[Unbound-users] [wishlist] unbound vs djbdns
Leen Besselink
leen at consolejunkie.net
Wed Jun 15 08:04:46 UTC 2011
On 06/14/2011 09:36 PM, Alexander Clouter wrote:
> Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
>>>> For security reasons, you shouldn't really parse traffic on a
>>>> production system, though you could write the logfile and do so
>>>> offline.
>>
>>> ...which would be a good reason for unbound to do the logging
>>> itself. Unbound has already parsed the DNS packet, by necessity.
>> I don't understand this logic. For "security reason" one should not
>> parse traffic on the production box, but it is OK that unbound (that
>> is in production on this box) does parse it?
>>
> Unbound has already parsed the DNS payload so the security reason is
> probably moot at that point. I think $poster[-2] was hinting more
> towards a separate stat analysis tool might have insecurity woes and
> that should not be run on the production box.
>
> I prefer[1] to have a separate collector daemon, Phil's preference is
> to get unbound to do it as it arguably has already done 80% of the leg
> work.
>
Can't we have unbound push logging information to a separate process
or something like that which handles the logging (which does no parsing).
That is what djbdns with daemontools probably does too, I would expect.
> Cheers
>
> [1] BIND9 was all the rage, then djbdns, now unbound, tomorrow?
>
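The split proposed above, as an added example (not code from unbound or from anyone on this thread): the resolver side writes already-decoded query fields to a pipe, and a separate collector aggregates them without ever touching DNS wire format. The tab-separated record layout, the field set and the `emit_record`/`collect` functions are assumptions made for this example, and the sample traffic is constructed.

```python
import collections
import io
import re

# Record format is a constructed assumption for this example, not unbound's:
# one query per line, tab-separated fields client_ip, qname, qtype, rcode.
QNAME_RE = re.compile(r"^(?:[A-Za-z0-9_-]{1,63}\.)+$")  # FQDN with trailing dot
TOKEN_RE = re.compile(r"^[A-Z0-9]{1,10}$")              # qtype / rcode mnemonic

def emit_record(out, client, qname, qtype, rcode):
    # Resolver side: the packet is already decoded here, so only the decoded
    # fields cross the process boundary; no DNS wire data leaves the resolver.
    out.write(f"{client}\t{qname}\t{qtype}\t{rcode}\n")

def collect(stream):
    # Collector side: aggregates pre-decoded fields and never sees a DNS
    # packet. Lines that do not match the expected shape are only counted,
    # so malformed input never reaches any parsing logic.
    stats = {"queries": 0, "malformed": 0,
             "by_qtype": collections.Counter(), "by_rcode": collections.Counter(),
             "top_names": collections.Counter()}
    for line in stream:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            stats["malformed"] += 1
            continue
        _client, qname, qtype, rcode = fields
        if not (QNAME_RE.match(qname) and TOKEN_RE.match(qtype) and TOKEN_RE.match(rcode)):
            stats["malformed"] += 1
            continue
        stats["queries"] += 1
        stats["by_qtype"][qtype] += 1
        stats["by_rcode"][rcode] += 1
        stats["top_names"][qname.lower()] += 1
    return stats

def demo():
    # Constructed sample traffic standing in for what the resolver would emit,
    # plus two deliberately bad lines to show the collector rejecting them.
    pipe = io.StringIO()
    emit_record(pipe, "192.0.2.10", "example.com.", "A", "NOERROR")
    emit_record(pipe, "192.0.2.11", "Example.COM.", "AAAA", "NOERROR")
    emit_record(pipe, "192.0.2.12", "nx.example.net.", "A", "NXDOMAIN")
    pipe.write("garbage line with no tabs\n")
    pipe.write("192.0.2.13\tbad name!.\tA\tNOERROR\n")
    pipe.seek(0)
    return collect(pipe)
```

In a real deployment the `io.StringIO` stands in for a pipe or socket between the two processes; the collector can then run unprivileged and in a different security domain from the resolver.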