[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?
wouter at nlnetlabs.nl
Tue Feb 11 13:47:47 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 02/11/2014 11:53 AM, Jiri Bohac wrote:
> Hi Wouter,
> On Tue, Feb 11, 2014 at 09:37:27AM +0100, W.C.A. Wijngaards wrote:
>>> On 2014-02-10, at 16:17, Jiri Bohac <jiri at boha.cz> wrote:
I would like to say that Joe Abley's advice is a very good, and you
should see if you can do that. That would likely be a better setup.
If not, let's talk about unbound configuration.
>> The options are called deny_non_local and refuse_non_local.
>> They differ in what you want them to do with the disallowed
>> non-authoritative queries (drop or refuse, refuse is nicer and is
>> more like a regular authority server).
> I looked at the patch, but that only adds acl options for local
> zones. My authoritative zones are served by a locally running NSD
> (on a nonstandard port) that unbound uses through a stub zone.
Yes I see. That would need some sort of patch. Please reconsider
Joe's set up, which is what is recommended by DNS Operations RFCs.
> Do you think adding another two options, e.g. deny_non_stub
> refuse_non_stub would make sense?
> Or perhaps changing deny_non_stub to deny_non_recursive and
> refuse_non_stub to refuse_non_recursive ... and differentiating
> based on the DR bit of the request, instead of the zone?
Don't differentiate based on the +RD bit. Because authority servers
should respond to +RD requests. So this would create a flawed
> I can make, test and post the patches.
What you could make is some sort of configuration option for the
local-zone directive, that is much like the deny_non_local, but allows
these servers to only query that specific zone and not other zones...
Not sure how to do this cleanly. Patches can be stored in unbound's
contrib directory in the source, to benefit others with similar issues.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Unbound-users