From owner-freebsd-questions@FreeBSD.ORG Thu May 22 20:39:34 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D15071065684 for ; Thu, 22 May 2008 20:39:34 +0000 (UTC) (envelope-from jonc@chen.org.nz)
Received: from chen.org.nz (ip-58-28-152-174.static-xdsl.xnet.co.nz [58.28.152.174]) by mx1.freebsd.org (Postfix) with ESMTP id 6D2718FC13 for ; Thu, 22 May 2008 20:39:34 +0000 (UTC) (envelope-from jonc@chen.org.nz)
Received: by chen.org.nz (Postfix, from userid 1000) id 4F9AD2841C; Fri, 23 May 2008 08:39:32 +1200 (NZST)
Date: Fri, 23 May 2008 08:39:32 +1200
From: Jonathan Chen
To: Matthew Seaman
Cc: Steve Bertrand, freebsd-questions@freebsd.org
Subject: Re: Multiple instances of BIND at startup
Message-ID: <20080522203932.GA74897@osiris.chen.org.nz>
In-Reply-To: <4835634F.6060107@ibctech.ca>
References: <48345138.8080507@ibctech.ca> <4834599A.1090108@infracaninophile.co.uk> <4834A7B4.9030302@ibctech.ca> <20080521232319.GA57359@osiris.chen.org.nz> <4834B7EE.3000002@ibctech.ca> <20080522020619.GA69543@osiris.chen.org.nz> <4834D891.6050707@ibctech.ca> <20080522035913.GA78449@osiris.chen.org.nz> <483503AD.60801@infracaninophile.co.uk> <4835634F.6060107@ibctech.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 22 May 2008 20:39:34 -0000

On Thu, May 22, 2008 at 08:13:03AM -0400, Steve Bertrand wrote:
> 
> >>The "match-destination" inspects the DNS address used by the client to
> >>query to determine which view to use. Would this suit your purpose?
> 
> Well, yes, it would suit the purpose, but my fear was exactly that of
> what Matthew states below about 'leaking'.
> 
> >I believe that the problem is this: even if configured to be an
> >authoritative server, BIND will respond to a query about zones
> >outside what it has authoritative data for with data from its cache
> >if that data is present. As there is only one cache per instance of
> >BIND, enabling any sort of recursive capability on a server that is
> >otherwise meant to be entirely authoritative can lead to data leaking
> >between the authoritative and recursive parts. This opens up the
> >possibility of tricking a server into caching false data and responding
> >with it as if it was authoritative.

If this were true, the "view" feature would be broken. I've just tried
this with a client-based ACL, and there doesn't appear to be any
cache-leaking across views. Any counter-examples would be welcome.

Cheers.
-- 
Jonathan Chen
----------------------------------------------------------------------
Experience is a hard teacher because she gives the test first, the lesson afterwards
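The split the thread is discussing, written out as an added named.conf example (not from the original mail, and not the configuration of any of the posters). It keeps authoritative service for the public and recursive service for internal clients in one named process but in two views, so that each role gets its own cache; the ACL names, the documentation address ranges 192.0.2.0/24 and 203.0.113.53, the listen addresses and the zone example.org are all assumed. Note that the BIND directive is spelled match-destinations (plural), not match-destination as quoted above.

```conf
// Added example, not from the thread. Assumed, hypothetical values:
//   203.0.113.53   public address the authoritative service answers on
//   192.0.2.53     internal address the recursive service answers on
//   192.0.2.0/24   internal client network that is allowed to recurse
//   example.org    zone this server is authoritative for

acl internal { 192.0.2.0/24; 127.0.0.0/8; ::1; };

options {
    directory "/usr/local/etc/namedb";        // FreeBSD port default
    listen-on { 203.0.113.53; 192.0.2.53; };
    recursion no;                             // default for every view below
    allow-query { any; };
};

// The weak setting the thread warns about, shown for contrast and left
// commented out: one view-less server with
//     recursion yes; allow-recursion { any; };
// answers authoritative and recursive queries from the same cache.

// Views are tried in order; the first whose match-clients AND
// match-destinations both match wins, so the internal view comes first.
view "internal" {
    match-clients      { internal; };
    match-destinations { 192.0.2.53; };
    recursion yes;
    allow-recursion    { internal; };
    allow-query-cache  { internal; };

    zone "." {                  // root hints are needed in the view that recurses
        type hint;
        file "named.root";
    };

    zone "example.org" {
        type master;
        file "master/example.org.internal";
    };
};

// Everyone else only ever gets authoritative data. Both cache-related
// permissions are closed, so a query for a name outside example.org is
// refused instead of being answered from any cache.
view "public" {
    match-clients      { any; };
    match-destinations { 203.0.113.53; };
    recursion no;
    allow-recursion    { none; };
    allow-query-cache  { none; };
    additional-from-cache no;   // never pad an authoritative answer from cache

    zone "example.org" {
        type master;
        file "master/example.org";
    };
};
```

Two checks worth running after reloading: `named-checkconf -z /usr/local/etc/namedb/named.conf` parses the file and loads every zone in every view, and `dig @203.0.113.53 www.example.com` from outside the internal ACL should come back with status REFUSED and without the `ra` flag, while the same query at `@192.0.2.53` from an internal host is answered recursively. Because each BIND 9 view maintains its own cache unless views are explicitly told to share one, an answer cached by the internal view cannot be served by the public view; that separation is the mechanism behind the observation in the mail above.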