Date: Fri, 23 May 2008 08:39:32 +1200
From: Jonathan Chen <jonc@chen.org.nz>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Steve Bertrand <iaccounts@ibctech.ca>, freebsd-questions@freebsd.org
Subject: Re: Multiple instances of BIND at startup
Message-ID: <20080522203932.GA74897@osiris.chen.org.nz>
In-Reply-To: <4835634F.6060107@ibctech.ca>
References: <48345138.8080507@ibctech.ca> <4834599A.1090108@infracaninophile.co.uk> <4834A7B4.9030302@ibctech.ca> <20080521232319.GA57359@osiris.chen.org.nz> <4834B7EE.3000002@ibctech.ca> <20080522020619.GA69543@osiris.chen.org.nz> <4834D891.6050707@ibctech.ca> <20080522035913.GA78449@osiris.chen.org.nz> <483503AD.60801@infracaninophile.co.uk> <4835634F.6060107@ibctech.ca>
On Thu, May 22, 2008 at 08:13:03AM -0400, Steve Bertrand wrote:
>
> >> The "match-destination" inspects the DNS address used by the client to
> >> query to determine which view to use. Would this suit your purpose?
>
> Well, yes, it would suit the purpose, but my fear was exactly that of
> what Matthew states below about 'leaking'.
>
> > I believe that the problem is this: even if configured to be an
> > authoritative server, BIND will respond to a query about zones
> > outside what it has authoritative data for with data from its cache
> > if that data is present. As there is only one cache per instance of
> > BIND, enabling any sort of recursive capability on a server that is
> > otherwise meant to be entirely authoritative can lead to data leaking
> > between the authoritative and recursive parts. This opens up the
> > possibility of tricking a server into caching false data and responding
> > with it as if it was authoritative.

If this were true, the "view" feature would be broken. I've just tried
this with a client-based ACL, and there doesn't appear to be any
cache-leaking across views. Any counter-examples would be welcome.

Cheers.
-- 
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
Experience is a hard teacher because she gives the test first, the lesson afterwards
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080522203932.GA74897>
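The split the thread is debating, as an added example that none of the participants posted: a single BIND 9 named.conf in which one view is authoritative-only and a second view recurses for LAN clients, selected by match-clients and match-destinations. In BIND 9 each view gets its own cache unless the views are explicitly joined with attach-cache, which is why recursive data in the internal view is not served from the external view. The addresses (192.0.2.53 public, 10.0.0.53 internal), the "lan" ACL, the zone example.org and the file paths are assumptions for illustration.

```conf
// Added example: two-view named.conf separating authoritative and recursive
// service. Addresses, ACL, zone name and paths are assumed, not from the thread.

acl "lan" { 10.0.0.0/8; 127.0.0.1; };

options {
    listen-on { 192.0.2.53; 10.0.0.53; };
    recursion no;                  // default for any view that does not override it
    allow-transfer { none; };
};

// Authoritative-only view, reached via the public address.
// No recursion, so the only data it can answer with is its own zone data.
view "external" {
    match-destinations { 192.0.2.53; };
    recursion no;
    allow-recursion { none; };
    // Deliberately no attach-cache: this view keeps a cache of its own, so
    // whatever the internal view has looked up never appears in answers here.
    zone "example.org" {
        type master;
        file "/etc/namedb/master/example.org";
    };
};

// Recursive view for LAN clients only, reached via the internal address.
// Views are tried in order; a LAN host querying 192.0.2.53 still lands in
// "external" above and is not recursed for.
view "internal" {
    match-clients { lan; };
    match-destinations { 10.0.0.53; };
    recursion yes;
    allow-recursion { lan; };
    zone "example.org" {
        type master;
        file "/etc/namedb/master/example.org";
    };
    zone "." {
        type hint;
        file "/etc/namedb/named.root";
    };
};
```

To check for the leak Matthew describes, resolve a name outside example.org through the internal view first (for instance dig @10.0.0.53 www.freebsd.org from a LAN host), then repeat the query against 192.0.2.53 with +norecurse: the external view must return no answer section (REFUSED or an empty referral), never the record the internal view just cached. If both views are ever given the same attach-cache name they share one cache and that second query would succeed, which is exactly the configuration to avoid on a server meant to be authoritative-only.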