On 2010/08/16 08:46, Nicholas Marriott wrote:
> cvsps is absolutely invaluable for this sort of stuff.

it is, but our changes to BIND are in areas which have seen quite a few
changes upstream.

> On Mon, Aug 16, 2010 at 08:12:53AM +0200, Denis Fondras wrote:
> > Hello,
> >
> > Following my previous message from July 18th, I am back to BIND as
> > my tests with nsd/unbound are not really conclusive (can't make both
> > work with only one IP and they don't support views).

single IP -> you could bind nsd to 127.0.0.1, and let unbound bind to
other addresses on the system. have unbound forward-zone the relevant
zones to the local nsd. or for simple setups, "local-zone" and
"local-data" might be enough. as always with this configuration, you
can end up serving bad data to resolver clients if a domain moves away
before you change config.

views -> it's a hack, but you can run multiple copies on alternative
ports and use PF to redirect users to the correct instance based on
source address.

> > So I rolled up my sleeves and started to port OpenBSD changes to
> > BIND-9.7.1-P2. Changing str-functions to strl-functions was the easy
> > part :)
> > Unfortunately, I have a hard time with privilege separation and
> > port randomization. In fact I don't know where to place them.
> > I made a diff between the OpenBSD version and BIND-9.4.2-P2 and tried to
> > port it to BIND-9.7.1-P2 but it seems there was a huge change in
> > socket and pidfile handling.
> >
> > Is anyone willing to help in understanding these changes?

unless you really understand the areas that have been modified in
OpenBSD I feel you would be better served by making a straight port of
a more recent bind 9. without full understanding, changes in this area
are more likely to weaken than strengthen things...
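The two workarounds suggested in the reply above (nsd on loopback with unbound forwarding to it, and PF redirecting internal clients to a second BIND instance in place of views), written out as added example configuration. This is not from the thread or from the nsd, unbound, BIND or PF projects; the addresses (192.0.2.0/24, 10.0.0.0/8), the zone example.org, the interface em0 and the port 5353 are all constructed, and the pf.conf fragment assumes the OpenBSD 4.7+ rdr-to syntax.

```conf
# ===== Scenario 1: one IP, nsd + unbound side by side =====

# --- /var/nsd/etc/nsd.conf (NSD 3 syntax): authoritative side, loopback only ---
server:
    ip-address: 127.0.0.1          # nsd owns 127.0.0.1:53 and nothing else
    port: 53
    hide-version: yes

zone:
    name: "example.org"            # constructed zone name
    zonefile: "example.org.zone"

# --- /var/unbound/etc/unbound.conf: recursive side, every other address ---
server:
    interface: 192.0.2.53          # constructed LAN-facing address; 127.0.0.1 deliberately absent
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # unbound refuses to send queries to loopback by default; without this the
    # forward-zone below has no usable upstream and lookups for the zone fail.
    do-not-query-localhost: no

    # "simple setups" alternative from the mail: no nsd at all, a few names
    # answered by unbound itself.
    local-zone: "internal.example.org." static
    local-data: "printer.internal.example.org. IN A 192.0.2.20"

# Hand the authoritative zone to the local nsd instead of recursing for it.
# This is the risk named in the mail: if example.org moves elsewhere, resolver
# clients keep receiving the local copy until this stanza is removed.
forward-zone:
    name: "example.org."
    forward-addr: 127.0.0.1

# ===== Scenario 2 (independent of scenario 1): two BIND instances instead of views =====

# --- /etc/pf.conf fragment (OpenBSD 4.7+ rdr-to syntax) ---
# Instance A serves the external view and listens on 192.0.2.53:53.
# Instance B serves the internal view with its own named.conf, e.g.
#   listen-on port 5353 { 127.0.0.1; };  plus its own pid-file and controls port.
# PF rewrites queries from the internal table to instance B before they reach A.
ext_if = "em0"
dns_addr = "192.0.2.53"
table <internal_clients> { 192.0.2.0/24, 10.0.0.0/8 }

pass in quick on $ext_if inet proto { tcp udp } from <internal_clients> \
    to $dns_addr port 53 rdr-to 127.0.0.1 port 5353
pass in quick on $ext_if inet proto { tcp udp } to $dns_addr port 53
```

Check scenario 1 from a LAN host with `dig @192.0.2.53 www.example.org` (answer comes via nsd) and `dig @192.0.2.53 printer.internal.example.org` (answer comes from local-data); check scenario 2 by issuing the same query from an address inside and outside the `<internal_clients>` table and comparing the answers. Both the PF redirect and BIND's own views trust the client's source address to pick the data set, so neither is stronger than the address filtering in front of the box; the redirect simply moves that decision from named.conf into pf.conf, where the existing `access-control`/filter rules already live.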