From: Matthew Seaman
Organization: Infracaninophile
Date: Thu, 22 May 2008 06:25:01 +0100
To: Jonathan Chen
Cc: Steve Bertrand, freebsd-questions@freebsd.org
Subject: Re: Multiple instances of BIND at startup
Message-ID: <483503AD.60801@infracaninophile.co.uk>
In-Reply-To: <20080522035913.GA78449@osiris.chen.org.nz>
Jonathan Chen wrote:
> On Wed, May 21, 2008 at 10:21:05PM -0400, Steve Bertrand wrote:
> 
> [...]
>> My authoritative name server (service, eventually cluster) will
>> eventually house about 500 domains, which I want only recursive DNS
>> servers that come from the root .tld down to see (no caching).
>>
>> The caching name server (service, and eventually cluster) will see tens
>> of thousands of our clients' requests (we are an ISP) to use as their DNS
>> lookup, which will perform recursive lookups that we are not
>> authoritative for.
>>
>> I'm sorry, I don't know how to put it into other words, other than I
>> want complete separation from dns authoritative and dns caching services
>> to be disparate.
> 
> Let's say your authoritative server is listening on IP-A, and your
> caching server is listening on IP-B; both ip-addresses are on the same
> host. We can have a named instance listening on both addresses, with
> multiple views like:
> 
> /*
>  Used by root .tld.
> */
> view "authoritative"
> {
>     match-destination
>     {
>         IP-A;
>     };
>     recursion no;
> 
>     zone "my.authoritative.org"
>     {
>         type master;
>         ...
>     };
>     ....
> }
> 
> /*
>  Use by our client requests.
> */
> view "caching"
> {
>     match-destination
>     {
>         IP-B;
>     };
>     recursion yes;
> 
>     zone "my.authoritative.org"
>     {
>         type master;
>         ...
>     };
>     ....
> }
> 
> The "match-destination" inspects the DNS address used by the client to
> query to determine which view to use. Would this suit your purpose?

I believe that the problem is this: even if configured to be an
authoritative server, BIND will respond to a query about zones outside
what it has authoritative data for with data from its cache if that data
is present.

As there is only one cache per instance of BIND, enabling any sort of
recursive capability on a server that is otherwise meant to be entirely
authoritative can lead to data leaking between the authoritative and
recursive parts. This opens up the possibility of tricking a server into
caching false data and responding with it as if it was authoritative.

In answer to the OP's original question -- yes you can start two instances
of BIND given the obvious requirement that they have distinct network
addresses and ports, pid files etc. You just have to copy the startup
script to a new name and modify the variable prefix internally -- eg. This
chunk at the beginning of the script:

name="named"
rcvar=named_enable

you'd modify to say instead:

name="named1"
rcvar=named1_enable

-- modifying all of the other instances of variable name prefixes in the
file from named to named1 similarly. Then you'd put:

named1_enable="YES"
named1_chroot="/var/named1"
named1_pidfile="/var/run/named1/pid"

etc. etc. into /etc/rc.conf. You can put your modified named1.sh rc script
into /etc/rc.d/ or /usr/local/etc/rc.d/ -- the latter is probably more
desirable as you won't get prompted to delete the file every time you run
mergemaster -- and the rcorder stuff will cause it to be started at much
the same stage in the boot process as the original named.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
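The rc-script cloning that Matthew describes above, worked through as an added example that is not part of the original thread and not FreeBSD's own code. It rewrites a miniature rc.d script (constructed here, not the real /etc/rc.d/named) so every named_* knob becomes named1_*, leaves the command path alone, and then checks the rc.conf settings so the two instances cannot end up sharing a pid file. Assumptions: the script follows the usual rc.subr layout (name=, rcvar=, named_* knobs), the chroot knob is spelled _chrootdir to match the constructed script, the PROVIDE line is renamed as well (my own addition, so rcorder sees a distinct service), and only POSIX sh, sed and grep are used.

```shell
#!/bin/sh
# Added example, not from the original thread: derive a second FreeBSD
# rc.d script for BIND by rewriting its variable prefix (named_* -> named1_*),
# then check that the rc.conf settings give the two instances distinct pidfiles.
# Assumptions: the script follows the usual rc.subr layout with name="named",
# rcvar=named_enable and named_* knobs; only POSIX sh, sed and grep are used.

# Constructed miniature of an rc.d named script (not the real FreeBSD file).
SAMPLE_SCRIPT='#!/bin/sh
# PROVIDE: named
# REQUIRE: SERVERS cleanvar
. /etc/rc.subr
name="named"
rcvar=named_enable
command="/usr/sbin/named"
load_rc_config $name
: ${named_enable:="NO"}
: ${named_chrootdir:="/var/named"}
: ${named_pidfile:="/var/run/named/pid"}
pidfile="${named_pidfile}"
command_args="-c ${named_conf:-/etc/namedb/named.conf} -u bind"
run_rc_command "$1"'

# Constructed /etc/rc.conf lines enabling both instances, as in the reply above
# (the chroot knob is spelled _chrootdir here to match the sample script).
SAMPLE_RC_CONF='named_enable="YES"
named1_enable="YES"
named1_chrootdir="/var/named1"
named1_pidfile="/var/run/named1/pid"'

# clone_rc_script OLD NEW: rewrite the script on stdin so every OLD_ knob
# becomes NEW_, name="OLD" becomes name="NEW", and the PROVIDE line is renamed
# so rcorder sees a distinct service (renaming PROVIDE is my own addition).
# Paths such as /usr/sbin/named are left alone: the last rule only matches
# OLD_ at the start of a line or after a non-identifier, non-slash character.
clone_rc_script() {
    sed -e "s/^name=\"$1\"\$/name=\"$2\"/" \
        -e "s/^# PROVIDE: $1\$/# PROVIDE: $2/" \
        -e "s/^$1_/$2_/" \
        -e "s|\([^A-Za-z0-9_/]\)$1_|\1$2_|g"
}

# leftover_prefix_count OLD: number of lines on stdin still using OLD_ knobs;
# anything but 0 means the clone would still read the first instance's settings.
leftover_prefix_count() {
    grep -c "$1_" || true
}

# pidfile_of PREFIX DEFAULT: the PREFIX_pidfile value from rc.conf text on
# stdin, or DEFAULT when the knob is unset (the script's default still applies).
pidfile_of() {
    p=$(sed -n "s/^$1_pidfile=\"\(.*\)\"\$/\1/p")
    printf '%s\n' "${p:-$2}"
}

# pidfiles_distinct RC_CONF_TEXT: succeeds only when named and named1 end up
# with different pidfiles; with a shared pidfile, stopping one instance would
# signal the other.
pidfiles_distinct() {
    a=$(printf '%s\n' "$1" | pidfile_of named /var/run/named/pid)
    b=$(printf '%s\n' "$1" | pidfile_of named1 /var/run/named/pid)
    [ "$a" != "$b" ]
}

# Demonstration: print the derived named1 script and run the pidfile check.
printf '%s\n' "$SAMPLE_SCRIPT" | clone_rc_script named named1
if pidfiles_distinct "$SAMPLE_RC_CONF"; then
    echo "ok: named and named1 use different pidfiles"
else
    echo "warning: named and named1 share a pidfile" >&2
fi
```

Run it once against the real script (`clone_rc_script named named1 < /etc/rc.d/named > /usr/local/etc/rc.d/named1`) and then feed the result to leftover_prefix_count: a non-zero count means some knob was spelled in a way the rewrite did not catch, and that instance would silently pick up the first instance's settings. The pidfile check matters because the cloned script still defaults to /var/run/named/pid unless named1_pidfile is set in /etc/rc.conf.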