From owner-freebsd-questions@FreeBSD.ORG Thu May 22 12:15:05 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5B501065680 for ; Thu, 22 May 2008 12:15:05 +0000 (UTC) (envelope-from iaccounts@ibctech.ca)
Received: from pearl.ibctech.ca (pearl.ibctech.ca [208.70.104.210]) by mx1.freebsd.org (Postfix) with ESMTP id 743308FC23 for ; Thu, 22 May 2008 12:15:04 +0000 (UTC) (envelope-from iaccounts@ibctech.ca)
Received: (qmail 58003 invoked by uid 1002); 22 May 2008 12:15:04 -0000
Received: from iaccounts@ibctech.ca by pearl.ibctech.ca by uid 89 with qmail-scanner-1.22 (spamassassin: 2.64. Clear:RC:1(208.70.104.100):. Processed in 1.702684 secs); 22 May 2008 12:15:04 -0000
Received: from unknown (HELO ?192.168.30.110?) (steve@ibctech.ca@208.70.104.100) by pearl.ibctech.ca with (DHE-RSA-AES256-SHA encrypted) SMTP; 22 May 2008 12:15:00 -0000
Message-ID: <4835634F.6060107@ibctech.ca>
Date: Thu, 22 May 2008 08:13:03 -0400
From: Steve Bertrand
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Matthew Seaman
References: <48345138.8080507@ibctech.ca> <4834599A.1090108@infracaninophile.co.uk> <4834A7B4.9030302@ibctech.ca> <20080521232319.GA57359@osiris.chen.org.nz> <4834B7EE.3000002@ibctech.ca> <20080522020619.GA69543@osiris.chen.org.nz> <4834D891.6050707@ibctech.ca> <20080522035913.GA78449@osiris.chen.org.nz> <483503AD.60801@infracaninophile.co.uk>
In-Reply-To: <483503AD.60801@infracaninophile.co.uk>
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org, Jonathan Chen
Subject: Re: Multiple instances of BIND at startup
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 22 May 2008 12:15:05 -0000

>> The "match-destination" inspects the DNS address used by the client to
>> query to determine which view to use. Would this suit your purpose?

Well, yes, it would suit the purpose, but my fear was exactly that of what
Matthew states below about 'leaking'.

> I believe that the problem is this: even if configured to be an
> authoritative server, BIND will respond to a query about zones
> outside what it has authoritative data for with data from its cache
> if that data is present. As there is only one cache per instance of
> BIND, enabling any sort of recursive capability on a server that is
> otherwise meant to be entirely authoritative can lead to data leaking
> between the authoritative and recursive parts. This opens up the
> possibility of tricking a server into caching false data and responding
> with it as if it was authoritative.
>
> In answer to the OP's original question -- yes you can start two instances
> of BIND given the obvious requirement that they have distinct network
> addresses and ports, pid files etc. You just have to copy the startup
> script to a new name and modify the variable prefix internally -- eg.
> This chunk at the beginning of the script:

This is exactly what I'm after.

Thank you for all the help!

Steve
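The split Matthew describes, as an added example that is not part of the thread or of the FreeBSD rc scripts: two minimal named.conf `options` blocks, one per BIND instance, and a POSIX sh check that the instances bind distinct addresses and pid files and that the authoritative instance has recursion off, so no recursive lookups populate a cache it could answer from. The addresses, directories and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two named.conf "options" blocks,
# one per instance, with constructed addresses and paths (assumptions).

# Instance 1: authoritative only. Recursion is off, so this instance never
# resolves on behalf of clients and has no resolver cache to leak from.
AUTH_CONF='options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    listen-on port 53 { 192.0.2.10; };
    recursion no;
    allow-query { any; };
};'

# Instance 2: recursive resolver for internal clients only, bound to its
# own address and using its own pid file, so both daemons can start.
RESOLVER_CONF='options {
    directory "/etc/namedb2";
    pid-file "/var/run/named2/pid";
    listen-on port 53 { 192.168.30.1; };
    recursion yes;
    allow-recursion { 192.168.30.0/24; };
    allow-query { 192.168.30.0/24; };
};'

# Value of a single option inside an options block (first match only).
conf_get() {  # $1 = config text, $2 = option name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*\(.*\);\$/\1/p" | head -n 1
}

# Address and port an instance binds to, as "addr:port".
conf_endpoint() {  # $1 = config text
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*listen-on port \([0-9]*\) { \([^;]*\); };/\2:\1/p' | head -n 1
}

# Returns 0 only when the two instances can run side by side and the
# authoritative one cannot serve cached data: distinct endpoint, distinct
# pid-file, and recursion disabled on the authoritative instance.
check_split() {  # $1 = authoritative conf, $2 = resolver conf
    [ "$(conf_endpoint "$1")" != "$(conf_endpoint "$2")" ] || return 1
    [ "$(conf_get "$1" pid-file)" != "$(conf_get "$2" pid-file)" ] || return 1
    [ "$(conf_get "$1" recursion)" = "no" ] || return 1
    return 0
}

check_split "$AUTH_CONF" "$RESOLVER_CONF" && echo "split configuration OK"
```

The same check can be pointed at real files with `check_split "$(cat named.conf)" "$(cat named2.conf)"` before the second rc script is enabled.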