Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Leen Besselink
Wed Jun 15 10:04:46 CEST 2011


On 06/14/2011 09:36 PM, Alexander Clouter wrote:
> Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
>>>> For security reasons, you shouldn't really parse traffic on a 
>>>> production system, though you could write the logfile and do so 
>>>> offline.
>>    
>>> ...which would be a good reason for unbound to do the logging 
>>> itself. Unbound has already parsed the DNS packet, by necessity.
>> I don't understand this logic. For "security reason" one should not 
>> parse traffic on the production box, but it is OK that unbound (that 
>> is in production on this box) does parse it?
>>
> Unbound has already parsed the DNS payload so the security reason is 
> probably moot at that point.  I think $poster[-2] was hinting more 
> towards a separate stat analysis tool might have insecurity woes and 
> that should not be run on the production box.
>
> I prefer[1] to have a separate collector daemon, Phil's preference is 
> to get unbound to do it as it arguably has already done 80% of the leg 
> work.
>

Can't we have unbound push logging information to a separate process
or something like that which handles the logging (which does no parsing).

That is what djbdns with daemontools probably does too, I would expect.

> Cheers
>
> [1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?
>
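The split Leen sketches above (the resolver hands lines to a collector that stores them without interpreting anything, and all parsing happens later, offline) can be shown with nothing but POSIX sh and awk. This is an added example, not code from this thread, from Unbound or from djbdns. The sample log lines are constructed here in the shape of Unbound's `log-queries` output (`info: <client> <qname> <qtype> <qclass>` after the timestamp and pid prefix); the exact prefix layout is an assumption, which is why the analysis step picks the type and class fields from the right-hand end of the line.

```shell
#!/bin/sh
# Added example (not from the thread, Unbound or djbdns): the logging
# split discussed above, in two roles.
#
# collect_raw      - the separate process on the other end of the daemon's
#                    stdout/stderr pipe.  It appends every line untouched
#                    and never looks inside the data, so nothing in a query
#                    name can influence it.  In a daemontools setup this
#                    role is played by multilog reading the service's stdout.
# summarize_qtypes - the analysis step, run later over the saved file
#                    (ideally on another machine).  This is the only place
#                    where log content is parsed.

collect_raw() {
    # $1 = file to append to.  Verbatim copy of stdin, no interpretation.
    cat >> "$1"
}

summarize_qtypes() {
    # $1 = saved log file.  Emits "QTYPE COUNT" lines, sorted.
    # Assumption: on query lines the last two fields are <qtype> <qclass>,
    # so the type is taken as $(NF-1) regardless of how long the prefix is.
    awk '$0 ~ / info: / && NF >= 4 { n[$(NF-1)]++ }
         END { for (t in n) print t, n[t] }' "$1" | LC_ALL=C sort
}

# Constructed sample in the shape of Unbound log-queries output.  The last
# line is a non-query notice and must be ignored by the analysis.
SAMPLE='[1308129886] unbound[1234:0] info: 192.0.2.10 www.example.com. A IN
[1308129887] unbound[1234:0] info: 192.0.2.11 example.net. AAAA IN
[1308129887] unbound[1234:0] info: 192.0.2.10 mail.example.com. MX IN
[1308129888] unbound[1234:0] info: 192.0.2.12 ftp.example.com. A IN
[1308129889] unbound[1234:0] notice: init module 0: validator'

demo() {
    # Stand-alone run: "collect" the sample, then analyse the stored copy.
    f=$(mktemp)
    printf '%s\n' "$SAMPLE" | collect_raw "$f"
    summarize_qtypes "$f"
    rm -f "$f"
}

demo
```

In a daemontools service directory the same arrangement is `exec 2>&1` followed by `exec unbound -d -c /etc/unbound/unbound.conf` in `run`, and `multilog` in `log/run`; Unbound writes to stderr when `use-syslog: no` and `logfile: ""` are set, and `log-queries: yes` produces one line per query. The collector then stores bytes and the parsing moves to whatever reads the archived logs afterwards.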