Testing unbound (coming from bind)

After testing unbound for a couple of days, I really like how simple it is to use as a caching server.

My main reason for trying unbound was the min-cache-ttl.

After testing unbound on 4 caching servers for a few days, there are a few things you could add to unbound that could really make it perfect.

  1. There really needs to be a min-neg-cache-ttl which overrides the min-cache-ttl for non-existent domains.

  2. I agree with Jiri, unbound needs an acl type for only non-recursive (cache or local) lookups (http://unbound.net/pipermail/unbound-users/2014-February/003181.html).

a. Our reason for this is to restrict recursion loops in any fabric forward-first configuration (which works ok with bind):

i. Check localhost for cache if not found

ii. Check forward hosts (cache / local) for entry if not found

iii. Do local root lookup locally to go onto the internet and find the answer.

I'd be happy to help test these features if these are something that can be implemented.

If you know of a way to accomplish these things in unbound in its current form, please let me know!

Keep up the good work!

-Jim

To clarify, when I say min-neg-cache-ttl, I'm not sure it's obvious, but I mean:

We need
min-neg-cache-ttl – minimum time to store no results for a query
and
max-neg-cache-ttl – max time to store no results for a query

:smiling_face:

Has anyone made a restart script that dumps cache to file, then restart and imports the cache back in?

What's the likelihood that's going to "work" reliably? :smiley:

-Jim

Has anyone made a restart script that dumps cache to file, then restart and imports the cache back in?

pfSense has such a thing.

What's the likelihood that's going to "work" reliably? :smiley:

In theory, it should be possible, I suppose. pfSense's doesn't work reliably. Do you find yourself restarting production unbound instances often enough that dumping the cache causes operational issues?

I've been using this for a couple of days; as simple as it is, it works pretty well.
The sleep is required because the stop issues an "ok" but the program is still running (can't bind port).
Occasionally we see an SSL error on the load_cache line, but it does load all the records "~ok~" and works.

#!/bin/sh
# Dump the cache to a file, restart unbound, then load the cache back in.
unbound-control dump_cache > /root/dump_cache.data
unbound-control stop
sleep 2   # "stop" returns "ok" before the process has actually exited and released its port
unbound-control start
unbound-control load_cache < /root/dump_cache.data

Is this the timeout for non-existent domains? Is that what lame means?

        # the time to live (TTL) value for cached roundtrip times, lameness and
        # EDNS version information for hosts. In seconds.
        # infra-host-ttl: 900
Or does this type of ttl not exist at this time?

I am also still wondering about the possibility of a non-recursive (cache/local) only acl.

<3 pfsense

For what it is worth I have run into the lack of a knob to control the
negative cache TTL as well. I am currently looking at replacing some
BIND based resolvers for a fairly large site and they are running with
"max-ncache-ttl" to force a lower TTL of NXDOMAIN results.

I realize this might qualify as feature creep and I have been thinking
that not having the functionality could be considered a good way to
force people to fix the SOA minimum field instead. I guess this is not
always feasible though.

Regards,
Patrik Lundin
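As an added example (not code from this thread, from unbound or from BIND): a small cache model showing how the min-neg-cache-ttl / max-neg-cache-ttl knobs Jim asks for, and the max-ncache-ttl behaviour Patrik describes for BIND, would clamp the RFC 2308 negative TTL separately from positive TTLs. The class name, TTL bounds and zone values are constructed for illustration.

```python
# Added illustration: a resolver cache with separate TTL clamps for positive
# and negative (NXDOMAIN/NODATA) answers. Not unbound's or BIND's code.
import time


class ClampedCache:
    """Positive answers are clamped to [min_ttl, max_ttl]; negative answers
    to [min_neg_ttl, max_neg_ttl] (constructed names for the proposed knobs)."""

    def __init__(self, min_ttl, max_ttl, min_neg_ttl, max_neg_ttl):
        self.pos = (min_ttl, max_ttl)
        self.neg = (min_neg_ttl, max_neg_ttl)
        self.store = {}  # (qname, qtype) -> (answer, expires_at)

    @staticmethod
    def negative_ttl(soa_ttl, soa_minimum):
        # RFC 2308: a negative answer is cached for the smaller of the
        # SOA record's TTL and its MINIMUM field.
        return min(soa_ttl, soa_minimum)

    def effective_ttl(self, ttl, negative):
        lo, hi = self.neg if negative else self.pos
        return max(lo, min(hi, ttl))

    def put(self, qname, qtype, answer, ttl, negative=False, now=None):
        now = time.time() if now is None else now
        ttl = self.effective_ttl(ttl, negative)
        self.store[(qname, qtype)] = (answer, now + ttl)
        return ttl

    def get(self, qname, qtype, now=None):
        now = time.time() if now is None else now
        hit = self.store.get((qname, qtype))
        if hit is None or hit[1] <= now:
            self.store.pop((qname, qtype), None)
            return None
        return hit[0]


def demo():
    # Constructed bounds: positive 300..86400 s, negative 60..900 s.
    c = ClampedCache(300, 86400, 60, 900)
    t0 = 1000.0
    # SOA TTL 3600, MINIMUM 5: RFC 2308 gives 5 s, min-neg-cache-ttl raises it to 60 s.
    neg = c.put("nope.example", "A", "NXDOMAIN",
                c.negative_ttl(3600, 5), negative=True, now=t0)
    # A positive answer with a 10 s TTL is raised to min-cache-ttl (300 s).
    pos = c.put("www.example", "A", "192.0.2.1", 10, now=t0)
    return (neg, pos, c.get("nope.example", "A", now=t0 + 30),
            c.get("nope.example", "A", now=t0 + 61))
```

A long SOA MINIMUM is capped the same way from above, which is the max-ncache-ttl case: a 3600 s negative TTL becomes 900 s under these bounds.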