[Unbound-users] [wishlist] unbound vs djbdns
Alexander Clouter
alex at digriz.org.uk
Tue Jun 14 19:36:56 UTC 2011
Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
>
> > > For security reasons, you shouldn't really parse traffic on a
> > > production system, though you could write the logfile and do so
> > > offline.
>
> > ...which would be a good reason for unbound to do the logging
> > itself. Unbound has already parsed the DNS packet, by necessity.
>
> I don't understand this logic. For "security reason" one should not
> parse traffic on the production box, but it is OK that unbound (that
> is in production on this box) does parse it?
>
Unbound has already parsed the DNS payload so the security reason is
probably moot at that point. I think $poster[-2] was hinting more
towards a separate stat analysis tool might have insecurity woes and
that should not be run on the production box.
I prefer[1] to have a separate collector daemon, Phil's preference is
to get unbound to do it as it arguably has already done 80% of the leg
work.
Cheers
[1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?
--
Alexander Clouter
.sigmonster says: pain, n.:
One thing, at least it proves that you're alive!
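As an added illustration of the "separate collector daemon" design discussed in this message (this is example code written for this page, not part of the thread, of unbound, or of any stats tool mentioned), below is a small offline collector that reads an unbound query log and aggregates counts per query type, client and name. The log line layout it expects (`[epoch] unbound[pid:tid] info: client qname qtype qclass`, as produced by `log-queries: yes` without syslog) and the sample lines are assumptions constructed for the example; the point is that the parser runs outside the resolver, rejects anything that does not match a strict pattern, and caps line length, so a malformed or hostile line degrades into a counter rather than a crash on the production box.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Assumed line shape of unbound's query log (log-queries: yes, use-syslog: no):
#   [<epoch>] unbound[<pid>:<tid>] info: <client-ip> <qname> <qtype> <qclass>
# This layout is an assumption made for the example, not taken from the thread.
QUERY_LINE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>[0-9a-fA-F.:]+) (?P<qname>[A-Za-z0-9.\-_]+) "
    r"(?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)$"
)

# Anything longer than this is not a sane query line; refuse it before regex work.
MAX_LINE_LEN = 512

# Constructed sample log (not real traffic). It deliberately contains one
# line that is not a query record, which an offline collector must tolerate.
SAMPLE_LOG = """\
[1308079016] unbound[2175:0] info: 192.0.2.10 example.com. A IN
[1308079017] unbound[2175:0] info: 192.0.2.10 example.com. AAAA IN
[1308079018] unbound[2175:0] info: 192.0.2.11 www.example.net. A IN
garbage that is not a query line at all
[1308079019] unbound[2175:0] info: 2001:db8::5 example.com. MX IN
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one query-log line, or None if it is not
    a well-formed query record. Nothing else is accepted."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_LINE_LEN:
        return None
    m = QUERY_LINE.match(line)
    return m.groupdict() if m else None


def collect(lines: Iterable[str]) -> Dict[str, object]:
    """Aggregate per-qtype, per-client and per-qname counts from log lines.
    Malformed lines are counted, not raised, so a bad line cannot stop the run."""
    stats: Dict[str, object] = {
        "queries": 0,
        "malformed": 0,
        "by_qtype": Counter(),
        "by_client": Counter(),
        "by_qname": Counter(),
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1
            continue
        stats["queries"] += 1
        stats["by_qtype"][rec["qtype"]] += 1
        stats["by_client"][rec["client"]] += 1
        stats["by_qname"][rec["qname"].lower()] += 1
    return stats


def collect_file(path: str) -> Dict[str, object]:
    """Run the collector over a log file on disk, streaming line by line."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return collect(fh)


if __name__ == "__main__":
    s = collect(SAMPLE_LOG.splitlines())
    print(f"queries={s['queries']} malformed={s['malformed']}")
    for name in ("by_qtype", "by_client", "by_qname"):
        print(name, dict(s[name].most_common()))
```

The collector is meant to be run as an unprivileged user against a copied or rotated log, which is what the "parse the logfile offline" suggestion in the quoted text amounts to; the resolver itself never executes any of this code.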