allow query or recursive?
Chris Buxton
cbuxton at menandmice.com
Tue Jun 2 04:39:28 UTC 2009
On Jun 1, 2009, at 11:28 PM, Barry Margolin wrote:
> Allow-query allows the clients to query the zones that your server is
> authoritative for.
>
> Allow-recursion allows them to request recursion, which is needed to
> look up names in remote zones.
>
> Allow-query-cache allows them to query the data that's in the cache due
> to some client previously requesting recursion.
That's not quite right.
allow-query governs who can send *any* query to the server, not just
queries against authoritative data. If a query is blocked by this ACL,
the response sent back is empty (no records), with the RCODE set to
REFUSED.
allow-recursion and allow-query-cache now default to behave like each
other. In other words, if one is set but not the other, the behavior
is as if both were set to the same ACL. Therefore, there's almost
never any reason to set allow-query-cache - just use allow-recursion
for both, unless you truly have a use for allowing someone access to
the cache who does not also have permission to send recursive queries
to the server.
allow-query-cache was added in BIND 9.4. Previously, the only control
on cached data was allow-query.
If a query is blocked by allow-query-cache, the response is REFUSED,
as with allow-query. If it passes allow-query-cache but is blocked by
allow-recursion (an unusual situation these days), the query is
handled as if it were not recursive.
The defaults if no values are set at all:
allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };
My guess is that the OP was being tripped up by the default for allow-recursion.
Chris Buxton
Professional Services
Men & Mice
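The three ACLs side by side in one named.conf, as an added example that is not part of the original post or of BIND's own documentation. It shows a server that is authoritative for one zone and also recurses for its own networks: allow-query left at the default so the world can reach the authoritative data, while recursion and cache access are limited to the local networks (leaving allow-recursion at "any" is what turns a name server into an open resolver). The acl name "trusted", the 192.0.2.0/24 prefix, the file paths and the zone example.com are placeholders chosen for the example.

```conf
// Added example named.conf; acl name "trusted", 192.0.2.0/24,
// example.com and the file paths are placeholders.

acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;      // placeholder for an internal client range
};

options {
    directory "/var/named";
    recursion yes;

    // allow-query gates every query, not only queries for authoritative
    // data. A client outside this ACL gets an empty REFUSED response for
    // any name. "any" is the default; keep it so the zones below stay
    // reachable from the Internet.
    allow-query { any; };

    // Who may ask this server to recurse, i.e. resolve names it is not
    // authoritative for. Restricting it to local networks avoids running
    // an open resolver; "any" here is the setting to avoid.
    allow-recursion { trusted; };

    // When only one of allow-recursion / allow-query-cache is set, the
    // other follows it, so this line is redundant with the one above.
    // Spelled out only to show the third ACL; set it to a different
    // value only if some client should read the cache without being
    // allowed to trigger recursion.
    allow-query-cache { trusted; };
};

// Authoritative data. A zone-level allow-query overrides the global one,
// so this zone stays public even if the global allow-query is tightened.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

To confirm the effect after `named-checkconf` and a reload: from an address outside the "trusted" ACL, `dig @ns.example.com example.com SOA` should still answer (authoritative data, passed by allow-query), while `dig @ns.example.com www.example.net A` should come back with `status: REFUSED`, because the name is not in a local zone and the client may neither recurse nor read the cache. From a host inside the ACL the second query should return an answer with the `ra` flag set.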