I’m a brand new user of the mailing list. I work for ThreatSTOP, which makes RPZs available on a variety of DNS platforms.
Recently we’ve been asked to support unbound.
Several years ago I looked at this and, at the time, there was no way to use a TSIG key to secure zone transfers and looking at the documentation today that seems to still be the case.
I have an Ubuntu-based example server running that I am able to get RPZ into by means of an external shell script that does a dig and sed pipeline. Is this the preferred method? And/or has someone got clear documentation on how to do this better?
I will be happy to contribute my example configs (and RPZ update script) back to the project if there are no better ones around.
I have two questions, assuming that the shell script method is the correct approach:
> I’m a brand new user of the mailing list. I work for ThreatSTOP, which makes RPZs available on a variety of DNS platforms.
> Recently we’ve been asked to support unbound.
> Several years ago I looked at this and, at the time, there was no way to use a TSIG key to secure zone transfers and looking at the documentation today that seems to still be the case.
Indeed, although adding TSIG support for zone transfers is part of our plans.
> I have an Ubuntu-based example server running that I am able to get RPZ into by means of an external shell script that does a dig and sed pipeline. Is this the preferred method? And/or has someone got clear documentation on how to do this better?
> I will be happy to contribute my example configs (and RPZ update script) back to the project if there are no better ones around.
> I have two questions, assuming that the shell script method is the correct approach:
> 1. Once I have updated the rpz zonefile, should I use “unbound-control reload” to get the new RPZ in or is there a better alternative (auth_zone_reload)?
Reloading just that one zone is better time-wise.
Based on the contents of the RPZ zone itself (the kind of triggers it uses, in particular rpz-nsdname and rpz-nsip since these will access records already in the cache), also emptying the cache through a regular reload may be what you need instead.
> 2. I think I’m correct that unbound-control log_reopen should be called in the postrotate stanza of a logrotate.d config?
If you specify your own configuration file then yes.
If not, then logs are directed to the syslog which should be rotated automatically.
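The dig-and-sed update script discussed in the thread, written out as an added example (not the poster's script and not code from the Unbound project): it transfers the zone with dig, signing the AXFR request with TSIG through dig's -y option when a key is given (dig can sign the transfer even though Unbound itself cannot), refuses to replace the zonefile unless the transfer is complete, and then reloads either the single auth-zone or, for rpz-nsdname/rpz-nsip style triggers, the whole server. The zone name, primary address, key and zonefile path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: pull an RPZ zone with dig (AXFR, TSIG-signed
# when a key is given), clean the output into a zone file and reload that zone in
# Unbound. ZONE, PRIMARY, TSIG_KEY and ZONEFILE are placeholder values.
set -eu

ZONE="${ZONE:-rpz.example.invalid}"                 # placeholder RPZ zone name
PRIMARY="${PRIMARY:-192.0.2.10}"                    # placeholder primary (RFC 5737 address)
TSIG_KEY="${TSIG_KEY:-}"                            # placeholder, e.g. hmac-sha256:KEYNAME:BASE64SECRET
ZONEFILE="${ZONEFILE:-/var/lib/unbound/$ZONE.zone}" # the zonefile: path named in the rpz: block

# The "sed" half of the pipeline: drop dig's ';' comment lines and blank lines.
clean_axfr() {
  sed -e '/^;/d' -e '/^[[:space:]]*$/d'
}

# A complete AXFR starts with the zone's SOA and ends with it again (exactly two
# SOA records); a truncated or refused transfer fails this check. $1=zone, $2=file.
axfr_looks_complete() {
  awk -v zone="$1." '
    NR == 1 && !($1 == zone && $4 == "SOA") { bad = 1 }
    $4 == "SOA" { soa++ }
    END { exit (bad || soa != 2) ? 1 : 0 }' "$2"
}

update_rpz() {
  tmp=$(mktemp "$ZONEFILE.XXXXXX")
  set -- dig @"$PRIMARY" "$ZONE" AXFR
  [ -n "$TSIG_KEY" ] && set -- "$@" -y "$TSIG_KEY"   # dig signs the AXFR request with TSIG
  "$@" | clean_axfr > "$tmp"
  if ! axfr_looks_complete "$ZONE" "$tmp"; then
    rm -f "$tmp"
    echo "transfer of $ZONE incomplete, keeping the previous zonefile" >&2
    return 1
  fi
  mv "$tmp" "$ZONEFILE"
  # Reloading one zone is faster, but rpz-nsdname/rpz-nsip triggers match against
  # cached data, so FULL_RELOAD=1 selects the cache-emptying full reload instead.
  if [ "${FULL_RELOAD:-0}" = 1 ]; then
    unbound-control reload
  else
    unbound-control auth_zone_reload "$ZONE"
  fi
}

# Only transfer and reload when invoked as "update-rpz.sh run"; sourcing just defines the functions.
if [ "${1:-}" = run ]; then
  update_rpz
fi
```

Run it from cron or a systemd timer with `run`; the log_reopen call for a self-managed logfile belongs in the logrotate postrotate stanza, not in this script.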