Multiple instances of BIND at startup

[Beat Siegenthaler]

Steve Bertrand wrote:
> 
> 
>> I believe that the problem is this: even if configured to be an
>> authoritative server, BIND will respond to a query about zones
>> outside what it has authoritative data for with data from its cache
>> if that data is present.  As there is only one cache per instance of
>> BIND, enabling any sort of recursive capability on a server that is
>> otherwise meant to be entirely authoritative can lead to data leaking
>> between the authoritative and recursive parts.  This opens up the
>> possibility of tricking a server into caching false data and responding
>> with it as if it was authoritative.

I cannot believe this, I want to research this myself (and the impact to 
my designs.

Maybe it is the time to give unbound a try:

[root at ATOM:/usr/ports/dns/unbound] # cat pkg-descr
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
     * A validating recursive DNS resolver.
     * Code diversity in the DNS resolver monoculture.
     * Drop-in replacement for BIND apart from config.
     * DNSSEC support.
     * Fully RFC compliant.
     * High performance
           o even with validation.
     * Used as
           o stub resolver.
           o full caching name server.
           o resolver library.
     * Elegant design of validator, resolver, cache modules.
           o provide the ability to pick and choose modules.
     * Robust.
     * In C, open source: The BSD license.
     * Smallest as possible component that does the job.
     * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
     * An authoritative name server.
     * Too many Features.

WWW: http://unbound.net