On Tue, Jul 30, 2013, at 7:45, Garrett Wollman wrote:
>
> There are plenty of situations in which a remote recursive resolver is
> untrustworthy. (Some would say any situation.) It doesn't have to be
> BIND, but people do legitimately want the normal DNS diagnostic
> utilities, which sadly have been tied together with BIND for some
> years now. (I don't know why anyone would ever use nslookup(1), but
> host(1) and dig(1) are pretty much essential.)
>
If you're that paranoid about a remote resolver you'd have to be paranoid about someone doing a MITM on your DNS lookups altogether, since even having your own local recursor can't protect you from that as 99% of the web doesn't use DNSSEC. This will quickly turn into a security yak-shaving contest, but I completely understand your viewpoint. I'd vote for keeping the bind utilities in base; I use them every day. The ones provided with unbound work well, but finger memory...
