Phil Vandry wrote: > Hello again Martin, > > On Mon, Feb 01, 2010 at 11:48:30AM +1300, martin f. krafft wrote: > > +if ! echo "$MD5SUM" | md5sum -c 2>&1; then > > + invoke-rc.d unbound force-reload > > +fi > > For unbound, force-reload is actually the same as restart, so > you are forcing it to restart (including discarding the contents > of its cache) every time the nameserver information changes. > Unbound supports dynamically setting the upstream resolvers > using unbound-control. I believe that's both cleaner (no messy > files in /var/cache) and less disruptive. > > I have attached a script /etc/resolvconf/update.d/unbound > that does it the unbound-control way, in case you're interested.
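Review bot: in the `if` line, `md5sum -c 2>&1` only folds stderr into stdout, so the OK/FAILED line and any error text are still printed on every run; if the intent was to keep the hook quiet, redirect stdout as well (`md5sum -c >/dev/null 2>&1`). The condition is also true whenever md5sum exits non-zero for any reason, not only on a checksum mismatch, so a missing or unreadable checksummed file ends in `invoke-rc.d unbound force-reload` too; a comment saying whether that is intended would help.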
note that the stock unbound package does not set up unbound-control:

root@bst:~# unbound-control status
[1297895369] unbound-control[336:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
336:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('/etc/unbound/unbound_control.pem','r')
336:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
336:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:470:
root@bst:~#

the BIND9 equivalent to unbound-control is rndc, and i believe the
bind9 package automatically sets up the necessary rndc shared secret.
should the unbound package automatically set up the necessary key
material and configuration for unbound-control?

also note that rndc is available in a separate package (bind9utils).
should unbound-control{,-setup} go in a separate unbound-utils package
as well, so that one can control a remote unbound server without
installing the unbound package?

-- 
Robert Edmonds
edmo...@debian.org