On Thu, May 22, 2008 at 08:13:03AM -0400, Steve Bertrand wrote:
>
> >>The "match-destination" inspects the DNS address used by the client to
> >>query to determine which view to use. Would this suit your purpose?
>
> Well, yes, it would suit the purpose, but my fear was exactly that of
> what Matthew states below about 'leaking'.
>
> >I believe that the problem is this: even if configured to be an
> >authoritative server, BIND will respond to a query about zones
> >outside what it has authoritative data for with data from its cache
> >if that data is present. As there is only one cache per instance of
> >BIND, enabling any sort of recursive capability on a server that is
> >otherwise meant to be entirely authoritative can lead to data leaking
> >between the authoritative and recursive parts. This opens up the
> >possibility of tricking a server into caching false data and responding
> >with it as if it was authoritative.

If this were true, the "view" feature would be broken. I've just tried
this with a client-based ACL, and there doesn't appear to be any
cache-leaking across views. Any counter-examples would be welcome.

Cheers.
--
Jonathan Chen <[EMAIL PROTECTED]>
----------------------------------------------------------------------
Experience is a hard teacher because she gives the test first,
the lesson afterwards
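
A named.conf layout for the split discussed in this thread, added here as an example and not taken from any poster's configuration. In BIND 9 each view keeps its own cache, so the recursive view's cached data is not visible to queries answered by the authoritative view. The addresses, ACL name, zone name and file paths are constructed placeholders.

```conf
// Constructed example: addresses, ACL name, zone and file paths are placeholders.
acl "lan" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; 192.0.2.53; 198.51.100.53; };
};

// Recursive service: only LAN clients that query the internal addresses.
// Answers looked up here are cached in this view only.
view "resolver" {
    match-clients      { "lan"; };
    match-destinations { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    allow-recursion    { "lan"; };

    zone "." { type hint; file "named.root"; };
};

// Authoritative service: any client that queries the public address.
// No recursion and no answers from cache, only data from the zones below.
view "authoritative" {
    match-clients      { any; };
    match-destinations { 198.51.100.53; };
    recursion no;
    allow-query-cache  { none; };

    zone "example.org" { type master; file "master/example.org.db"; };
};
```

To check for leakage, resolve an outside name through the internal address, then ask the public address for the same name with `dig +norecurse`; the second query should not be answered from the resolver view's cache.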