On 2 August 2016 at 19:50, Evan Hunt <e...@isc.org> wrote:

> On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> > Yes it will. But, as far as I understand, it uses the recursive code paths
> > to do that, and won't consult resolv.conf. Yes?
>
> Correct. However, an option to use the system resolver for this instead
> is a feature request we've been considering.
>
> The reason: Whenever we find a security bug that affects recursive
> operation only, someone who runs an auth-only server inevitably asks
> whether their system is affected, and we always have to say, "well,
> *probably* not, but recursive code *is* sometimes used in authoritative
> servers in order to blah blah etc" and it might be nice to just say no.
>

I'd suggest another reason: the auth server should be subject to the same resolution path/rules as other software in the network. If, for example, I've got some resolution exception configured in my local recursive servers (such as a per-zone forwarding rule) it seems likely I'd want the authoritative server to follow that without having to also configure it into the authoritative server.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users