Date:      Fri, 12 Dec 2014 11:19:37 +0000
From:      Matt Smith <fbsd@xtaz.co.uk>
To:        Mathieu Arnold <mat@FreeBSD.org>
Cc:        Scot Hetzel <swhetzel@gmail.com>, FreeBSD Ports <freebsd-ports@freebsd.org>
Subject:   Re: Unbound/NSD rc startup order
Message-ID:  <20141212111937.GC52267@xtaz.uk>
In-Reply-To: <C8B285F72A4A90FB988ED516@atuin.in.mat.cc>
References:  <20141211105139.GA1270@xtaz.uk> <20141212075328.GB52267@xtaz.uk> <548AC04A.8000804@bluerosetech.com> <CACdU%2Bf8ECBJr4VrLXhu1%2BKJfnq5=%2BWdFqm8DAZn5S_TUAFxJqw@mail.gmail.com> <C8B285F72A4A90FB988ED516@atuin.in.mat.cc>

On Dec 12 12:07, Mathieu Arnold wrote:
>+--On 12 December 2014 05:00:00 -0600 Scot Hetzel <swhetzel@gmail.com>
>wrote:
>| On Fri, Dec 12, 2014 at 4:15 AM, Darren Pilgrim
>| <list_freebsd@bluerosetech.com> wrote
>|> On 12/11/2014 11:53 PM, Matt Smith wrote:
>|>>
>|>> Somebody has let me know that I made an obvious mistake in the above. I
>|>> meant that the default rcorder is to run Unbound first followed by NSD.
>|>> So to clarify I think in the default situation Unbound starts first,
>|>> contacts NSD and gets no answer because it hasn't been started yet and
>|>> then fails in some way.  Whereas if NSD is running first then Unbound is
>|>> happy.
>|>
>|>
>|> Unbound requires SERVERS, but nsd requires LOGIN, a much later
>|> checkpoint.
>|>
>|> The fix would be adding an rcorder override mechanism whereby one could
>|> specify additional constraints (like unbound REQUIRE nsd).  If there's
>|> interest for this, I can see about a patch.
>|>
>| Would it be better to add:
>|
>|# BEFORE: unbound
>|
>| to the dns/nsd rc.d script?
>
>Well, the thing is, a resolver is required way before an authoritative
>server is.
>

Yes. I've been thinking that maybe it's actually in the correct order 
really after all. I've worked around my particular problem by changing 
the order, but that might not be the case for everyone else.

I'm thinking now why actually do I have DNSSEC validation on my local 
intranet domain and reverse DNS anyway? I run two instances of NSD, one 
for the LAN which Unbound talks to, and one for the internet which 
everyone else talks to. It could be argued that I only need to DNSSEC 
sign the internet copies of the zones and not the LAN ones in which case 
this problem won't exist. Maybe I should just go down that route 
instead.

-- 
Matt
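An added example, not code from the thread or from FreeBSD: a small Python model of how rcorder(8) turns PROVIDE/REQUIRE/BEFORE keywords into start-order constraints. The rc.d headers are constructed and trimmed to the keywords quoted above; it shows that those keywords alone force neither order between unbound and nsd (rcorder's tie-breaking decides), that Scot's `# BEFORE: unbound` line pins nsd first, and that the same line becomes a circular dependency if anything at the LOGIN checkpoint were to require the resolver, which is one way to read Mathieu's objection (that extra REQUIRE is an assumption, not a real script).

```python
import re
from collections import defaultdict
# Constructed rc.d headers (assumption): real /etc/rc.d and ports scripts
# carry more keywords; only those relevant to unbound/nsd are kept.
SCRIPTS = {
    "SERVERS": "# PROVIDE: SERVERS\n",
    "LOGIN":   "# PROVIDE: LOGIN\n# REQUIRE: SERVERS\n",
    "unbound": "# PROVIDE: unbound\n# REQUIRE: SERVERS\n",
    "nsd":     "# PROVIDE: nsd\n# REQUIRE: LOGIN\n",
}
KEYWORD = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse(text):
    """Collect the words after each PROVIDE/REQUIRE/BEFORE keyword line."""
    out = defaultdict(list)
    for kw, rest in KEYWORD.findall(text):
        out[kw].extend(rest.split())
    return out

def predecessors(scripts):
    """pred[x] = set of scripts that must start before x."""
    meta = {n: parse(t) for n, t in scripts.items()}
    provider = {p: n for n, m in meta.items() for p in m["PROVIDE"] or [n]}
    pred = defaultdict(set)
    for n, m in meta.items():
        for r in m["REQUIRE"]:
            pred[n].add(provider[r])      # n REQUIREs r: r starts first
        for b in m["BEFORE"]:
            pred[provider[b]].add(n)      # n is BEFORE b: n starts first
    return pred

def must_precede(scripts, a, b):
    """True if the keywords force a to start (transitively) before b."""
    pred, seen, todo = predecessors(scripts), set(), [b]
    while todo:
        for p in pred[todo.pop()]:
            if p == a:
                return True
            if p not in seen:
                seen.add(p); todo.append(p)
    return False

def has_cycle(scripts):
    """rcorder(8) rejects this: some script would have to start before itself."""
    return any(must_precede(scripts, n, n) for n in scripts)

def with_before_unbound(scripts=SCRIPTS):
    """Scot's proposal: append '# BEFORE: unbound' to the nsd script."""
    return dict(scripts, nsd=scripts["nsd"] + "# BEFORE: unbound\n")

def with_resolver_before_login(scripts=SCRIPTS):
    """Assumed variant: something at the LOGIN checkpoint needs the resolver."""
    return dict(scripts, LOGIN=scripts["LOGIN"] + "# REQUIRE: unbound\n")
```

Combining the last two helpers reproduces the circular dependency that rcorder would refuse; on the real system, check with `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` after editing a script.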



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141212111937.GC52267>