named and use of resolv.conf? - how to "learn" this

Matthew Pounsett matt at conundrum.com
Wed Aug 3 13:59:18 UTC 2016


On 2 August 2016 at 19:50, Evan Hunt <each at isc.org> wrote:

> On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> > Yes it will.  But, as far as I understand, it uses the recursive code
> > paths to do that, and won't consult resolv.conf.  Yes?
>
> Correct. However, an option to use the system resolver for this instead
> is a feature request we've been considering.
>
> The reason: Whenever we find a security bug that affects recursive
> operation only, someone who runs an auth-only server inevitably asks
> whether their system is affected, and we always have to say, "well,
> *probably* not, but recursive code *is* sometimes used in authoritative
> servers in order to blah blah etc" and it might be nice to just say no.
>

I'd suggest another reason:  the auth server should be subject to the same
resolution path/rules as other software in the network.  If, for example,
I've got some resolution exception configured in my local recursive servers
(such as a per-zone forwarding rule) it seems likely I'd want the
authoritative server to follow that without having to also configure it
into the authoritative server.