classless in-addr.arpa and recursion

Barry Margolin barmar at bbnplanet.com
Thu Dec 2 18:20:55 UTC 1999


In article <38452CE6.2C3D7EFD at pheur.org>,
Evaldas Auryla  <evaldas.auryla at pheur.org> wrote:
>Software: BIND 8.2.2-P5 server with some security options (recursive
>queries allowed only to local clients). This server is primary for some
>zone "X" and has delegated classless in-addr.arpa for that zone.
>
>Situation: Only local clients are able to resolve in-addr.arpa for that
>zone "X"; external queries are refused, because recursion is disabled -
>it is however required for this zone to ask the secondary server
>(usually ISP) what that a.some-subnet-mask.b.c.d resolves to (CNAME
>pointing to the real IP on ISPs server).
>
>Question: Is there any way to enable recursion for some zones
>(in-addr.arpa) while keeping it off globally ?

Not as far as I know, but I don't think it should be necessary if you've
followed RFC2317 properly.  The server for x.y.z.in-addr.arpa should return
the record:

w.x.y.z.in-addr.arpa. CNAME w.<subnet>.x.y.z.in-addr.arpa.

Then when the querier tries to look up w.<subnet>.x.y.z.in-addr.arpa, your
server should return a referral:

<subnet>.x.y.z.in-addr.arpa. NS <server for subnet>

Finally, the querier will then send its query for
w.<subnet>.x.y.z.in-addr.arpa to the subnet server.  No recursion should be
necessary; in fact, when a remote nameserver is querying your server, it
shouldn't even have the Recursion Desired flag set (recursive servers
perform iterative queries).

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
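As an added illustration of the layout described in the reply above (not part of the original thread), here are the two zone files for a constructed RFC 2317 delegation of 192.0.2.0/26: the ISP's parent zone carrying the CNAMEs and the NS referral, and the customer's delegated zone carrying the PTRs. The server names and the documentation prefix are assumptions.

```zone
; --- Parent zone, served by the ISP (authoritative, no recursion needed) ---
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 3600
@       IN SOA  ns.isp.example. hostmaster.isp.example. (
                1 3600 900 1209600 3600 )
        IN NS   ns.isp.example.

; Delegate the 192.0.2.0/26 sub-block to the customer's servers.
; This is the referral the querier receives on its second lookup.
0/26    IN NS   ns1.customer.example.
0/26    IN NS   ns2.customer.example.

; One CNAME per host address, pointing into the delegated sub-zone.
; 1 -> 1.0/26.2.0.192.in-addr.arpa. and so on ($GENERATE needs BIND 8.2+).
$GENERATE 1-62 $ CNAME $.0/26

; --- Delegated zone, served by the customer (also purely authoritative) ---
$ORIGIN 0/26.2.0.192.in-addr.arpa.
$TTL 3600
@       IN SOA  ns1.customer.example. hostmaster.customer.example. (
                1 3600 900 1209600 3600 )
        IN NS   ns1.customer.example.
        IN NS   ns2.customer.example.

; The PTRs live here; the querier reaches them by following the CNAME
; and then the referral, so the customer's server never has to recurse.
1       IN PTR  gw.customer.example.
2       IN PTR  www.customer.example.
```

Because every hop is an authoritative answer, each one can be checked with the RD bit cleared: `dig +norecurse @ns.isp.example -x 192.0.2.1` should return the CNAME plus the referral, and `dig +norecurse @ns1.customer.example 1.0/26.2.0.192.in-addr.arpa PTR` the PTR. The customer's named.conf then needs only a `type master` zone statement for `0/26.2.0.192.in-addr.arpa`, with `allow-recursion` still restricted to local clients.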