On Mon, Jan 20, 2014 at 05:15:24PM +0000, Nick Hilliard wrote:
> On 20/01/2014 17:12, Simon Perreault wrote:
> > IIRC, recent versions of BIND open a socket per address on IPv4
>
> this feature was one of the main reasons I stopped using BIND. It has the
> side effect that you cannot necessarily set it up on a system which shares
> IP addresses using e.g. VRRP, because you cannot be guaranteed that the
> system will have the virtual IP address configured at the time that BIND
> starts. Frustrating.
That has a reason: after the Kaminsky attacks, people looked at how they could get more entropy into DNS requests, and one thing is to spread the DNS requests over each address family's possible IPs, each with randomized ports. It's not only BIND which behaves like that; IIRC unbound does this too.

Greetings,
Hannes
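To make both points of the exchange concrete (one UDP socket per local address with its own source port, and the bind failing when a VRRP virtual address is not yet configured), here is an added Python example; it is not code from the thread, from BIND or from unbound. 192.0.2.1 (TEST-NET-1) is a constructed stand-in for an unassigned virtual IP, and the entropy helper assumes a 16-bit transaction ID and a 1024-65535 source-port range.

```python
import errno
import math
import socket

# Constructed sample: loopback is always configured; 192.0.2.1 stands in for a
# VRRP virtual IP that has not (yet) been assigned to this host.
SAMPLE_ADDRESSES = ["127.0.0.1", "192.0.2.1"]


def open_query_sockets(addresses):
    """Bind one UDP socket per address, as a per-address resolver does.

    Port 0 asks the kernel for an ephemeral port, so every address ends up
    with its own source port. Returns {address: port} for successful binds
    and {address: errno name} for addresses the host does not currently own.
    """
    result, sockets = {}, []
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind((addr, 0))
        except OSError as e:
            # EADDRNOTAVAIL: the address is on no interface right now, which is
            # the start-up race with a shared (VRRP) address from the thread.
            result[addr] = errno.errorcode.get(e.errno, str(e.errno))
            s.close()
            continue
        sockets.append(s)
        result[addr] = s.getsockname()[1]
    for s in sockets:
        s.close()
    return result


def count_bound(result):
    """Number of addresses that actually got a socket."""
    return sum(1 for v in result.values() if isinstance(v, int))


def entropy_bits(n_addresses, port_range=64512, txid_bits=16):
    """Bits an off-path forger must guess to match one outstanding query.

    Assumed model: transaction ID, source port and source address are all
    drawn uniformly, so their entropies simply add (64512 = ports 1024-65535).
    """
    return txid_bits + math.log2(port_range) + math.log2(n_addresses)


if __name__ == "__main__":
    for addr, outcome in open_query_sockets(SAMPLE_ADDRESSES).items():
        print(addr, "->", outcome)
    print("fixed port, 1 address :", round(entropy_bits(1, 1), 2), "bits")
    print("random port, 1 address:", round(entropy_bits(1), 2), "bits")
    print("random port, 4 addresses:", round(entropy_bits(4), 2), "bits")
```

Spreading queries over four source addresses adds exactly two bits on top of port randomization, which is why a resolver wants a socket on every address it owns.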
