process, since I
know what they are.
We use BIND9 (pulling from LDAP) for our hidden primary, and shovel our
external view zone to...well yourself and the internal view to two
internal instances of NSD3. These run on the same boxes as unbound,
they give our internal clients recursive action, fronted by some Cisco
IOS SLB action.
The NSD3 daemons are IXFRing so always have the latest copy of
hosts.soas.ac.uk and unbound has a bunch of 'stub-zone' steering them at
localhost (also to deal with the DNS view issue for our regular zones
too).
<shameless-plug>
See me at Networkshop 38 showing just this! 
</shameless-plug>
I'm yet to start calling regularly 'flush_zone', but it is on my todo
list.
Cheers
[1] we have no DDNS entries in 'soas.ac.uk', however we do use it for
'hosts.soas.ac.uk'
The "unbound-control" man page describes this as slow, and "ic.ac.uk" is a big zone, soon to get a lot bigger when we DNSSEC sign it.
I'd prefer not to blow away more of the cache than I have to. As I say, most updates are 1/2 hosts in which case I guess reconnecting to the control channel is not too onerous, but it seems... icky.
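As an added example that is not from any of the posts above: a small POSIX shell hook for the master-update process described in the first message, which flushes each changed name with a separate unbound-control invocation (one command per connection, as the thread notes) and falls back to the flush_zone suggested in the reply once more names have changed than a threshold allows. UNBOUND_CONTROL, ZONE_THRESHOLD and DRY_RUN are the script's own assumed knobs, not unbound settings; the zone name hosts.soas.ac.uk is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): flush changed names from
# unbound's cache after a DDNS update. unbound-control takes one command per
# connection, so each name costs one invocation; when more than
# ZONE_THRESHOLD names under one zone changed, a single 'flush_zone' is
# issued instead. All three variables below are assumptions of this script.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
ZONE_THRESHOLD="${ZONE_THRESHOLD:-20}"   # above this many names, flush the zone
DRY_RUN="${DRY_RUN:-0}"                 # 1: print the commands instead of running them

# run_ctl CMD ARG: run (or, in dry-run mode, print) one unbound-control command.
run_ctl() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s %s\n' "$UNBOUND_CONTROL" "$1" "$2"
    else
        "$UNBOUND_CONTROL" "$1" "$2"
    fi
}

# flush_names ZONE < names: read changed names (one per line) from stdin,
# lower-case them, strip a trailing dot and de-duplicate, then either flush
# each name or, past the threshold, flush the whole zone.
flush_names() {
    zone="$1"
    names=$(tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u)
    [ -n "$names" ] || return 0
    count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
    if [ "$count" -gt "$ZONE_THRESHOLD" ]; then
        run_ctl flush_zone "$zone"
    else
        printf '%s\n' "$names" | while IFS= read -r name; do
            run_ctl flush "$name"
        done
    fi
}

# Usage from the update process (constructed example):
#   printf 'www.hosts.soas.ac.uk\nmail.hosts.soas.ac.uk\n' | flush_names hosts.soas.ac.uk
```

The cut-over point is a trade-off: per-name flushes keep the rest of the zone cached, while flush_zone is the slow but single-connection path the man page describes.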