auth-zones and DNS NOTIFY

Harry Schmalzbauer list.unbound at omnilan.de
Sat Jun 23 18:26:51 UTC 2018


Am 17.04.2018 um 15:26 schrieb W.C.A. Wijngaards via Unbound-users:
> Hi Harry,
>
> Yes, DNS NOTIFY is implemented in the current code repo version.  You
> can specify additional sources with allow-notify.

Dear all, Wouter,

sorry for bringing it up again, but I'm having real-world problems with 
this nice new auth-zone: and allow-notify: feature ;-)

My auth-zone: has two master: definitions.
It seems that the second definition is probed first, when a NOTIFY comes 
in (at least if the NOTIFY is not from one of the masters); haven't 
verified/falsified, neither by code inspection nor by testing beyond 
lowest level yet.  As long as it's a static and documented behaviour 
everything is fine.

But unfortunately unbound stops probe/xfer-attempts if the first master 
selected/probed doesn't return a higher serial than the NOTIFY posted.
If the NOTIFY matched an allow-notify: definition (not coming from [one 
of] the masters), it should continue and probe the second (etc.) master I 
think.  Whether it's sensible to also probe all masters in case the 
NOTIFY came from one of them is beyond my consideration scope atm.  But 
in case the NOTIFY came from a non-master, the circumstance/decision 
(allow-notify:) itself legitimates probing all masters in case the first 
responded with a not higher serial than the NOTIFY posted, imho.

Real world: ActiveDirectory e.g. or any other multi-master backend which 
needs more than 1 ms to replicate upstream.

What do you think?

Thanks,

-harry

P.S.: I still have another severe problem with auth-zone: and CNAME 
RRs.  As soon as I keep for-downstream: yes, CNAMEs pointing to other 
zones aren't resolved, although unbound is authoritative for the(se) 
other zone(s) too!
That's unique to unbound afaik.
Is this really intended by design?
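For reference, an added unbound.conf fragment (not from the original post and not the Unbound project's own example) for the setup described above: an auth-zone: with two master: entries, a zonefile: to persist the transferred zone, an allow-notify: entry for an additional host allowed to send NOTIFY although it is not listed as a master, and for-downstream: / for-upstream: as mentioned in the post. The zone name, addresses and file path are placeholders.

```yaml
server:
    # ... other server options ...

auth-zone:
    name: "example.internal."                            # placeholder zone name
    zonefile: "/var/lib/unbound/example.internal.zone"   # placeholder path; zone is cached here across restarts
    # Two masters, e.g. two Active Directory domain controllers (placeholder addresses).
    # The post reports that only one of them is probed after a NOTIFY from a non-master.
    master: 192.0.2.10
    master: 192.0.2.11
    # Additional NOTIFY source that is not a master (placeholder address)
    allow-notify: 192.0.2.12
    # Serve the zone to downstream clients and use it for upstream resolution
    for-downstream: yes
    for-upstream: yes
```

To see whether the two masters disagree on the serial at the moment a NOTIFY arrives, query each of them directly, e.g. `dig +short SOA example.internal. @192.0.2.10` and the same against `@192.0.2.11`, and compare the serial field with the serial carried in the NOTIFY.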
