I think this is a documentation issue and/or a feature request. The
symptom is, I have a master, two slaves, and leaf nodes, all running
unbound. The slaves fail to download new zonefiles upon updates. The
auth-zone section on the slaves, after (successful) workarounds, goes
like this:

Workaround #1: By reading the source code I discovered that unbound (as
a slave) can make AXFR/IXFR queries to retrieve a zone but (as master)
cannot respond to them. This corresponds to my experience when I had
Bind running on the master. Doing the URL thing got the zonefiles
coming in. I wish the documentation had been a little clearer on this
point. And I'd like to up-vote the feature request to add AXFR/IXFR
responses, so unbound can be a complete DNS server solution.

Workaround #2: One of the DNSSEC tutorials had a great photo of a
chicken looking at an egg. Initially my URL was
"https://jacinth.cft.ca.us:1447/unbound-master/cft.zone". But the 'A'
and AAAA records for Jacinth are in the zonefile that unbound is trying
to download. Thus the download didn't happen. I realized that
Jacinth's webserver is restricted to the internal net and VPNs, so I
could just switch to https://IPADDR/. Now it's downloading. I think
it would be helpful to warn users in the man page about this chicken
and egg issue.

How about a feature request: make a generic pair of commands:
local-data-hint: "name TTL type value" and hint-file: "zonefile-name".
This would have the same effect as root-hints, and in fact could replace
that command (except for the backward compatibility issue), but it could
be used in any context, specifically auth-zone: (and forward-zone:?)
Then the hostname in the url: and other parameters could be given
alphabetically, making the config file more maintainable.
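
The chicken-and-egg dependency described in Workaround #2 can be checked for mechanically. The following is an added example, not part of the original post or of the Unbound project: it scans an unbound.conf for `auth-zone:` clauses whose `url:` host name lies inside the zone being fetched. The sample config is constructed; the zone name `cft.ca.us` and the address `192.0.2.10` are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample. The first url: is the one quoted in the post; the zone
# name "cft.ca.us" and the 192.0.2.10 address are assumptions for illustration.
SAMPLE_CONF = '''
auth-zone:
    name: "cft.ca.us"
    url: "https://jacinth.cft.ca.us:1447/unbound-master/cft.zone"
auth-zone:
    name: "cft.ca.us"
    url: "https://192.0.2.10:1447/unbound-master/cft.zone"
'''

def is_ip(host):
    """True for IPv4/IPv6 literals, which need no DNS lookup."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def in_zone(host, zone):
    """True if host equals the zone apex or is a name below it."""
    host, zone = host.rstrip(".").lower(), zone.rstrip(".").lower()
    return zone == "" or host == zone or host.endswith("." + zone)

def find_circular_urls(conf_text):
    """Return (zone, url) pairs where fetching the zone needs the zone itself."""
    zones, current = [], None
    for raw in conf_text.splitlines():
        m = re.match(r'\s*([a-z-]+):\s*"?([^"#]*)"?', raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1), m.group(2).strip()
        if not value:  # clause header such as "auth-zone:" or "server:"
            current = {"name": None, "urls": []} if key == "auth-zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None and key == "name":
            current["name"] = value
        elif current is not None and key == "url":
            current["urls"].append(value)
    return [(z["name"], url) for z in zones for url in z["urls"]
            if z["name"] and (host := urlsplit(url).hostname)
            and not is_ip(host) and in_zone(host, z["name"])]
```

The check only catches the direct case, where the download host is named inside its own zone; a host in another zone that is itself served only by this resolver chain is not detected.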