Stub zone and authoritative answers

Hi there.

I configured unbound as a cache before bind (named).
e.g.:
stub zone:
     name: "xxx.domain.com"
     stub-addr: <ip-address bind>

Can I force unbound to give authoritative answers for
this zone?

thanks a lot.

W.C.A. Wijngaards wrote:

Hi Vadim,

I configured unbound as a cache before bind (named).
e.g.:
stub zone:
name: "xxx.domain.com"
stub-addr: <ip-address bind>

Can I force unbound to give authoritative answers for
this zone?

No, because unbound is a recursive only server.

If you are looking for a server to mirror your bind domain,
perhaps http://nlnetlabs.nl/projects/nsd can do that (NSD is an authoritative only server).

Ok. But I needn't another authoritative server, I have such a one - bind.
I just want unbound to set the AA flag in the answer packages for my dns zones.

Can I make it?

Thanks.

Ok. But I needn't another authoritative server, I have such a one - bind.
I just want unbound to set the AA flag in the answer packages for my dns
zones.

Why? More specifically: why do you need a recursive server to return
an authoritative answer instead of using an authoritative server?

Ondrej

Ondřej Surý wrote:

Ok. But I needn't another authoritative server, I have such a one - bind.
I just want unbound to set the AA flag in the answer packages for my dns
zones.

Why? More specifically: why do you need a recursive server to return
an authoritative answer instead of using an authoritative server?

Ondrej

I don't want to show my authoritative server (bind) to the external network (internet), because it's heavier
and slower than unbound. Therefore I want unbound to answer all dns requests, _cache_ them and
make bind's life easier. I regard unbound as a cache layer before the authoritative server.

internet
     >
cache layer (unbound)
     >
authoritative servers (bind)

What do you think about such idea? :slight_smile:

Ok. But I needn't another authoritative server, I have such a one - bind.
I just want unbound to set the AA flag in the answer packages for my dns
zones.

Why? More specifically: why do you need a recursive server to return
an authoritative answer instead of using an authoritative server?

Ondrej

I don't want to show my authoritative server (bind) to the external
network (internet), because it's heavier
and slower than unbound. Therefore I want unbound to answer all dns
requests, _cache_ them and
make bind's life easier. I regard unbound as a cache layer before the
authoritative server.

internet
>
cache layer (unbound)
>
authoritative servers (bind)

What do you think about such idea? :slight_smile:

That it's a very bad idea. Use nsd if you want a faster and lighter
authoritative DNS server.

You can still have bind as a master, just set up nsd as a slave.

Ondrej

If you are looking for a server to mirror your bind domain,
perhaps http://nlnetlabs.nl/projects/nsd can do that (NSD is an
authoritative only server).

Ok. But I needn't another authoritative server, I have such a one - bind.
I just want unbound to set the AA flag in the answer packages for my dns
zones.

This should not be necessary, why do you want it to?

Can I make it?

No, that would be a lie.

(but, there is an escape hatch, if you implement something weird
in pythonmod you can set whatever flag you like on a response).

Best regards,
    Wouter
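To make concrete what "the AA flag in the answer packages" means on the wire, and why a cache setting it would be a lie, here is an added example that is not part of the thread: a decoder for the fixed 12-byte DNS header (RFC 1035 section 4.1.1) that reports the QR, AA, RD and RA bits and classifies a response as authoritative or recursive. The two sample headers are constructed, not captured: one shaped like what a cache such as unbound returns for a stub-zone name (AA clear, RA set), one shaped like what the authoritative bind returns (AA set). A defender can run the same check against responses from a public-facing server to confirm it really answers authoritatively for the zones it is supposed to own.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1).
QR = 0x8000   # 1 = this message is a response
AA = 0x0400   # authoritative answer: the responder owns the zone
TC = 0x0200   # truncated
RD = 0x0100   # recursion desired (copied from the query)
RA = 0x0080   # recursion available (set by recursive servers such as unbound)
RCODE_MASK = 0x000F


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(packet: bytes) -> str:
    """Say what kind of server produced this message, judged from its flags."""
    h = parse_header(packet)
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative answer"
    if h["ra"]:
        return "recursive (cached or forwarded) answer"
    return "non-authoritative answer from a server without recursion"


def build_header(msg_id: int, *, qr: bool, aa: bool, rd: bool, ra: bool,
                 rcode: int = 0, qdcount: int = 1, ancount: int = 1) -> bytes:
    """Assemble a header with the given flags (used here to construct samples)."""
    flags = ((QR if qr else 0) | (AA if aa else 0) | (RD if rd else 0)
             | (RA if ra else 0) | (rcode & RCODE_MASK))
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


# Constructed sample headers (not captured traffic): the flags a cache like
# unbound returns for a stub-zone name (0x8180) versus the flags the
# authoritative bind returns for the same name (0x8500).
UNBOUND_STYLE = build_header(0x1234, qr=True, aa=False, rd=True, ra=True)
BIND_STYLE = build_header(0x1234, qr=True, aa=True, rd=True, ra=False)

if __name__ == "__main__":
    for label, pkt in (("unbound", UNBOUND_STYLE), ("bind", BIND_STYLE)):
        print(f"{label}: {classify(pkt)} {parse_header(pkt)}")
```

Only the header is decoded; question and answer sections are left alone because the AA decision depends on the flags word alone. Feeding real responses (for example the first 12 bytes of a UDP payload read from a socket or a pcap) into `classify` gives the same verdict a resolver would draw.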

Well, I agree with Ondrej, what you want is run NSD as a slave
to the existing bind server, with only NSD visible from the outside.
Instead of caching it performs zone transfers.

Best regards,
    Wouter
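The arrangement Ondrej and Wouter recommend, NSD as a secondary pulling the zone from the internal bind primary with only NSD reachable from the outside, as an added configuration example that is not part of the thread. The zone name example.com, the public NSD address 192.0.2.53 and the internal bind address 10.0.0.10 are placeholders; the option names are standard nsd.conf and named.conf keys.

```conf
# --- nsd.conf on the public-facing host (assumed address 192.0.2.53) ---
server:
    ip-address: 192.0.2.53
    hide-version: yes

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # pull the zone from the internal bind primary (assumed 10.0.0.10) via AXFR
    request-xfr: AXFR 10.0.0.10 NOKEY
    # accept NOTIFY only from that primary so a stranger cannot trigger refreshes
    allow-notify: 10.0.0.10 NOKEY

# --- named.conf on the internal bind host (assumed address 10.0.0.10) ---
options {
    # only the NSD secondary may transfer zones, and only it is notified
    allow-transfer { 192.0.2.53; };
    notify explicit;
    also-notify { 192.0.2.53; };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
};
```

With this, bind is never exposed: it answers transfer requests from one address and the public name servers for the zone point at NSD, which serves every record with AA set because it genuinely holds the zone. For production, replace `NOKEY` with a TSIG key configured on both sides so that transfers and notifies are authenticated rather than trusted by source address alone.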

W.C.A. Wijngaards wrote:

But as far as I know NSD doesn't have a cache, so under heavy load
NSD will load the disk.

My zone with 1.2 million records takes 120 MB of RAM. NSD does not
need a cache.

I have plenty of zones, so I want to protect my authoritative
servers from burst of requests, ddos and so on.

Protect from what? It seems like you want to protect the auth servers
on the inside, while they need to be contacted by the inside and the
outside? In that case, like others have said before, use a secondary on
the outside pulling from your primary on the inside.

Paul

Have you measured this?

Why has everyone gotten into premature optimization lately? :slight_smile:

Simon

But as far as I know NSD doesn't have a cache, so under heavy load
NSD will load the disk. I have plenty of zones, so I want to protect my
authoritative servers from bursts of requests, ddos and so on.

That's very wrong thinking. I don't have hard numbers, but from a design
POV I guess nsd will be faster, since it has much simpler data
structures - all data are static and the lookup algorithms can be very
optimal.

Anyway I don't know what zones you have, but people (here) run
authoritative servers for root and TLD zones and don't have problems
with "bursts of requests, ddos and so on".

Ondrej