On Thu, May 22, 2008 at 08:13:03AM -0400, Steve Bertrand wrote:
> 
> >>The "match-destination" inspects the DNS address used by the client to
> >>query to determine which view to use. Would this suit your purpose?
> 
> Well, yes, it would suit the purpose, but my fear was exactly that of 
> what Matthew states below about 'leaking'.
> 
> >I believe that the problem is this: even if configured to be an
> >authoritative server, BIND will respond to a query about zones
> >outside what it has authoritative data for with data from its cache
> >if that data is present.  As there is only one cache per instance of
> >BIND, enabling any sort of recursive capability on a server that is
> >otherwise meant to be entirely authoritative can lead to data leaking
> >between the authoritative and recursive parts.  This opens up the
> >possibility of tricking a server into caching false data and responding
> >with it as if it was authoritative.

If this were true, the "view" feature would be broken. I've just tried
this with a client-based ACL, and there doesn't appear to be any
cache-leaking across views. Any counter-examples would be welcome.

Cheers.
-- 
Jonathan Chen <[EMAIL PROTECTED]>
----------------------------------------------------------------------
                                          Experience is a hard teacher
               because she gives the test first, the lesson afterwards
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
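
Added example, not part of the original message or of BIND: a small Python probe for the cross-view test discussed in the thread. It sends a non-recursive query for a name outside the server's zones to one listening address and reports whether an answer came back from cache; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x4242):
    """Non-recursive (RD=0) query: only local zone data or cache can answer it."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Classify a reply for a name the probed view is NOT authoritative for."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode, aa, ra = flags & 0x000F, bool(flags & 0x0400), bool(flags & 0x0080)
    if rcode == 5:
        verdict = "refused"            # nothing served from cache
    elif rcode == 0 and ancount and not aa:
        verdict = "cache-answer"       # non-authoritative data served: the leak
    elif rcode == 0 and ancount:
        verdict = "authoritative-answer"
    else:
        verdict = "no-answer"          # referral, NXDOMAIN, SERVFAIL, ...
    return {"verdict": verdict, "rcode": rcode, "aa": aa, "ra": ra}

def probe(server_ip, name, timeout=3.0):
    """Send the query to one listening address of the server under test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed sample replies (not captured traffic) for www.example.org A.
_QUESTION = build_query("www.example.org")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x4242, 0x8005, 1, 0, 0, 0) + _QUESTION
SAMPLE_CACHED = (struct.pack("!HHHHHH", 0x4242, 0x8080, 1, 1, 0, 0) + _QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                 + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, msg in (("refused", SAMPLE_REFUSED), ("cached", SAMPLE_CACHED)):
        print(label, classify(msg))
```

To use it against your own server, first resolve the name through the recursive view so it is cached, then call `probe()` against the address served by the authoritative view; a `cache-answer` verdict there would be the counter-example asked for.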
