[FR] modify behaviour of unbound-control rpz_enable zone (or ...) #678

Closed
jpgpi250 opened this issue May 15, 2022 · 2 comments

@jpgpi250

unbound-control can disable / enable a zone (syntax, example zone doh: sudo /usr/sbin/unbound-control rpz_enable doh).

The doh zone has the following header:

```
$TTL 30
@ SOA jpgpi250.github.io. hostmaster.jpgpi250.github.io. 2205150849 86400 1800 604800 30
NS localhost.
```

which implies, if I'm not wrong, unbound will fetch the latest version once a day. This time frame (24h) will start when unbound starts and fetches the zone.

The script that generates the zone runs once a day. If, however, unbound is (re)started shortly before the new data becomes available, unbound uses the old data for almost a day.

It would be very useful to change the behaviour of unbound-control rpz_enable (or, see below), so that the zone file would be refreshed immediately once the zone is enabled. This would allow for:

  • generate new zone file (script, that has nothing to do with unbound)
  • disable the rpz zone (sudo /usr/sbin/unbound-control rpz_disable doh)
  • enable the rpz zone (sudo /usr/sbin/unbound-control rpz_enable doh), and thus fetch the latest zone data.

Of course, I'm not opposed to an additional (new) unbound-control command: unbound-control rpz-refresh zone ...

For now, I'm forced to restart unbound to force an update, as unbound-control reload doesn't appear to force a refresh (fetch the latest zone data from source).

@gthess gthess self-assigned this May 15, 2022
@gthess
Member

gthess commented May 15, 2022

Hello there,
I wouldn't like for the enable action to have implicit results i.e., transferring the zone.
Since RPZ zones share the same behavior as auth zones in Unbound, there is already the command unbound-control auth_zone_transfer that could be used to initiate a new transfer from master for a configured zone (auth or RPZ).
I believe this is exactly what you are asking.
I will update the unbound-control documentation to reflect that.

@gthess gthess closed this as completed in f73e548 May 15, 2022
@jpgpi250
Author

tested, correct, sudo /usr/sbin/unbound-control auth_zone_transfer "doh" works as desired.

Thanks for your time and effort.
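
A wrapper for the end of the zone-generation job, added here as an example and not taken from the issue or from Unbound: it reads the SOA serial from the freshly generated file and runs the `auth_zone_transfer` command from the thread only when the serial has changed. The function names and the state file are hypothetical; the sample header is the one quoted in the issue.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumes the single-line SOA form
# shown in the issue; function names and the state file are hypothetical.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-/usr/sbin/unbound-control}"

# Zone header quoted in the issue, used as sample input.
issue_header() {
    cat <<'EOF'
$TTL 30
@ SOA jpgpi250.github.io. hostmaster.jpgpi250.github.io. 2205150849 86400 1800 604800 30
NS localhost.
EOF
}

# soa_field FIELD < zonefile: print serial|refresh|retry|expire|minimum of the
# first SOA record; exit 1 if there is none or the value is not numeric.
soa_field() {
    awk -v want="$1" '
        BEGIN { off["serial"]=3; off["refresh"]=4; off["retry"]=5
                off["expire"]=6; off["minimum"]=7 }
        /^[ \t]*;/ { next }                       # skip comment lines
        { for (i = 1; i <= NF; i++)
              if (toupper($i) == "SOA" && (want in off)) {
                  v = $(i + off[want])
                  if (v ~ /^[0-9]+$/) { print v; found = 1 }
                  exit
              } }
        END { exit(found ? 0 : 1) }'
}

# refresh_if_changed ZONE GENERATED_ZONEFILE STATEFILE
# Request a transfer only when the generated serial differs from the one
# recorded after the last successful request.
refresh_if_changed() {
    zone=$1; new_file=$2; state=$3
    new_serial=$(soa_field serial < "$new_file") || {
        echo "no usable SOA in $new_file; $zone left untouched" >&2
        return 2
    }
    old_serial=$(cat "$state" 2>/dev/null || true)
    if [ "$new_serial" = "$old_serial" ]; then
        echo "unchanged"; return 0
    fi
    # Command named in the thread; applies to auth zones and RPZ zones.
    "$UNBOUND_CONTROL" auth_zone_transfer "$zone" >&2 || return 1
    printf '%s\n' "$new_serial" > "$state"
    echo "transferred $new_serial"
}

if [ "$#" -eq 3 ]; then refresh_if_changed "$@"; fi  # ZONE ZONEFILE STATEFILE
```

The serial is recorded only after `unbound-control` exits successfully, so a failed request is retried on the next run instead of being silently skipped.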

jedisct1 added a commit to jedisct1/unbound that referenced this issue May 25, 2022
* nlnet/master:
  - Fix some lint type warnings.
  - Fix ede test to not use default pidfile, and use local interface.
  - Fix to silence test for ede error output to the console from the   test setup script.
  - Fix typos in config_set_option for the 'num-threads' and   'ede-serve-expired' options.
  - Fix NLnetLabs#678: [FR] modify behaviour of unbound-control rpz_enable zone,   by updating unbound-control's documentation.
  - For NLnetLabs#677: Added tls-system-cert to config parser and documentation. - Changelog note for NLnetLabs#677.
  Allow using system certificates not only on Windows
  - Fix NLnetLabs#417: prefetch and ECS causing cache corruption when used   together.
  - Fix NLnetLabs#673: DNS over TLS: error: SSL_handshake syscall: No route to   host.
  - Fix Python build in non-source directory; based on patch by   Michael Tokarev.
  Changelog entry for NLnetLabs#604: Add the basic EDE (RFC8914) cases
  Add the basic EDE (RFC8914) cases (NLnetLabs#604)
  - Fix NLnetLabs#670: SERVFAIL problems with unbound 1.15.0 running on   OpenBSD 7.1.