On 2 August 2016 at 19:50, Evan Hunt <e...@isc.org> wrote:

> On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> > Yes it will.  But, as far as I understand, it uses the recursive code
> paths
> > to do that, and won't consult resolv.conf.  Yes?
>
> Correct. However, an option to use the system resolver for this instead
> is a feature request we've been considering.
>
> The reason: Whenever we find a security bug that affects recursive
> operation only, someone who runs an auth-only server inevitably asks
> whether their system is affected, and we always have to say, "well,
> *probably* not, but recursive code *is* sometimes used in authoritative
> servers in order to blah blah etc" and it might be nice to just say no.
>

I'd suggest another reason:  the auth server should be subject to the same
resolution path/rules as other software in the network.  If, for example,
I've got some resolution exception configured in my local recursive servers
(such as a per-zone forwarding rule) it seems likely I'd want the
authoritative server to follow that without having to also configure it
into the authoritative server.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to