On 06/14/2011 09:36 PM, Alexander Clouter wrote:
> Jaap Akkerhuis <[email protected]> wrote:
>>>> For security reasons, you shouldn't really parse traffic on a
>>>> production system, though you could write the logfile and do so
>>>> offline.
>>
>>> ...which would be a good reason for unbound to do the logging
>>> itself. Unbound has already parsed the DNS packet, by necessity.
>> I don't understand this logic. For "security reason" one should not
>> parse traffic on the production box, but it is OK that unbound (that
>> is in production on this box) does parse it?
>>
> Unbound has already parsed the DNS payload so the security reason is
> probably moot at that point. I think $poster[-2] was hinting more
> towards a separate stat analysis tool might have insecurity woes and
> that should not be run on the production box.
>
> I prefer[1] to have a separate collector daemon, Phil's preference is
> to get unbound to do it as it arguably has already done 80% of the leg
> work.
>
Can't we have unbound push logging information to a separate process or
something like that which handles the logging (which does no parsing)?
That is what djbdns with daemontools probably does too, I would expect.

> Cheers
>
> [1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
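The "separate collector" design discussed in this thread, as an added example that is not part of the original message and is not unbound's own code: unbound only writes query log lines, and a second, unprivileged process fed through a pipe does the parsing and counting. The line format below is an assumption about what unbound emits with `log-queries: yes` and `use-syslog: no` (timestamp, process id, client address, qname, qtype, qclass); the sample log lines are constructed, not captured traffic. Lines that do not look like a query record (service messages, garbage) are counted but never crash the collector, which is the point of keeping this logic out of the resolver.

```python
"""Stand-alone unbound query-log collector (added example, not unbound code).

Assumed input format (unbound with ``log-queries: yes``, ``use-syslog: no``):

    [1308086160] unbound[1234:0] info: 127.0.0.1 example.com. A IN

Intended to run as a separate, unprivileged process, e.g.:

    tail -F /var/log/unbound.log | python3 collector.py

so that unbound itself never has to keep per-query counters and a bug in
the parsing code below cannot affect the resolver.
"""
import re
import sys
from collections import Counter

# Assumed log-queries line shape.  The class is restricted to real DNS
# classes so that other "info:" lines (service start, etc.) do not match.
QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>IN|CH|HS|ANY)$"
)


def parse_line(line):
    """Return (client, qname, qtype) for a query record, or None otherwise."""
    m = QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # DNS names are case-insensitive; normalise so EXAMPLE.COM. and
    # example.com. are counted together.
    return m.group("client"), m.group("qname").lower(), m.group("qtype")


def collect(lines):
    """Aggregate an iterable of log lines into simple counters."""
    stats = {
        "qtype": Counter(),
        "qname": Counter(),
        "client": Counter(),
        "unparsed": 0,
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            stats["unparsed"] += 1  # keep going; never trust the input
            continue
        client, qname, qtype = parsed
        stats["qtype"][qtype] += 1
        stats["qname"][qname] += 1
        stats["client"][client] += 1
    return stats


def top_names(stats, n=3):
    """Most frequently queried names as a list of (qname, count)."""
    return stats["qname"].most_common(n)


# Constructed sample input (not real traffic); includes a non-query
# service line and a garbage line to show the collector tolerates them.
SAMPLE_LOG = [
    "[1308086160] unbound[1234:0] info: 127.0.0.1 example.com. A IN",
    "[1308086161] unbound[1234:0] info: 127.0.0.1 www.example.com. AAAA IN",
    "[1308086162] unbound[1234:0] info: 192.0.2.10 EXAMPLE.COM. A IN",
    "[1308086163] unbound[1234:0] info: start of service (unbound).",
    "this is not a log line at all",
    "[1308086164] unbound[1234:0] info: 192.0.2.10 example.com. A IN",
]


def main():
    """Read log lines from stdin (the pipe from tail -F) and print a summary."""
    stats = collect(sys.stdin)
    print("queries by type:", dict(stats["qtype"]))
    print("top names:", top_names(stats))
    print("unparsed lines:", stats["unparsed"])


if __name__ == "__main__":
    main()
```

Because the collector reads from a pipe and runs under its own user, it can be given no more privilege than reading the log, and a malformed or hostile qname in the log only affects the collector's counters, never the resolver.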
