forwarder and allow-query

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 20 03:28:46 UTC 2000


allow-query isn't permitted with zones of type forward. You should be
seeing

    'allow-query' option for non-{master,slave,stub} zone 'ch.firm-internal.com'

messages in your syslog about this, followed by the "did not
validate" message. The documentation also indicates that this
combination is not supported.

If you don't want the full burden of being a slave, you could be just a
stub instead. From the documentation, it would appear that allow-query
is permitted with stub zones.

*Why* the combination is forbidden, I'm not entirely sure. Possibly it's
because the forwarding mechanism is currently doing double duty, i.e. to
enable forwarding, or -- with the "forwarders {}" syntax -- to *disable*
forwarding for a particular domain hierarchy, and maybe it's considered
too messy to try and figure out which ACL would apply at what level of
the hierarchy...


- Kevin

Thomas Stalder wrote:

> First thanks for the hints to identify my forwarder problem.
> Compiling the newest Bind but running the distributed version
> coming with Solaris was not very smart of me :-)
> Now I'm running into the next trap. Below you find what I tried
> to do on our name server in the DMZ for an internal zone.
> Why doesn't the 3rd example work?
>
> Thanks a lot, Thomas
> -------
> Following works fine (which I probably will stick to):
>
> zone "ch.firm-internal.com" in {
>      type slave;
>      file "/var/named/db.ch.pwcinternal.com";
>      masters {
>      10.41.66.193;
>      };
>      allow-query {
>           10.41/16;
>           192.22.22.96/27;
>      };
> };
> -------
> This works as well (forwarding to internal name server, open
> to the public):
>
> zone "ch.firm-internal.com" in {
>      type forward;
>      forward only;
>      forwarders {
>           10.41.66.193;
>      };
> };
> -------
> Following seems to be buggy. The name server tries to find
> the address in the Internet instead of forwarding to the
> 'internal name server':
>
> zone "ch.firm-internal.com" in {
>      type forward;
>      forward only;
>      forwarders {
>           10.41.66.193;
>      };
>      allow-query {
>           10.41/16;
>           192.22.22.96/27;
>      };
> };
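
An added example, not part of the original thread: a small Python check that applies the rule from the syslog message quoted in the reply (allow-query only on master, slave or stub zones) to zone statements before the server loads them. The `de` and `fr` zones, the file path and the finding labels are constructed for illustration; a forward zone without an ACL is reported separately because the thread describes that form as open to the public.

```python
import re

# Zone types that accept allow-query, per the syslog message quoted in the reply.
ALLOW_QUERY_TYPES = {"master", "slave", "stub"}

# Constructed sample: the "ch" zone is the failing statement from the thread,
# the "de" and "fr" zones and the file path are made up for this example.
SAMPLE_CONF = '''
zone "ch.firm-internal.com" in {
     type forward;
     forward only;
     forwarders { 10.41.66.193; };
     allow-query { 10.41/16; 192.22.22.96/27; };
};
zone "de.firm-internal.com" in {
     type stub;
     file "/var/named/db.de.example";
     masters { 10.41.66.193; };
     allow-query { 10.41/16; };
};
zone "fr.firm-internal.com" in {
     type forward;
     forwarders { 10.41.66.193; };
     // allow-query { 10.41/16; };   commented out, so it must not count
};
'''

def zone_blocks(text):
    """Yield (name, body) per zone statement, matching braces by depth."""
    text = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', text, flags=re.S)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def lint(text):
    """Return (zone, type, finding) tuples for zones that need attention."""
    findings = []
    for name, body in zone_blocks(text):
        t = re.search(r'\btype\s+([\w-]+)\s*;', body)
        ztype = t.group(1) if t else "unknown"
        has_acl = re.search(r'\ballow-query\s*\{', body) is not None
        if has_acl and ztype not in ALLOW_QUERY_TYPES:
            findings.append((name, ztype, "allow-query-rejected"))
        elif ztype == "forward" and not has_acl:
            findings.append((name, ztype, "no-zone-acl"))
    return findings
```

Calling `lint(SAMPLE_CONF)` reports the `ch` zone as the rejected combination and the `fr` zone as a forward zone with no per-zone restriction; the stub zone with allow-query passes.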






More information about the bind-users mailing list