turning on recursion in bind 9.2.2 makes ssh login prompt slow

Kevin Darcy kcd at chrysler.com
Thu Jan 17 00:45:46 UTC 2008


r37ribution at gmail.com wrote:
> Ok, awesome I made the change to named.root and it works great! Thank you so
> much everyone.
>
>
>   
>> Alan Clegg wrote:
>> Note that since you are in a controlled environment, I'd recommend that
>> you could also become authoritative for the zones that the inverses are
>> being queried against...
>>
>> In other words:  become the master of your domain.  :)
>>
>>     
>
> Please explain.
>
> When I run "dig +trace -x 209.85.137.83" I get the message below repeatedly
> until the "dig: Too many lookups" message:
> root at obms1-com-taylor-mi:/var/opt/dnsfiles# dig +trace -x 209.85.137.83
> ; <<>> DiG 9.2.2 <<>> +trace -x 209.85.137.83
> ;; global options:  printcmd
> .                       3600000 IN      NS      obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 78 bytes from 168.84.1.194#53(168.84.1.194) in 1 ms
> .                       3600000 IN      NS      obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> .                       3600000 IN      NS      obms1-com-taylor-mi.bms.n2bb.com.
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> .                       3600000 IN      NS      obms1-com-taylor-mi.bms.n2bb.com.
> [message repeats]...
> ;; Received 105 bytes from 168.84.1.194#53(obms1-com-taylor-mi.bms.n2bb.com) in 0 ms
> .                       3600000 IN      NS      obms1-com-taylor-mi.bms.n2bb.com.
> dig: Too many lookups
>
>
> I was hoping that if I post my named.conf and named.root, and you see anything
> missing that should be there, you could let me know.
>
> named.root:
> .                        3600000  IN  NS    obms1-com-taylor-mi.bms.n2bb.com.
> obms1-com-taylor-mi.bms.n2bb.com.      3600000      A     168.84.1.194
> ; End of File
> named.conf:
> // BIND Version 9 configuration file.
> //
> options {
>        directory           "/var/opt/dnsfiles";
>        dump-file           "/var/opt/dnsfiles/tmp/named_dump.db";
>        pid-file            "/usr/local/run/named.pid";
>            // version statement for security to avoid hacking known weaknesses
>            version "not currently available";
>            recursion yes;
> };
> include "/etc/rndc.key";
> controls {
>         inet 127.0.0.1 allow {127.0.0.1; } keys { "rndc-key"; };
> };
> zone "." {
>        type hint;
>        file "named.root";
> };
> zone "bms.n2bb.com" in {
>   type master;
>   file "db.bms.n2bb.com";
>   // to allow slave transfers, add slave ips in place of 'none'
>   allow-transfer { any; };
> };
> zone "1.84.168.in-addr.arpa" in {
>   type master;
>   file "db.168.84.1";
>   // to allow slave transfers, add slave ips in place of 'none'
>   allow-transfer { any; };
> };
> zone "localhost" in {
>   type master;
>   file "localhost.zone";
> };
> zone "0.0.127.in-addr.arpa" in {
>   type master;
>   file "named.local";
> };
>   
Since this is an isolated network, set up the root zone as *master*, not 
hint. There's no point in "hint"ing at a root zone, if there's nothing 
on your network that actually serves that zone authoritatively; you're 
sending dig +trace on a fool's errand...

                        - Kevin
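To make the advice above concrete, here is an added example (not part of this thread, and not BIND's own documentation) that generates the files for the isolated-network setup: the root zone declared as `type master` rather than `type hint`, a minimal authoritative root zone file that delegates the locally served zones back to this same server, and the `137.85.209.in-addr.arpa` reverse zone that the `dig +trace -x 209.85.137.83` lookups were chasing. The hostname `obms1-com-taylor-mi.bms.n2bb.com`, the address `168.84.1.194` and the existing zone names come from the original post; the SOA values, the PTR target, the file names and the `168.84.1.0/24` local range for `allow-recursion` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): write a BIND 9 configuration for an
# isolated network where this server is master for the root zone instead of
# hinting at Internet root servers it can never reach.  Hostnames, addresses
# and zone names are taken from the thread; SOA values, file names, the PTR
# target and the 168.84.1.0/24 range are constructed placeholders.

write_isolated_root_config() {
    dir="$1"
    mkdir -p "$dir"

    # named.conf: with "." as a master zone, any name this server does not
    # know gets an immediate authoritative NXDOMAIN instead of a timeout
    # waiting for unreachable roots (the cause of the slow ssh login prompt).
    cat > "$dir/named.conf" <<'EOF'
options {
        directory "/var/opt/dnsfiles";
        recursion yes;
        // answer recursive queries only for the local network (assumed range)
        allow-recursion { 127.0.0.1; 168.84.1.0/24; };
        version "not currently available";
};

zone "." {
        type master;
        file "db.root";
};

zone "bms.n2bb.com" in {
        type master;
        file "db.bms.n2bb.com";
        // list named secondaries here; "any" lets anyone pull the whole zone
        allow-transfer { none; };
};

zone "1.84.168.in-addr.arpa" in {
        type master;
        file "db.168.84.1";
        allow-transfer { none; };
};

// reverse zone for the addresses the sshd lookups were asking about
zone "137.85.209.in-addr.arpa" in {
        type master;
        file "db.209.85.137";
        allow-transfer { none; };
};
EOF

    # db.root: a minimal authoritative root that delegates the zones this
    # server is master for; everything else is answered NXDOMAIN locally.
    cat > "$dir/db.root" <<'EOF'
$TTL 3600000
.   IN  SOA obms1-com-taylor-mi.bms.n2bb.com. hostmaster.bms.n2bb.com. (
            2008011701 ; serial (constructed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-answer TTL
.   IN  NS  obms1-com-taylor-mi.bms.n2bb.com.
obms1-com-taylor-mi.bms.n2bb.com.  IN  A   168.84.1.194

; delegations back to this same server
bms.n2bb.com.             IN  NS  obms1-com-taylor-mi.bms.n2bb.com.
1.84.168.in-addr.arpa.    IN  NS  obms1-com-taylor-mi.bms.n2bb.com.
137.85.209.in-addr.arpa.  IN  NS  obms1-com-taylor-mi.bms.n2bb.com.
EOF

    # db.209.85.137: PTR for the address from the dig +trace in the thread
    cat > "$dir/db.209.85.137" <<'EOF'
$TTL 86400
@   IN  SOA obms1-com-taylor-mi.bms.n2bb.com. hostmaster.bms.n2bb.com. (
            2008011701 3600 900 604800 3600 )
    IN  NS  obms1-com-taylor-mi.bms.n2bb.com.
83  IN  PTR host-209-85-137-83.bms.n2bb.com.   ; constructed name
EOF
}

# Syntax-check the generated files when the BIND tools are installed;
# returns 0 (skipping the checks) when they are not.
check_isolated_root_config() {
    dir="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
        named-checkzone . "$dir/db.root" || return 1
        named-checkzone 137.85.209.in-addr.arpa "$dir/db.209.85.137" || return 1
    fi
    return 0
}
```

Run `write_isolated_root_config /tmp/bind-test && check_isolated_root_config /tmp/bind-test`, then compare the generated `named.conf` with the one in the post. Two things differ on purpose: the root zone is `type master`, so a reverse lookup for any address outside the served zones returns NXDOMAIN at once rather than after a chain of failed root queries, and `allow-transfer { none; }` replaces the original `{ any; }`, which would hand the full zone contents to any client that asks; add the real secondaries' addresses there if zone transfers are needed.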



More information about the bind-users mailing list