forwarding but no recursion?

Michael Milligan milli at acmeps.com
Thu Jan 22 00:58:39 UTC 2009


etirado.ext at orange-ftgroup.com wrote:
> Hello,
> 
> Is it possible to disable recursion for all incoming queries except
> for those listed in a zone statement with a forwarder?
> 
> I know that no forwarding is allowed if we disable recursion.
> 
> Something like this (but this doesn't work, I know):
> 
> I can't match people so I can't create a view.

> options {
>
> 	allow-query { any; };
> 	allow-query-cache { none; };
> 	allow-recursion { none; };
>
> };
>
> zone "example.fr" {
>
> 	type forward;
> 	forwarders { x.x.x.x; };
> 	forward only;
> };

Then what you really have is an architectural issue you need to sort out.

Recursion is needed on name servers so dumb resolvers (end systems...
e.g., PCs and laptops) can use them, which also means it will ask
questions of other authoritative name servers and cache intermediate
data.  Forward-type zones are essentially an extension of this, just for
jump-starting recursive resolution at a different starting point that is
not visible following the usual delegation path.  You should only ever
need to use a forward-type zone to get around a firewall.

If you have recursion turned off, then you have caching turned off and
thus can only be serving authoritative data (and no other data is
retrieved elsewhere via queries, via forwarding or recursion).

These two situations serve two very different functions.  If you are
trying to mix these two functions (resolving server, authoritative
server), then you have to be able to either segment each into a view
(where queries come in on the same interface), or segment by using
multiple interfaces for receiving/sending queries and run two instances
of named, one for each function, or (most commonly) just run these
functions on two completely different machines.

If I were to guess, it looks like you are constructing an authoritative
server, because of "allow-recursion { none; };".  Why can't you do this
to get the data for the example.fr zone?

zone "example.fr" {
	type slave;
	masters { x.x.x.x; };
};

If you really are trying to get around a firewall, then this server is a
resolving server anyway (serving end systems) and thus you would need
recursion turned on...

Regards,
Mike

-- 
Michael Milligan                                   -> milli at acmeps.com
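As an added example (not part of Mike's reply or the original poster's configuration), here is what the "two instances of named on separate interfaces" option he describes might look like in practice: one authoritative-only instance on the public address and one recursive instance on an internal address, each with its own named.conf. All addresses are assumptions using documentation ranges: 192.0.2.10 is the public interface, 192.0.2.1 the master for example.fr, 10.0.0.53 the internal interface, 10.0.0.0/8 the client network, and 10.1.1.1 the forwarder on the far side of the firewall. The directory and pid-file paths are likewise assumed and must exist and be writable by named.

```conf
// named-auth.conf  (assumed file name)
// Authoritative-only instance. Listens on the public address, answers
// for zones it holds, and refuses recursion to everyone.
options {
	directory "/var/named/auth";          // assumed path
	pid-file "/var/run/named-auth.pid";   // separate pid-file per instance
	listen-on { 192.0.2.10; };            // public interface only (assumed)
	listen-on-v6 { none; };
	recursion no;
	allow-query { any; };
	allow-query-cache { none; };          // nothing is cached; refuse lookups anyway
	allow-recursion { none; };
};

// Data for example.fr arrives by zone transfer, not by forwarding,
// exactly as suggested in the reply above.
zone "example.fr" {
	type slave;
	file "slave/example.fr";              // relative to "directory" above
	masters { 192.0.2.1; };               // assumed master address
};

// named-resolver.conf  (assumed file name)
// Recursive instance for end systems. Listens on the internal address
// only and serves only the internal client network.
options {
	directory "/var/named/resolver";      // assumed path
	pid-file "/var/run/named-resolver.pid";
	listen-on { 10.0.0.53; };             // internal interface only (assumed)
	listen-on-v6 { none; };
	recursion yes;
	allow-query { 10.0.0.0/8; };          // assumed client network
	allow-recursion { 10.0.0.0/8; };
	allow-query-cache { 10.0.0.0/8; };
};

// Root hints so ordinary recursion works for everything else.
zone "." {
	type hint;
	file "named.root";                    // the usual root hints file
};

// example.fr lives behind a firewall, so this instance reaches it only
// through the forwarder instead of following the normal delegation path.
zone "example.fr" {
	type forward;
	forward only;
	forwarders { 10.1.1.1; };             // assumed forwarder address
};
```

Start the two instances with `named -c /path/to/named-auth.conf` and `named -c /path/to/named-resolver.conf` (paths assumed); because both would otherwise claim the same rndc control port, give each its own `controls` statement or disable rndc on one. Validate each file with `named-checkconf` before starting. If the two functions must share one named instance on one host, BIND's `match-destinations` clause in a `view` selects a view by the address the query arrived on rather than by who sent it, which sidesteps the "I can't match people" problem in the original question.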


