[Unbound-users] [wishlist] unbound vs djbdns

Alexander Clouter alex at digriz.org.uk
Tue Jun 14 19:36:56 UTC 2011

Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
> > > For security reasons, you shouldn't really parse traffic on a 
> > > production system, though you could write the logfile and do so 
> > > offline.
> > ...which would be a good reason for unbound to do the logging 
> > itself. Unbound has already parsed the DNS packet, by necessity.
> I don't understand this logic. For "security reason" one should not 
> parse traffic on the production box, but it is OK that unbound (that 
> is in prduction on this box) does parse it?
Unbound has already parsed the DNS payload so the security reason is 
probably moot at that point.  I think $poster[-2] was hinting more 
towards a seperate stat analysis tool might have insecurity woes and 
that should not be run on the production box.

I prefer[1] to have a seperator collector daemon, Phil's preference is 
to get unbound to do it as it argubly has already done 80% of the leg 


[1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?

Alexander Clouter
.sigmonster says: pain, n.:
                  	One thing, at least it proves that you're alive!

More information about the Unbound-users mailing list