Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 22 May 2008 17:57:09 +0200
From:      Beat Siegenthaler <beat.siegenthaler@beatsnet.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Multiple instances of BIND at startup
Message-ID:  <483597D5.8030706@beatsnet.com>
In-Reply-To: <4835634F.6060107@ibctech.ca>
References:  <48345138.8080507@ibctech.ca>	<4834599A.1090108@infracaninophile.co.uk>	<4834A7B4.9030302@ibctech.ca>	<20080521232319.GA57359@osiris.chen.org.nz>	<4834B7EE.3000002@ibctech.ca>	<20080522020619.GA69543@osiris.chen.org.nz>	<4834D891.6050707@ibctech.ca>	<20080522035913.GA78449@osiris.chen.org.nz>	<483503AD.60801@infracaninophile.co.uk> <4835634F.6060107@ibctech.ca>
next in thread | previous in thread | raw e-mail | index | archive | help 

Steve Bertrand wrote:
> 
> 
>> I believe that the problem is this: even if configured to be an
>> authoritative server, BIND will respond to a query about zones
>> outside what it has authoritative data for with data from its cache
>> if that data is present.  As there is only one cache per instance of
>> BIND, enabling any sort of recursive capability on a server that is
>> otherwise meant to be entirely authoritative can lead to data leaking
>> between the authoritative and recursive parts.  This opens up the
>> possibility of tricking a server into caching false data and responding
>> with it as if it was authoritative.

I cannot believe this, I want to research this myself (and the impact to 
my designs.

Maybe it is the time to give unbound a try:

[root@ATOM:/usr/ports/dns/unbound] # cat pkg-descr
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
     * A validating recursive DNS resolver.
     * Code diversity in the DNS resolver monoculture.
     * Drop-in replacement for BIND apart from config.
     * DNSSEC support.
     * Fully RFC compliant.
     * High performance
           o even with validation.
     * Used as
           o stub resolver.
           o full caching name server.
           o resolver library.
     * Elegant design of validator, resolver, cache modules.
           o provide the ability to pick and choose modules.
     * Robust.
     * In C, open source: The BSD license.
     * Smallest as possible component that does the job.
     * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
     * An authoritative name server.
     * Too many Features.

WWW: http://unbound.net

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?483597D5.8030706>