Issues with setting recursive no in a view

Fri Sep 30 01:19:04 UTC 2005

> Our external DNS server (Bind 9.3.1) seems to be having problems. I have 2
> views, 1 for local machines in the DMZ where the DNS server is located and
> one for external users. If I set recursion to no in the external view
> (preferred for security reasons) the domains I am authoritative for will
> intermittently not respond with the proper information and it will instead
> return the list of root name servers. This does not always happen on the
> same domains. If I set recursion to yes, all domains always respond properly
> and none return as non-authoritative. My named.conf file is included below.
> We have several more domains than what is listed but I shortened it to keep
> the message shorter.
> 
> Thanks in advance for any advice.

	Make sure the dmz view has ALL the external zones.

	Normally I would expect 127.0.0.1 and ::1 to be in
	the match-clients acl for dmz.
 
> -----
> Kevin Van Der Hart
> Systems Engineer
> Vermeer Mfg Co
> 
> 
> options {
>       directory "/usr/local/etc/namedb";
>       dump-file "named_dump.db";
>       statistics-file "named.stats";
>       version "YES";
> 	forwarders { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX;
> XXX.XXX.XXX.XXX; };
> 	allow-transfer { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX;
> XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; };
> 	pid-file "/usr/local/etc/namedb/named.pid";
> };
> 
> view "dmz" {
>         match-clients { XXX.XXX.XXX/24; };
>         recursion yes;
>         zone "." {
>                 type hint;
>                 file "root.cache";
>         };
>         zone "0.1.127.in-addr.arpa" {
>                 type master;
>                 file "0.1.127.db";
>         };
> 	zone "vermeermfg.com" {
>        		type master;
>        		file "vermeermfg.com.db.dmz";
> 	};
> 	zone "vermeerdlr.com" {
>        		type master;
>        		file "vermeerdlr.com.db.dmz";
> 	};
> 	zone "106.168.192.in-addr.arpa" {
>        		type master;
>        		file "106.168.192.db.dmz";
> 	};
> };
> 
> view "external" {
>         match-clients { any; };
>         recursion yes;
> 	zone "vermeermfg.com" in {
>        		type master;
>         	file "vermeermfg.com.db";
> 	};
> 	zone "227.184.199.in-addr.arpa" in {
>         	type master;
>         	file "227.184.199.db";
> 	};
> 	zone "vermeermfg.net" in {
>         	type master;
>         	file "vermeermfg.net.db";
> 	};
> 	zone "vermeerdlr.com" in {
>         	type master;
>         	file "vermeerdlr.com.db";
> 	};
> 	zone "vermeer-international.com" in {
>         	type master;
>         	file "vermeer-international.com.db";
> 	};
> 	zone "vermeer.com" in {
>         	type master;
>         	file "vermeer.com.db";
> 	};
> 	zone "vermeerag.com" in {
>         	type master;
>         	file "vermeerag.com.db";
> 	};
> };
> 
> -----
> Kevin Van Der Hart
> Systems Engineer
> Vermeer Mfg Co
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org