UNBOUND AXFR

I was trying to use auth-zone and I succeeded in getting it running.
Simple example.com and in-addr.arpa zones.
Then I used ldns-keygen, ldns-signzone and created signed zones.

When I was trying to transfer the zone I figured out that unbound doesn't do AXFR or IXFR.

In the doc:

    If you point it at another Unbound instance, it would not work
    because that does not support AXFR/IXFR for the zone, but if you
    used url: to download the zonefile as a text file from a
    webserver that would work.

Is there any reason for this working that way?
Unbound was written by the same people that write NSD, correct?

Even the same lib LDNS is present in the code.

PS: it has been a long time since 1.7.1 was released; I needed to compile the develop branch (1.7.2), since there are a lot of corrections (leak fixes, …).

Unbound already has auth-zone, with updates over HTTP :O, so why not AXFR and IXFR?
XFR also provides security, as far as I know.

Is this related to no time to code? A software design decision?
Are there plans to support XFR?

Could I try to code it and make a pull request?
Or is there some other reason, and this can't be done?

I just want to use unbound; I don't want to use nsd or bind with a stub zone.

If I understand your questions correctly, I think you misunderstood Unbound's purpose.
Unbound, although it runs as a service, is more a client. Much the same as your
web browser is a web client, not a web server: it searches and looks at web pages;
it doesn't create or serve them. It's much the same with Unbound. While you could
technically dump the query chain from the query log to a zone file, it's not its
intent to do this sort of thing. What you're asking about is more the function of an
authoritative name server, not a recursive server (client).

HTH

--Chris

Hi,

I understand Unbound's purpose as a recursive DNS server.

Unbound has auth-zone but doesn't act as a fully authoritative server?
As the doc says:

  • for-downstream: yes, and when used in this manner makes unbound respond like an authority server.

If I understand right and want to be fully authoritative I need NSD or BIND9?

I read some parts of the code to understand more.
I have used the same zone in unbound and NSD, and they reply the same way.

If unbound downloads the zone over HTTP without authentication,
and can download the zone by receiving XFR replies, why not just reply to XFR queries?
Even only AXFR (without IXFR).

Since the first unbound was released, it has grown.
Is there a bigger reason, or is it just because unbound will always be focused on a recursive server?

I don't want to have to run another daemon with other dependencies to do something that is already partially done.
That means having another, totally separate control.

If it's not possible and will not become possible (even if someone coded it in a PR), that's fine.
It's just that I really wanted to know if there was a specific reason, as most of the features are already there.

Thanks a lot for the reply.

Hi,

If I understand right and want to be fully authoritative I need NSD or
BIND9? (...)

Very likely. You can use Unbound as an authoritative server for
some types of records (A, AAAA, PTR) but not all (CNAME).

For that reason I'm using Unbound on the local network for all
my clients, but the authority for the local zone home.arpa is
managed with a BIND server (using it with the 'stub-zone'
configuration in the unbound.conf file).

Sincerely,

If you use something like:

    auth-zone:
        name: "example.com"
        fallback-enabled: no
        for-downstream: yes
        for-upstream: no
        zonefile: "path_to_authzones/example.com.zone"

you can get CNAME working.

CNAME only does not work in local-zones (there are also more RR types that don't).

As I pointed out, almost every auth resource is implemented using auth-zone.
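As an added example (not posted in the thread), an auth-zone stanza that combines the options discussed above: the zone is fetched from an authoritative primary over AXFR/IXFR and, as a second source, from a web server with url:, and for-downstream: yes makes Unbound answer for the zone like an authority. The addresses, URL and paths are placeholders.

```conf
server:
    interface: 0.0.0.0
    # Constructed client range; only these clients may query this resolver.
    access-control: 192.0.2.0/24 allow

auth-zone:
    name: "example.com"
    # Zone source 1: transfer (AXFR/IXFR) from a real authoritative server
    # such as NSD or BIND. Another Unbound will not work here, as the doc
    # quoted above notes, because Unbound does not serve XFR itself.
    # In the 1.7.x releases mentioned in this thread this option is spelled master:
    primary: 192.0.2.53                      # placeholder primary address
    # Zone source 2: download the zone as a text file over HTTP(S).
    # When primaries are also listed, they are probed for a changed SOA
    # serial first, so the download only happens when the zone changed.
    url: "https://zones.example.com/example.com.zone"   # placeholder URL
    # On-disk copy so a restart does not have to wait for a new transfer.
    zonefile: "/var/lib/unbound/example.com.zone"
    # Answer downstream clients for this zone like an authority server.
    for-downstream: yes
    # Do not use the local copy when resolving the zone upstream.
    for-upstream: no
    # With fallback disabled, a name missing from the zone gets the
    # authoritative negative answer instead of a recursive lookup.
    fallback-enabled: no
```

Run unbound-checkconf before reloading; afterwards a query such as `dig @127.0.0.1 www.example.com A` should be answered from the zone data rather than by recursion.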