2012/8/22, Gabriel Kihlman <[email protected]>:
> Chris Cappuccio <[email protected]> writes:
>
>> I don't think the in-tree bind supports dnssec.
>
> Just for the archives; it does, I am using it.
It does not support NSEC3 records, which in today's world can result in bad queries (there's a hash inside of a readable domain name) and consequently in someone's website being inaccessible.

There's a reason BIND is being updated, but unfortunately more reasons why it's not done so in OpenBSD base. Most of them have a CVE article already.

If I were you, I'd consider BIND in our base as a legacy option and go straight for NSD. Seriously, it's just a matter of time before someone in your network notices this and will wonder why some websites load and others don't.

-- 
Martin Pelikan

