turning on recursion in bind 9.2.2 makes ssh login prompt slow
Kevin Darcy
kcd at chrysler.com
Thu Jan 17 00:45:46 UTC 2008
r37ribution at gmail.com wrote:
> Ok, awesome I made the change to named.root and it works great! Thank you so
> much everyone.
>
>> Alan Clegg wrote:
>> Note that since you are in a controlled environment, I'd recommend that
>> you could also become authoritative for the zones that the inverses are
>> being queried against...
>>
>> In other words: become the master of your domain. :)
>
> Please explain.
>
> When I run "dig +trace -x 209.85.137.83" I get the message below repeatedly
> until the "dig: Too many lookups" message:
> root@obms1-com-taylor-mi:/var/opt/dnsfiles# dig +trace -x 209.85.137.83
> ; <<>> DiG 9.2.2 <<>> +trace -x 209.85.137.83
> ;; global options: printcmd
> . 3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 78 bytes from 168.84.1.194#53(168.84.1.194) in 1 ms
> . 3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> . 3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> . 3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> [message repeats]...
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> . 3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> dig: Too many lookups
>
> I was hoping that if I post my named.conf and named.root if you see anything
> missing that should be there please let me know.
>
> named.root:
> .                                  3600000 IN NS obms1-com-taylor-mi.bms.n2bb.com.
> obms1-com-taylor-mi.bms.n2bb.com.  3600000 A     168.84.1.194
> ; End of File
> named.conf:
> // BIND Version 9 configuration file.
> //
> options {
>     directory "/var/opt/dnsfiles";
>     dump-file "/var/opt/dnsfiles/tmp/named_dump.db";
>     pid-file "/usr/local/run/named.pid";
>     // version statement for security to avoid hacking known weaknesses
>     version "not currently available";
>     recursion yes;
> };
>
> include "/etc/rndc.key";
>
> controls {
>     inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> zone "." {
>     type hint;
>     file "named.root";
> };
>
> zone "bms.n2bb.com" in {
>     type master;
>     file "db.bms.n2bb.com";
>     // to allow slave transfers, add slave ips in place of 'none'
>     allow-transfer { any; };
> };
>
> zone "1.84.168.in-addr.arpa" in {
>     type master;
>     file "db.168.84.1";
>     // to allow slave transfers, add slave ips in place of 'none'
>     allow-transfer { any; };
> };
>
> zone "localhost" in {
>     type master;
>     file "localhost.zone";
> };
>
> zone "0.0.127.in-addr.arpa" in {
>     type master;
>     file "named.local";
> };
>
Since this is an isolated network, set up the root zone as *master*, not
hint. There's no point in "hint"ing at a root zone, if there's nothing
on your network that actually serves that zone authoritatively; you're
sending dig +trace on a fool's errand...
- Kevin
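Kevin's suggestion written out as an added example (not code from the thread): a db.root file that makes the server from the quoted named.conf authoritative for "." on the isolated network, loaded by changing the hint stanza to `zone "." { type master; file "db.root"; };`. The file name, SOA serial, hostmaster mailbox and SOA timer values are assumptions; the server name, its address and the delegated zone names are taken from the quoted config.

```bind
; db.root -- authoritative root zone for the isolated network (added example)
; Loaded from named.conf with:  zone "." { type master; file "db.root"; };
; (replaces the  type hint; file "named.root";  stanza from the thread)
$TTL    3600000
$ORIGIN .

; SOA: mailbox, serial and timers are assumed values, not from the thread.
; The last field is the negative-answer TTL: how long resolvers may cache
; an NXDOMAIN for names nobody on this network serves.
@       IN SOA  obms1-com-taylor-mi.bms.n2bb.com. hostmaster.bms.n2bb.com. (
                2008011701      ; serial (assumed; bump on every edit)
                3600            ; refresh
                900             ; retry
                604800          ; expire
                3600 )          ; negative-answer TTL
        IN NS   obms1-com-taylor-mi.bms.n2bb.com.

; Glue for the root server itself (name and address from the original named.root)
obms1-com-taylor-mi.bms.n2bb.com.   IN A    168.84.1.194

; Delegations to the zones this same server is already master for
; (from the quoted named.conf); BIND answers these from the more specific
; zone, the delegation just keeps the root zone's tree consistent.
bms.n2bb.com.                       IN NS   obms1-com-taylor-mi.bms.n2bb.com.
1.84.168.in-addr.arpa.              IN NS   obms1-com-taylor-mi.bms.n2bb.com.
0.0.127.in-addr.arpa.               IN NS   obms1-com-taylor-mi.bms.n2bb.com.
localhost.                          IN NS   obms1-com-taylor-mi.bms.n2bb.com.
```

With this in place a reverse lookup for an address no zone on the network covers, such as the 209.85.137.83 in the quoted dig output, gets an immediate authoritative NXDOMAIN from the root zone (cached for the negative-answer TTL) instead of a referral back to the same server, so sshd's reverse lookup of a connecting client fails fast rather than holding up the login prompt. `named-checkzone . db.root` validates the file before reloading.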