I travel to customer sites frequently and when there, I need to add a
forwarder to my workstation's Unbound in order to access (insecure)
zones on a customer's name server. In order to do so, I reconfigure
Unbound with something like this:
Would it be possible to add such a functionality to unbound-control?
Particularly in the light of DNSSEC-trigger gaining in popularity, I
consider that a useful addition.
I can already add individual RR to Unbound, like in
unbound-control local_data printer.mens.de. A 10.0.0.10
A similar command to add an insecure forwarder for individual zones
would be great! Something along the lines of
I build my unbound.conf (like many other configfiles too)
from a subdirectory containing multiple files using make.
So I could simply do
# echo 'forward-zone...' > /etc/unbound/conf.d/config_of_the_day.conf
# make -C /etc/unbound
(that rebuilds the configfile and reloads unbound)
That's easy enough, indeed, but reloading Unbound destroys forwarders
added by DNSSEC-Trigger as well as any local_data that's been added on
the fly: not good enough.
ok.
I decided not to use unbound-control for any reconfiguration at all.
But if you do so, (and there is nothing wrong in that !)
then the interface should support many/all possible configurations.
That was not possible when I started using unbound. So I went the "Makefile-way"
Indeed, and a good method that is.
The only reason I started using unbound-control is because that's what
DNSSEC-trigger uses to configure Unbound's forwarders when it detects
a network configuration change, e.g. DHCP.
I then also realized that I can slip in an insecure resource record
into a running Unbound -- a functionality I use quite frequently, though
mainly for testing purposes.
One missing function (at least for me) is now to be able to quickly add
an insecure zone on the fly while I'm at a customer site, e.g. example.com.
(Just a bit of background)
That could be an option to add to unbound-control.
You could do the Makefile-way, then restore the other settings with
dnssec-trigger-control reprobe (this will restore the unbound forward
stuff).
And unbound-control list_local_data > store_file and then load it again
cat store_file | while read x; do unbound-control local_data "$x" ; done
This is a workaround, and you need to reload the daemon.
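
The workaround from the reply above, written out as one script: save the local_data, rebuild and reload via make, let DNSSEC-Trigger reprobe, then load the records back. This is an added example, not part of the original thread; the function names, the UC, DTC, MAKE and CONF_DIR variables and the temporary store file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep on-the-fly local_data and the
# DNSSEC-Trigger forwarders across a Makefile-driven reload of Unbound.
# Assumed names: UC, DTC, MAKE, CONF_DIR and all function names.
UC=${UC:-unbound-control}
DTC=${DTC:-dnssec-trigger-control}
MAKE=${MAKE:-make}
CONF_DIR=${CONF_DIR:-/etc/unbound}

# Dump the RRs currently loaded in the running Unbound to file $1.
save_local_data() {
    "$UC" list_local_data > "$1"
}

# Re-add every RR from file $1; print how many were restored.
# Returns non-zero if any record was rejected.
restore_local_data() {
    count=0 failed=0
    while IFS= read -r rr; do
        [ -n "$rr" ] || continue              # skip blank lines
        if "$UC" local_data "$rr" >/dev/null </dev/null; then
            count=$((count + 1))
        else
            failed=$((failed + 1))
            echo "not restored: $rr" >&2
        fi
    done < "$1"
    echo "$count"
    [ "$failed" -eq 0 ]
}

# Save, rebuild + reload (the thread's "make -C /etc/unbound"), let
# DNSSEC-Trigger re-install its forwarders, then put local_data back.
reload_keeping_runtime_state() {
    store=$(mktemp) || return 1
    save_local_data "$store" || { rm -f "$store"; return 1; }
    "$MAKE" -C "$CONF_DIR" >&2 && "$DTC" reprobe >&2 &&
        restore_local_data "$store"
    rc=$?
    if [ "$rc" -eq 0 ]; then rm -f "$store"
    else echo "local_data kept in $store" >&2; fi
    return "$rc"
}
```

Call reload_keeping_runtime_state as root after dropping the day's forward-zone file into the conf.d directory; if a step fails, the saved records stay in the reported file so they can be reloaded by hand.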