why setting view with recursion option is invalid in BIND 9.5.0-P1
Kevin Darcy
kcd at chrysler.com
Tue Sep 9 03:11:51 UTC 2008
zq wrote:
> Hi,
>
> I have a problem with a view {} that has the recursion option. I want the server to
> query all the domains in the internal network, but it can't.
> The configuration file is as follows:
> options {
>     /* make named use port 53 for the source of all queries, to allow
>      * firewalls to block all ports except 53:
>      */
>     query-source port 53;
>     query-source-v6 port 53;
>
>     // Put files that named is allowed to write in the data/ directory:
>     directory "/var/named"; // the default
>     dump-file "data/cache_dump.db";
>     statistics-file "data/named_stats.txt";
>     memstatistics-file "data/named_mem_stats.txt";
>     allow-recursion { any; };
>     recursive-clients 1500;
>     recursion true;
> };
>
> logging
> {
>     /* If you want to enable debugging, eg. using the 'rndc trace' command,
>      * named will try to write the 'named.run' file in the $directory (/var/named).
>      * By default, SELinux policy does not allow named to modify the /var/named directory,
>      * so put the default debug log file in data/ :
>      */
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> view "view_0cnc"
> {
>     match-clients { any; };
>     allow-recursion { any; };
>     recursion true;
>     zone "." {
>         type hint;
>         file "named.root";
>     };
>
>     zone "xxxxxx.com" {
>         type master;
>         file "named.xxxxxx.com";
>         allow-update { 127.0.0.1; };
>     };
> };
>
> I tried to dig the master zone from the server, and it works fine. And when I run
> named -unamed -g, everything seems to work well. Who can tell me the reason, and
> how can I fix it?
> Thank you.
>
> Gelenbertang
> DATE
> 2008.9.9
>
First of all, "recursion true" is invalid syntax.
Secondly, having only 1 view with "any" for match-clients, and no other
view-selection criteria, is completely useless and pointless. All of the
clients will get matched to that view, regardless of who/what/where they
are. You might as well have no views at all.
Are you actually *hosting* any zones to the Internet? If not, then you
don't really need a view. Just set the appropriate
allow-query/allow-recursion/allow-query-cache for your clients' address
ranges, and define whatever internal zones you wish as authoritative.
If you are hosting zones to the Internet, then create a separate view
for that (call it e.g. "hosting" or "external"), with a "match-clients {
any; };" and "recursion no", and then place that view *after* the one
which has a "match-clients" for your clients' address ranges, and which
they use for resolution.
- Kevin
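The following is an added illustration of the view-ordering point made in the reply above; it is not code from either poster or from BIND. named tests views in the order they appear in named.conf and uses the first view whose match-clients ACL admits the querying address, so a view with `match-clients { any; }` placed first shadows everything after it (and, combined with `allow-recursion { any; }`, makes an open resolver). The script models that first-match selection, flags shadowed views, and renders the recommended internal-first/external-last layout as named.conf text. Only match-clients is modelled (match-destinations and match-recursive-only are ignored); the address ranges, zone name and file names are assumptions for the example, not values from the thread.

```python
"""Model of BIND 9 view selection: first matching match-clients wins.

Added example, not from the thread. Only match-clients is modelled.
Address ranges, zone names and file names below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    match_clients: list              # ACL elements in BIND order: "any", "none", "[!]addr/prefix"
    recursion: bool
    zones: list = field(default_factory=list)   # raw zone statements for rendering


def acl_matches(acl, client_ip):
    """First matching ACL element decides, as in named; a leading '!' denies.
    If no element matches, the ACL does not admit the client."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        if element == "any":
            return True
        if element == "none":
            return False
        negate = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if ip in net:
            return not negate
    return False


def select_view(views, client_ip):
    """Return the first view whose match-clients admits client_ip, or None
    (named refuses the query when no view matches)."""
    for view in views:
        if acl_matches(view.match_clients, client_ip):
            return view
    return None


def shadowed_views(views):
    """Names of views that can never be selected because an earlier view's
    match-clients starts with 'any' (the situation criticised in the reply)."""
    names = []
    catch_all_seen = False
    for view in views:
        if catch_all_seen:
            names.append(view.name)
        if view.match_clients and view.match_clients[0] == "any":
            catch_all_seen = True
    return names


def render_named_conf(views):
    """Render the views as named.conf text in the given order.
    Recursive views get allow-recursion limited to the same client ranges."""
    lines = []
    for view in views:
        acl = " ".join(e + ";" for e in view.match_clients)
        lines.append(f'view "{view.name}" {{')
        lines.append(f"    match-clients {{ {acl} }};")
        lines.append("    recursion " + ("yes" if view.recursion else "no") + ";")
        if view.recursion:
            lines.append(f"    allow-recursion {{ {acl} }};")
        lines.extend("    " + z for z in view.zones)
        lines.append("};")
    return "\n".join(lines)


# Assumed internal client ranges and placeholder zone statements (not from the thread).
INTERNAL_NETS = ["127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16"]
ROOT_HINTS = 'zone "." { type hint; file "named.root"; };'
HOSTED_ZONE = 'zone "example.com" { type master; file "named.example.com"; };'

INTERNAL = View("internal", INTERNAL_NETS, recursion=True, zones=[ROOT_HINTS, HOSTED_ZONE])
EXTERNAL = View("external", ["any"], recursion=False, zones=[HOSTED_ZONE])

RECOMMENDED = [INTERNAL, EXTERNAL]   # clients' ranges first, catch-all hosting view last
SHADOWING = [EXTERNAL, INTERNAL]     # catch-all first: the internal view is never reached

if __name__ == "__main__":
    print(render_named_conf(RECOMMENDED))
    for ip in ("10.1.2.3", "203.0.113.7"):
        chosen = select_view(RECOMMENDED, ip)
        print(ip, "->", chosen.name, "recursion", chosen.recursion)
    print("shadowed with catch-all first:", shadowed_views(SHADOWING))
```

Running it prints the two-view configuration and shows an internal address landing in the recursive view while an outside address lands in the non-recursive hosting view; reversing the list order makes the internal view unreachable, which is exactly why the catch-all view has to come last.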