Created attachment 208727
Let's add new option ACCFDNS to the port dns/bind914 that allows BIND to prefer accf_dns over accf_data, if accf_dns is available. The patch was submitted upstream by David Malone 7 years ago but ignored:
The option is disabled by default, so the default build is not affected and PORTREVISION is not changed.
Created attachment 208728
I do not think this is a good idea. DNS is hard, and I do not feel confident about anything other than BIND9 deciding whether what it receives is a valid DNS packet.
The option is disabled by default, why don't we add it for users that know what they do?
Is this relevant for dns/bind916 too?
(In reply to Rene Ladan from comment #4)
It is relevant for bind916 even more, because this version disabled usage of the dataready accept filter too. However, the patch needs correction. I can correct it if the maintainer is willing to accept the idea.
I've always had the options in my kernels, unsure if it truly was deployed by vendors. My guess about that turns out to be correct.
In the 9.14 case it looked like an improvement.
But in the 9.16 case... why was accf_data dropped?
My thought is it maybe is better to patch this upstream, at ISC.
So, in the days when Paul Vixie still had an email address ending in isc.org, he wrote "acceptfilter(9) is almost ideal. accf_dns(9) would be even better".
Makes me wonder even more: why was it never adopted / always ignored?
Committed to 9.11, 9.14 was removed, and in 9.16, the socket code was rewritten and the accept filters are no longer used. (They are in a #if 0 section of the code.)
A commit references this bug:
Date: Wed Aug 26 13:32:33 UTC 2020
New revision: 546284
Add an option to use the DNS accept filter if available.
Submitted by: eugen