2012/8/22, Gabriel Kihlman <g...@stacken.kth.se>:
> Chris Cappuccio <ch...@nmedia.net> writes:
>
>> I don't think the in-tree bind supports dnssec.
>
> Just for the archives; it does, I am using it.

It does not support NSEC3 records, which in today's world can result in bad queries (there's a hash inside of a readable domain name) and consequently in someone's website being inaccessible. There's a reason BIND is being updated, but unfortunately more reasons why it's not done so in OpenBSD base. Most of them have a CVE article already.

If I were you, I'd consider BIND in our base as a legacy option and go straight for NSD. Seriously, it's just a matter of time before someone in your network notices this and will wonder why some websites load and others not.

--
Martin Pelikan