Date:      Fri, 06 Dec 2013 23:17:45 -0800
From:      Darren Pilgrim <list_freebsd@bluerosetech.com>
To:        Mark Andrews <marka@isc.org>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <52A2CB99.5050900@bluerosetech.com>
In-Reply-To: <20131206223300.89253B55861@rock.dv.isc.org>
References:  <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org>

On 12/6/2013 2:33 PM, Mark Andrews wrote:
> In message <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com>,
> Mark Felder writes:
>> On Fri, Dec 6, 2013, at 16:00, Mark Andrews wrote:
>>>
>>> But they should all be running a recursive validating resolver on
>>> every box.
>>
>> Are you *really* suggesting that I should run a recursive validating
>> server on every single server I admin?
>
> I'm suggesting that it should be run on *every* machine in the
> world, until all the applications that use data from the DNS have
> been upgraded to validate the data they get from the DNS, need to
> be running a validating resolver.

Yes, everything needs a validating resolver; but everything only needs 
something behind getaddrinfo() that validates the responses provided by 
the servers listed in /etc/resolv.conf.  BIND and Unbound do not operate 
as forwarding servers by default and we really do not want everything 
running its own root-hinted resolver.
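
Added example, not part of the original message or of any project's shipped configuration: an unbound.conf sketch of the arrangement described above, a per-host resolver that validates DNSSEC itself but forwards every query to the site's existing resolvers instead of iterating from the root hints. The forwarder addresses (192.0.2.53, 192.0.2.54) are documentation placeholders and the trust-anchor path is an assumption; adjust both for the host.

```conf
# Local validating forwarder (illustrative; addresses and paths are assumptions).
server:
    # Listen on loopback only; this instance serves the local host alone.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # Validate locally rather than trusting the upstream's AD bit.
    module-config: "validator iterator"
    # Assumed location of the RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Treat responses with DNSSEC records stripped as bogus, so an
    # upstream that drops RRSIGs fails closed instead of downgrading.
    harden-dnssec-stripped: yes

# Send everything to the resolvers that used to be in /etc/resolv.conf.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53    # placeholder: site resolver 1
    forward-addr: 192.0.2.54    # placeholder: site resolver 2
    # Do not fall back to root-hinted iteration if the forwarders fail.
    forward-first: no

# /etc/resolv.conf on the host then contains only:
#   nameserver 127.0.0.1
```

The upstream resolvers must return DNSSEC records (RRSIG, DNSKEY, DS) when asked, otherwise validation of signed zones fails at the local instance.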
