From owner-freebsd-ports@FreeBSD.ORG Fri Dec 12 11:19:41 2014
Date: Fri, 12 Dec 2014 11:19:37 +0000
From: Matt Smith
To: Mathieu Arnold
Cc: Scot Hetzel, FreeBSD Ports
Subject: Re: Unbound/NSD rc startup order
Message-ID: <20141212111937.GC52267@xtaz.uk>
References: <20141211105139.GA1270@xtaz.uk> <20141212075328.GB52267@xtaz.uk> <548AC04A.8000804@bluerosetech.com>

On Dec 12 12:07, Mathieu Arnold wrote:
>+--On 12 December 2014 05:00:00 -0600 Scot Hetzel wrote:
>| On Fri, Dec 12, 2014 at 4:15 AM, Darren Pilgrim wrote:
>|> On 12/11/2014 11:53 PM, Matt Smith wrote:
>|>>
>|>> Somebody has let me know that I made an obvious mistake in the above. I
>|>> meant that the default rcorder is to run Unbound first followed by NSD.
>|>> So to clarify I think in the default situation Unbound starts first,
>|>> contacts NSD and gets no answer because it hasn't been started yet and
>|>> then fails in some way. Whereas if NSD is running first then Unbound is
>|>> happy.
>|>
>|> Unbound requires SERVERS, but nsd requires LOGIN, a much later
>|> checkpoint.
>|>
>|> The fix would be adding an rcorder override mechanism whereby one could
>|> specify additional constraints (like unbound REQUIRE nsd). If there's
>|> interest for this, I can see about a patch.
>|>
>| Would it be better to add:
>|
>| # BEFORE: unbound
>|
>| to the dns/nsd rc.d script?
>
> Well, the thing is, a resolver is required way before an authoritative
> server is.
>

Yes. I've been thinking that maybe it's actually in the correct order really after all. I've worked around my particular problem by changing the order, but that might not be the case for everyone else.

I'm thinking now why actually do I have DNSSEC validation on my local intranet domain and reverse DNS anyway? I run two instances of NSD, one for the LAN which Unbound talks to, and one for the internet which everyone else talks to. It could be argued that I only need to DNSSEC sign the internet copies of the zones and not the LAN ones in which case this problem won't exist. Maybe I should just go down that route instead.

-- 
Matt
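To make the ordering argument in this thread concrete, here is an added example (not code from the thread, from FreeBSD's rc.d, or from the unbound/nsd ports): a small Python model of how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE, run over constructed stand-in headers for SERVERS, LOGIN, unbound and nsd as Darren describes them, once as-is and once with Scot's `# BEFORE: unbound` added to the nsd stand-in. The dependency chain NETWORKING -> SERVERS -> LOGIN and the `with_nsd_before_unbound` helper are assumptions of this example.

```python
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed stand-ins for the rcorder(8) keyword blocks of the scripts the
# thread discusses, NOT the real FreeBSD or port rc.d files. The chain
# NETWORKING -> SERVERS -> LOGIN is an assumed simplification of rc.d.
RC_SCRIPTS = {
    "NETWORKING": "# PROVIDE: NETWORKING\n",
    "SERVERS":    "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n",
    "LOGIN":      "# PROVIDE: LOGIN\n# REQUIRE: SERVERS\n",
    "unbound":    "# PROVIDE: unbound\n# REQUIRE: SERVERS\n",
    "nsd":        "# PROVIDE: nsd\n# REQUIRE: LOGIN\n",
}

KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_keywords(text):
    """Collect the PROVIDE/REQUIRE/BEFORE names from an rc.d header block."""
    kw = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for m in KEYWORD_RE.finditer(text):
        kw[m.group(1)].extend(m.group(2).split())
    return kw

def rcorder(scripts):
    """Simplified rcorder(8): run a script after the providers of its REQUIRE
    names and before the providers of its BEFORE names; return start order."""
    parsed = {name: parse_keywords(text) for name, text in scripts.items()}
    providers = {}  # provided name -> scripts that provide it
    for name, kw in parsed.items():
        for p in kw["PROVIDE"]:
            providers.setdefault(p, []).append(name)
    runs_after = {name: set() for name in scripts}
    for name, kw in parsed.items():
        for req in kw["REQUIRE"]:
            runs_after[name].update(providers.get(req, []))
        for target in kw["BEFORE"]:
            for other in providers.get(target, []):
                runs_after[other].add(name)
    return list(TopologicalSorter(runs_after).static_order())

def with_nsd_before_unbound(scripts):
    """Scot's suggestion (assumed helper): add '# BEFORE: unbound' to nsd."""
    return dict(scripts, nsd=scripts["nsd"] + "# BEFORE: unbound\n")

if __name__ == "__main__":
    # Default: nothing forces unbound before nsd; tie-breaking puts it first.
    print("default:     ", rcorder(RC_SCRIPTS))
    # With BEFORE: nsd precedes unbound, but unbound now also waits for LOGIN.
    print("BEFORE added:", rcorder(with_nsd_before_unbound(RC_SCRIPTS)))
```

The second run shows the cost of the BEFORE approach that Mathieu's reply points at: unbound is dragged behind the LOGIN checkpoint, so anything that needs a resolver between SERVERS and LOGIN would now start without one.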