unbound
RPZ feature request - zone transfer with hmac-sha256 key
I can't transfer the zone for RPZ without an hmac-sha256 key; please add this auth functionality for slave zones.
Unfortunately they can only give me this zone as a slave.
In bind/named this feature is present, but I would like to stay on unbound.
This feature seems to be on our planning for next year. In the meanwhile, it is possible to download the zone with dig, and then load it from a zonefile. Configure the zone with `zonefile: "nameofzone"`, then use:

```
dig -y "hmac-sha256:nameofkey:secret" @server zonename AXFR | head -n -6 > nameofzone
```

The head statement is supposed to strip off the last SOA line. And then reload this with for example `unbound-control auth_zone_reload nameofzone`. You could run this from a timer with cron and get regular updates in that manner.
Adding an option for hmac-sha256 keys similar to NSD would really facilitate RPZ sync in Unbound. Here's the current syntax for NSD:

```
key:
    name: "rpzkey"
    algorithm: hmac-sha256
    secret: "pGi0avNk2bND68cnJdFkYzGAbvQnQ7yY"

zone:
    name: example.rpz
    zonefile: example.rpz.zone
    provide-xfr: 1.2.3.4 rpzkey
```

Until this is available in unbound, we can sync with dig, using a script to remove the unwanted lines from the zonefile as described by wcawijngaards.
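The dig + unbound-control workaround wcawijngaards describes, and the "script to remove the unwanted lines" mentioned above, as an added example that is not from the thread or from the Unbound project. Instead of trusting a fixed `head -n -6`, it checks that the AXFR output is bracketed by two SOA records with the same serial, so a failed or truncated transfer does not overwrite the zonefile with garbage, installs the file atomically, and reads the TSIG key from a file with `dig -k` so the secret does not appear in the process list. The zone name, server address, key file and zonefile path are assumed placeholders.

```shell
#!/bin/sh
# Added example: safer version of the dig + unbound-control RPZ sync workaround.
# Assumed placeholders: zone example.rpz, server 192.0.2.1,
# key file /etc/unbound/rpz.key (BIND "key" statement format, as read by dig -k),
# zonefile /etc/unbound/example.rpz (the path given in unbound.conf under auth-zone).
set -eu

# Read raw "dig ... AXFR" output on stdin and emit a zonefile body on stdout.
# dig prints the records between ";"-prefixed comment lines (banner, footer,
# or "; Transfer failed."). A complete AXFR starts and ends with the zone's SOA
# and both copies carry the same serial; anything else is rejected (exit 1,
# nothing printed) so the caller keeps the previous zonefile.
axfr_to_zonefile() {
    body=$(grep -v '^;' | grep -v '^[[:space:]]*$' || true)
    [ -n "$body" ] || return 1
    # Presentation format: name ttl class type ...; for SOA, field 7 is the serial.
    first=$(printf '%s\n' "$body" | head -n 1 | awk '$4 == "SOA" {print $7}')
    last=$(printf '%s\n' "$body" | tail -n 1 | awk '$4 == "SOA" {print $7}')
    [ -n "$first" ] && [ "$first" = "$last" ] || return 1
    # Drop only the closing SOA, which is what the original head -n -6 was for.
    printf '%s\n' "$body" | sed '$d'
}

# Transfer, validate, install atomically, then tell Unbound to reload.
sync_rpz() {
    zone=$1; keyfile=$2; server=$3; zonefile=$4
    tmp=$(mktemp "${zonefile}.XXXXXX")
    if dig -k "$keyfile" @"$server" "$zone" AXFR | axfr_to_zonefile > "$tmp"; then
        chmod 644 "$tmp"            # mktemp creates 0600; unbound must be able to read it
        mv "$tmp" "$zonefile"       # rename is atomic, no half-written zonefile
        unbound-control auth_zone_reload "$zone"
    else
        rm -f "$tmp"
        echo "AXFR of $zone from $server failed; keeping previous zonefile" >&2
        return 1
    fi
}

# Run from cron, e.g.: sync_rpz example.rpz /etc/unbound/rpz.key 192.0.2.1 /etc/unbound/example.rpz
if [ $# -eq 4 ]; then
    sync_rpz "$@"
fi
```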
Any progress @wcawijngaards? Looks like nobody has been officially assigned as yet.
Hi,
It seems that no one is interested in this request anymore. However, I think it could solve some specific use cases.
So I kindly ask for a response from the developers.
Many thanks
Sorry @Antonio-Prado, maybe I didn't understand you before, but TSIG support for Unbound (for zone transfers) is still very much on the road map.
FYI: We're also wanting/waiting for TSIG support for auth zone transfers 👍
I know it's not helping at all, but same with us.
Any plans for the implementation @wcawijngaards?