Slave not downloading new zonefile upon update #140

Closed
jimc-leones opened this issue Jan 5, 2020 · 3 comments
@jimc-leones

Version: unbound-1.9.6 from OpenSuSE Tumbleweed

I think this is a documentation issue and/or a feature request. The
symptom is, I have a master, two slaves, and leaf nodes, all running
unbound. The slaves fail to download new zonefiles upon updates. The
auth-zone section on the slaves, after (successful) workarounds, goes
like this:

```
auth-zone:
    name: "cft.ca.us."
    master: 192.9.200.193
    url: "http://192.9.200.193/unbound-master/cft.zone"
    zonefile: "/var/lib/unbound/slave/cft.zone"
```

Workaround #1: By reading the source code I discovered that unbound (as
a slave) can make AXFR/IXFR queries to retrieve a zone but (as master)
cannot respond to them. This corresponds to my experience when I had
Bind running on the master. Doing the URL thing got the zonefiles
coming in. I wish the documentation had been a little clearer on this
point. And I'd like to up-vote the feature request to add AXFR/IXFR
responses, so unbound can be a complete DNS server solution.

Workaround #2: One of the DNSSEC tutorials had a great photo of a
chicken looking at an egg. Initially my URL was
"https://jacinth.cft.ca.us:1447/unbound-master/cft.zone". But the 'A'
and AAAA records for Jacinth are in the zonefile that unbound is trying
to download. Thus the download didn't happen. I realized that
Jacinth's webserver is restricted to the internal net and VPNs, so I
could just switch to http://IPADDR/. Now it's downloading. I think
it would be helpful to warn users in the man page about this chicken
and egg issue.

How about a feature request: make a generic pair of commands:
local-data-hint: "name TTL type value" and hint-file: "zonefile-name".
This would have the same effect as root-hints, and in fact could replace
that command (except for the backward compatibility issue), but it could
be used in any context, specifically auth-zone: (and forward-zone:?)
Then the hostname in the url: and other parameters could be given
alphabetically, making the config file more maintainable.
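The chicken-and-egg in Workaround #2 is easy to reintroduce later, when someone edits the config and writes a hostname back into url: or master:. The following is an added example (not unbound's code and not from this thread): a small linter that parses auth-zone clauses from an unbound.conf-style text and flags any master or URL host that is a hostname inside the zone it is supposed to deliver ("circular"), and, less severely, any other hostname, since such a fetch still depends on DNS being up, which is the reason the maintainers recommend plain IP addresses. The second zone in the constructed sample, the `ns1.example.org` master and the `ip#tlsname` handling are assumptions for illustration.

```python
"""Lint unbound.conf auth-zone clauses for the chicken-and-egg described in
this issue: a master: or url: host whose name lives inside the zone being
fetched can never resolve on a cold start.  Added example, not unbound code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the reporter's original (failing) URL, plus a second
# hypothetical zone whose master is given as a hostname outside the zone.
SAMPLE_CONF = """
server:
    verbosity: 1
auth-zone:
    name: "cft.ca.us."
    master: 192.9.200.193
    url: "https://jacinth.cft.ca.us:1447/unbound-master/cft.zone"
    zonefile: "/var/lib/unbound/slave/cft.zone"
auth-zone:
    name: "example.net."
    master: ns1.example.org
    url: "http://192.0.2.10/zones/example.net.zone"
    zonefile: "/var/lib/unbound/slave/example.net.zone"
"""


def parse_auth_zones(text):
    """Return one dict per auth-zone: clause with its name, master and url
    options (master and url may repeat, so they are lists).  Only the
    'option: value' layout of unbound.conf is handled; no include: files."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if not value:                       # bare "clause:" header
            current = {"name": None, "master": [], "url": []} if key == "auth-zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None:
            if key == "name":
                current["name"] = value
            elif key in ("master", "url"):
                current[key].append(value)
    return zones


def in_zone(host, zone):
    """True if host is the zone apex or any name below it."""
    h, z = host.rstrip(".").lower(), zone.rstrip(".").lower()
    return h == z or h.endswith("." + z)


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (URL-style [brackets] tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_auth_zones(text):
    """Return (zone, option, host, severity) findings.
    "circular": host is inside the zone it is supposed to deliver.
    "hostname": any other hostname; the fetch still depends on DNS being up,
    which is why the maintainers recommend plain IP addresses."""
    findings = []
    for z in parse_auth_zones(text):
        zone = z["name"] or ""
        # master: may carry an "ip#tlsname" suffix (assumed syntax); only the
        # host part in front of '#' matters here
        hosts = [("master", m.split("#", 1)[0]) for m in z["master"]]
        hosts += [("url", urlsplit(u).hostname or "") for u in z["url"]]
        for option, host in hosts:
            if not host or is_ip_literal(host):
                continue
            severity = "circular" if in_zone(host, zone) else "hostname"
            findings.append((zone, option, host, severity))
    return findings


if __name__ == "__main__":
    for zone, option, host, severity in check_auth_zones(SAMPLE_CONF):
        print(f"{severity:8} {zone} {option}: {host}")
```

Run it against a real unbound.conf by reading the file into `check_auth_zones`; the reporter's first URL is reported as circular, while the IP-based URL from the working configuration above produces no finding. Note the trade-off the workaround implies: switching from https to http over an IP address removes the name dependency but also removes transport authentication of the zone download, which is acceptable only because the web server is restricted to the internal network.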

@wcawijngaards wcawijngaards self-assigned this Jan 6, 2020
@wcawijngaards
Member

Thank you for the description on making this work.

I had not realized that we need warnings to avoid circular lookup dependencies on the name used to look up the data. Using a plain IP address is the best solution. It is better than the hint solution you suggest. (And also what we suggest users of NSD, our authoritative DNS server, to use for configuration.) Otherwise you end up relying on the DNS infrastructure to be up in order to make the DNS infrastructure work, but with a plain IP address this dependency is not there, and thus, in the network, the services can come on-line independent of the other parts.

AXFR/IXFR service would be a nice feature, but I'll close this as a documentation bug report. If you really need it, we have NSD, a server that does authoritative only service. And it provides AXFR (but not IXFR) service for zones. And also sends NOTIFY messages to downstream servers so that they fetch the data.

By the way, unbound is capable of receiving NOTIFY messages to make it fetch from the url (or from the master) if you want that. It can be triggered by shell script with something like e.g. dig +opcode=notify or ldns-notify, or with notify: or also-notify configuration statements.

Best regards, Wouter
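The NOTIFY trigger Wouter mentions is a plain DNS message (RFC 1996): QR=0, opcode 4, and a single question of type SOA for the zone. The following is an added example, not code from unbound or from this thread, that builds that message from scratch, sends it over UDP the way `dig +opcode=notify` or `ldns-notify` would, and checks the reply header. The slave address `192.0.2.53` in the usage line is a placeholder; the zone name is the one from the report.

```python
"""Send a DNS NOTIFY (RFC 1996) to make unbound re-fetch an auth-zone, as
'dig +opcode=notify' or ldns-notify would.  Added example, not part of
unbound or of this thread."""
import secrets
import socket
import struct

OPCODE_NOTIFY = 4
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_notify(zone, msg_id=None):
    """Header with QR=0, opcode NOTIFY, QDCOUNT=1 and a '<zone> SOA IN' question.
    The optional SOA answer section (RFC 1996 3.7) is omitted: the notified
    server probes the master for the current serial itself."""
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)
    flags = OPCODE_NOTIFY << 11          # QR=0, AA/TC/RD/RA clear, RCODE 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(data):
    """Decode the 12-byte header into the fields a notifier needs to check."""
    msg_id, flags, *_counts = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
    }


def send_notify(zone, server, port=53, timeout=2.0):
    """Send the NOTIFY over UDP (IPv4 only in this example) and return the
    reply RCODE.  0 (NOERROR) means the slave accepted it and will probe its
    master; a non-zero code such as REFUSED (5) means it did not: check that
    the sender is the zone's master or listed in allow-notify:, and that
    access-control: permits the source address."""
    msg = build_notify(zone)
    sent_id = parse_header(msg)["id"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, port))
        data, _ = sock.recvfrom(512)
    reply = parse_header(data)
    # A reply must echo our ID with QR set and the NOTIFY opcode; anything
    # else is not a response to this message and must not be trusted.
    if reply["id"] != sent_id or not reply["qr"] or reply["opcode"] != OPCODE_NOTIFY:
        raise ValueError(f"unexpected reply header: {reply}")
    return reply["rcode"]


if __name__ == "__main__":
    # 192.0.2.53 is a hypothetical slave address; the zone is from the report.
    print("rcode", send_notify("cft.ca.us.", "192.0.2.53"))
```

Because NOTIFY is unauthenticated UDP, unbound only honours it from the zone's configured master addresses (and any allow-notify: entries); anyone else merely causes a refusal, which is also why the ID and QR checks above matter before trusting a reply.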

@jimc-leones
Author

jimc-leones commented Jan 7, 2020 via email

@spirillen

Hi @jimc-leones, I didn't read your entire post (tl;dr) but I noticed this part:

However I still need a recursive and validating local server on the master site

Have you been looking at www.powerdns.com by @ahupowerdns @Habbie?

PS: Sorry for mentioning competitors from a different repo/project, but the end result should be the measurement tools, in the same manner that I recommend Unbound despite using the recursor myself 😄
