per-zone-recursion?

Kevin Darcy kcd at chrysler.com
Thu Sep 30 23:13:11 UTC 2010


Per-zone recursion control doesn't exist in BIND, because frankly it 
doesn't make sense.

Either a zone type is meaningless *without* recursion (type forward, 
type stub), or recursion is *unnecessary* because the nameserver answers 
from authoritative data (type master, type slave).

Put another way, have you thought through exactly what you want to 
happen if a client queries something not specifically carved out for 
recursion, e.g. isc.org?

The response from a BIND instance, when recursion is denied or not 
requested, is always either (as per Section 4.3.1 of RFC 1034):
a) an answer from authoritative data,
b) an answer from cache,
c) a negative-caching response,
d) a (0 answers) referral, or
e) some sort of "non-response", like an error (SERVFAIL) or an 
administrative rejection of the query (REFUSED)

If (a) doesn't apply (because not authoritative) and neither does (b) 
(because how can answers be cached in the first place if recursion is 
being denied?), that leaves (c) through (e), none of which are 
particularly useful to the client. So you might as well REFUSE queries 
outside of zones for which recursion is not explicitly enabled. 
Configure "allow-query { none; };" as the default followed by specific 
exceptions for the zones you want to "open up", e.g., dynsup.example.net.

         - Kevin
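A way to check which of those five response kinds a server is actually giving for a name, added here as an illustration and not part of the original thread: the script below parses the text that dig prints and classifies the reply with the same letters (a) to (e) as the list above, and separately flags the symptom from the question (RD set, RA missing, referral returned instead of a forwarded answer). The dig outputs embedded in it are constructed for the example; the names are the thread's, and 192.0.2.53 is a documentation address standing in for the server's public IP.

```python
"""Sort dig output into the RFC 1034 section 4.3.1 response kinds.

  a) answer from authoritative data  (answers present, AA flag set)
  b) answer from cache               (answers present, AA flag clear)
  c) negative response               (NXDOMAIN, or NODATA with an SOA in AUTHORITY)
  d) referral                        (no answers, NS records in AUTHORITY)
  e) non-response                    (REFUSED, SERVFAIL, ...)
"""
import re
import sys

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags:([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r";; (\w+) SECTION:")

# Constructed dig output (not captured from any real server).
SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.dynsub.example.net.\t\tIN\tA

;; AUTHORITY SECTION:
dynsub.example.net.\t3600\tIN\tNS\tns1.example.net.

;; ADDITIONAL SECTION:
ns1.example.net.\t3600\tIN\tA\t192.0.2.53
"""
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.isc.org.\t\t\tIN\tA
"""
SAMPLE_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.net.\t\tIN\tA

;; ANSWER SECTION:
www.example.net.\t3600\tIN\tA\t192.0.2.53
"""


def parse_dig(text):
    """Return (status, flags, sections) from the text dig prints for one response."""
    status, flags, sections, current = None, set(), {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Resource records: owner TTL class type rdata (QUESTION lines start with ';')
        if current and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 4:
                sections[current].append((fields[0], fields[3], " ".join(fields[4:])))
    return status, flags, sections


def classify(text):
    """Return (letter, description) for one dig response, per the list above."""
    status, flags, sections = parse_dig(text)
    answers = sections.get("ANSWER", [])
    authority_types = {rtype for _, rtype, _ in sections.get("AUTHORITY", [])}
    if status == "REFUSED":
        return "e", "administrative rejection (REFUSED)"
    if status == "SERVFAIL":
        return "e", "error (SERVFAIL)"
    if answers:
        if "aa" in flags:
            return "a", "answer from authoritative data"
        return "b", "answer from cache"
    if status == "NXDOMAIN" or "SOA" in authority_types:
        return "c", "negative response"
    if "NS" in authority_types:
        return "d", "referral (0 answers)"
    return "e", "non-response (status %s)" % status


def recursion_denied(text):
    """True when recursion was requested (RD) but the server offered none (no RA).

    Together with a 'd' result this is the referral-to-itself symptom from the
    question: the forward zone is never consulted because the view denies
    recursion to this client.
    """
    _, flags, _ = parse_dig(text)
    return "rd" in flags and "ra" not in flags


if __name__ == "__main__":
    # Feed real output with:  dig @server www.dynsub.example.net A | python3 thisfile.py
    inputs = [sys.stdin.read()] if not sys.stdin.isatty() else [
        SAMPLE_REFERRAL, SAMPLE_REFUSED, SAMPLE_AUTH]
    for reply in inputs:
        letter, what = classify(reply)
        print("(%s) %s%s" % (letter, what,
                             "; recursion denied" if recursion_denied(reply) else ""))
```

Run it with no input to see the three constructed cases classified, or pipe a live dig reply into it to see which of the five kinds your own server returns for a name inside the forwarded subdomain versus one outside every configured zone.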

On 9/30/2010 5:09 AM, Joerg Dorchain wrote:
> Hello,
>
> I am puzzled with a bind config for a kind of dns-reverse-proxy situation.
>
> I have a server with only one public IP address, bind running on
> port 53 of it.
> This bind serves example.net. A subdomain dynsub.example.net
> should be served by some other software answering DNS requests
> with dynamically generated answers.
>
> I can create a forward zone like this
> zone "dynsup.example.net" {
>    type forward;
>    forward only;
>    forwarders { 127.0.0.1 port 5353; };
> };
>
> which works fine in the way that it forwards all queries to and
> all answers from the other DNS software running on port 5353, but
> - this is the problem - only if the view with the statement allows
> recursion.
>
> For several reasons I do not want to answer all queries for all
> domains recursively, just those for that one zone.
>
> When I turn recursion off, bind answers with a referral to itself
> (glue records work ;-), which in this case is not helpful.
>
> Does anybody have an idea on how I can persuade bind to answer
> only this zone recursively?
>
> TIA,
>
> Joerg
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
