Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Alexander Clouter
Tue Jun 14 21:36:56 CEST 2011


Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
>
> > > For security reasons, you shouldn't really parse traffic on a 
> > > production system, though you could write the logfile and do so 
> > > offline.
>    
> > ...which would be a good reason for unbound to do the logging 
> > itself. Unbound has already parsed the DNS packet, by necessity.
> 
> I don't understand this logic. For "security reason" one should not 
> parse traffic on the production box, but it is OK that unbound (that 
> is in production on this box) does parse it?
> 
Unbound has already parsed the DNS payload so the security reason is 
probably moot at that point.  I think $poster[-2] was hinting more 
towards a separate stat analysis tool might have insecurity woes and 
that should not be run on the production box.

I prefer[1] to have a separate collector daemon, Phil's preference is 
to get unbound to do it as it arguably has already done 80% of the leg 
work.

Cheers

[1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?

-- 
Alexander Clouter
.sigmonster says: pain, n.:
                  One thing, at least it proves that you're alive!