Hi there,
Would it be possible to add a min/max refresh time when using auth-zone from the upstream? We're trying to move some stuff from BIND (which supports it) to Unbound and use this in a few cases (usually with a pathological upstream or an upstream we don't control), but it doesn't seem to be supported.
Is it possible, or is there another way to accomplish a more frequent refresh time for a zone?
-Andrew
This would also be useful if caching an entire zone which is many GB, like "com". Not that a residential or small office install should do this. A small ISP may benefit from both preventing errant updates less than an hour apart and ensuring a clean download every day or two. In general, for all resolvers, good authoritative zone pre-cache controls will be necessary for wider adoption of DNSSEC and DANE. Round trips for signatures and validation can be costly to user experience when done on the fly.
-Eric
Note: DANE has an obvious hurdle to get over. The naughty certificate providers that it bypasses (and so fixes) have an interest in protecting the certificate fees they collect, even when those fees are for certificates to zones they don't have a business relationship with. [ https://www.bankinfosecurity.com/study-finds-custom-market-for-bogus-tls-certificates-a-10680 ]