allow query / allow recursion confusion
Clenna Lumina
savagebeaste at yahoo.com
Fri Jun 22 03:38:28 UTC 2007
Kal Feher wrote:
> The allow-query behaviour changed with 9.4
> Allow-query-cache was added and is specific to the cache.
> I note you tested on 9.3, I dont believe the statement
> allow-query-cache was available on that release, hence your counter
> intuitive results.
How are my results counter-intuitive? They were exactly as expected and
with one line of code (per view.)
You really avoided my question too. My examples (below, quoted)
demonstrate that the "recursion: no;" does stop cached queries as well,
so this seems far cleaner than having allow-query and allow-query-cache
at the same time.
And before you say it, yes, "recursion: " is different as it doesn't use
ACLs, unless you count "match-clients: " (ie, in a "view"), so it can be
used in virtually the same way as allow-query[-cache] without having to
use two statements.
I just want to know what is so wrong with my approach?
--
CL
> On 22/6/07 10:09 AM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>
>> Kal Feher wrote:
>>> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>>>
>>>>
>>>> Doesn't setting
>>>>
>>>> recursion no;
>>>>
>>>> do that too?
>>> No, I'll elaborate below from the 9.4 ARM:
>>>
>>> "allow-recursion
>>>
>>> Note that disallowing recursive queries for a host does not prevent
>>> the host from retrieving data that is already in the server's
>>> cache."
>>>
>>> and
>>>
>>> "recursion
>>>
>>> Note that setting recursion no does not prevent clients from
>>> getting data from the server's cache; it only prevents new data from
>>> being cached as an effect of client queries. Caching may still occur
>>> as an effect the server's internal operation, such as NOTIFY address
>>> lookups."
>>>
>>> So we now use:
>>>
>>> "allow-query-cache
>>>
>>> Specifies which hosts are allowed to get answers from the cache.
>>> The default is the builtin acls localnets and localhost. "
>>>
>>
>> Sorry, I should have been more clear. Using "recursion no;" in the scope
>> of a "view" seems to prevent _any_ recursive queries.
>>
>> * * *
>>
>> I even did a test using my bind 9.3.4 server that masters some zones.
>>
>> From a remote ssh connection, I queried my server:
>>
>> 1) Queried one of the zones it's authoritative for. Ok, that works.
>>
>> 2) Queried yahoo.com, got back a list of root servers (dig), nothing
>> more.
>>
>> 3a) on a local console, queried yahoo.com against the same bind
>> server, got 2 IPs for yahoo.com, 7 NS's (2 of which return A records
>> in the ADDITIONAL field.)
>>
>> 3b) sent the same query again from the remote console for yahoo.com,
>> got a list of root servers from dig again, nothing changed.
>>
>> And yes that name server (Bind 9.3.4) uses views, only allowing the
>> internal view to issue recursive queries (recursion yes;) while the
>> external only allows querying of zones the server is authoritative for
>> (recursion no;)
>>
>> * * *
>>
>> Works like a charm, nothing is taken from cache, so can you please
>> clarify how one would be able to get something out of my cache (like
>> google.com, etc) ?
>
> --
> Kal Feher
--
CL
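For readers following the thread, here is an added named.conf sketch (not posted by either participant) that puts the two mechanisms side by side on BIND 9.4 or later: a "recursion no;" external view as in the 9.3.4 test above, plus the explicit "allow-query-cache { none; };" that the 9.4 ARM quotes say is what actually closes the cache. The ACL addresses, zone name and file paths are placeholders.

```conf
// Added example, not from the thread. BIND 9.4+ syntax; the
// allow-query-cache statement is unknown to 9.3 and named will
// refuse such a file there.
acl internal {
    127.0.0.0/8;
    192.0.2.0/24;                 // placeholder for the internal network
};

options {
    directory "/var/named";       // placeholder
    allow-query { none; };        // nothing by default; each view opens up
};

// Internal clients: full recursive resolver, cache readable.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };   // who may read answers from the cache

    zone "example.com" {
        type master;
        file "master/example.com.internal.db";   // placeholder
    };
};

// Everyone else: authoritative-only.
view "external" {
    match-clients { any; };
    recursion no;                      // no lookups on their behalf
    allow-recursion { none; };
    allow-query-cache { none; };       // and nothing already in the cache
    allow-query { any; };              // the served zones stay public

    zone "example.com" {
        type master;
        file "master/example.com.external.db";   // placeholder
    };
};
```

Run named-checkconf on the file before reloading. To check the behaviour the thread is arguing about, resolve a name outside your zones from an internal address first (so it lands in the cache), then query the same name from an address that matches only the "external" view: it should not come back with the cached answer the internal client received. Setting allow-query-cache explicitly in every view avoids depending on the version-specific defaults that this thread shows people tripping over.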