From: Beat Siegenthaler
Date: Thu, 22 May 2008 17:57:09 +0200
Cc: freebsd-questions@freebsd.org
Subject: Re: Multiple instances of BIND at startup
In-Reply-To: <4835634F.6060107@ibctech.ca>

Steve Bertrand wrote:

>> I believe that the problem is this: even if configured to be an
>> authoritative server, BIND will respond to a query about zones
>> outside what it has authoritative data for with data from its cache
>> if that data is present. As there is only one cache per instance of
>> BIND, enabling any sort of recursive capability on a server that is
>> otherwise meant to be entirely authoritative can lead to data leaking
>> between the authoritative and recursive parts. This opens up the
>> possibility of tricking a server into caching false data and responding
>> with it as if it was authoritative.

I cannot believe this; I want to research this myself (and the impact on
my designs). Maybe it is time to give unbound a try:

[root@ATOM:/usr/ports/dns/unbound] # cat pkg-descr
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

Goals:
    * A validating recursive DNS resolver.
    * Code diversity in the DNS resolver monoculture.
    * Drop-in replacement for BIND apart from config.
    * DNSSEC support.
    * Fully RFC compliant.
    * High performance
        o even with validation.
    * Used as
        o stub resolver.
        o full caching name server.
        o resolver library.
    * Elegant design of validator, resolver, cache modules.
        o provide the ability to pick and choose modules.
    * Robust.
    * In C, open source: The BSD license.
    * Smallest as possible component that does the job.
    * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
    * An authoritative name server.
    * Too many Features.

WWW: http://unbound.net
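The quoted concern (an authoritative server answering off-zone queries from its cache, or offering recursion at all) can be checked from the DNS response header alone. The following is an added example, not code from the thread or from BIND/unbound: it decodes the 12-byte wire-format header and flags a reply that either sets RA or carries answer data without AA, using two constructed sample replies; parse_header, audit_response and build_header are hypothetical names.

```python
import struct

# Header flag bits and rcodes from the DNS wire format (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 1 << 15, 1 << 10, 1 << 8, 1 << 7
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),   # 1 = response
        "aa": bool(flags & AA),   # answer comes from authoritative data
        "rd": bool(flags & RD),   # client asked for recursion
        "ra": bool(flags & RA),   # server offers recursion
        "rcode": flags & 0x0F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def audit_response(msg: bytes) -> list:
    """Findings for the reply an authoritative-only server gave to a query
    for a name outside its zones. An empty list means the reply looks right:
    no recursion offered and no cached (non-authoritative) answer data."""
    h = parse_header(msg)
    if not h["qr"]:
        return ["message is a query, not a response"]
    findings = []
    if h["ra"]:
        findings.append("RA flag set: server advertises recursion")
    if h["ancount"] > 0 and not h["aa"]:
        findings.append("non-authoritative answer: data was served from the cache")
    return findings


def build_header(flags: int, qd=1, an=0, ns=0, ar=0, ident=0x1234) -> bytes:
    """Build a bare header; used here only to construct sample replies."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample: an authoritative-only server refusing an off-zone query.
GOOD_REPLY = build_header(QR | RD | RCODE_REFUSED)
# Constructed sample: the same query answered from the cache with RA set.
LEAKY_REPLY = build_header(QR | RD | RA | RCODE_NOERROR, an=1)

if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("leaky", LEAKY_REPLY)):
        print(name, audit_response(reply) or "ok")
```

On a live server the same check applies to the raw bytes of a reply captured for a name the server is not authoritative for; a clean authoritative-only instance returns REFUSED with RA clear.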