Issues with setting recursive no in a view
Sten Carlsen
ccc2716 at vip.cybercity.dk
Fri Sep 30 02:28:43 UTC 2005
I noticed a bunch of forwarders, does that have any significance?
Mark Andrews wrote:
>>Our external DNS server (Bind 9.3.1) seems to be having problems. I have 2
>>views, 1 for local machines in the DMZ where the DNS server is located and
>>one for external users. If I set recursion to no in the external view
>>(preferred for security reasons) the domains I am authoritative for will
>>intermittently not respond with the proper information and it will instead
>>return the list of root name servers. This does not always happen on the
>>same domains. If I set recursion to yes, all domains always respond properly
>>and none return as non-authoritative. My named.conf file is included below.
>>We have several more domains than what is listed but I shortened it to keep
>>the message shorter.
>>
>>Thanks in advance for any advice.
>>
>>
>
> Make sure the dmz view has ALL the external zones.
>
> Normally I would expect 127.0.0.1 and ::1 to be in
> the match-clients acl for dmz.
>
>
>
>>-----
>>Kevin Van Der Hart
>>Systems Engineer
>>Vermeer Mfg Co
>>
>>
>>options {
>> directory "/usr/local/etc/namedb";
>> dump-file "named_dump.db";
>> statistics-file "named.stats";
>> version "YES";
>> forwarders { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX;
>>XXX.XXX.XXX.XXX; };
>> allow-transfer { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX;
>>XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; };
>> pid-file "/usr/local/etc/namedb/named.pid";
>>};
>>
>>view "dmz" {
>> match-clients { XXX.XXX.XXX/24; };
>> recursion yes;
>> zone "." {
>> type hint;
>> file "root.cache";
>> };
>> zone "0.1.127.in-addr.arpa" {
>> type master;
>> file "0.1.127.db";
>> };
>> zone "vermeermfg.com" {
>> type master;
>> file "vermeermfg.com.db.dmz";
>> };
>> zone "vermeerdlr.com" {
>> type master;
>> file "vermeerdlr.com.db.dmz";
>> };
>> zone "106.168.192.in-addr.arpa" {
>> type master;
>> file "106.168.192.db.dmz";
>> };
>>};
>>
>>view "external" {
>> match-clients { any; };
>> recursion yes;
>> zone "vermeermfg.com" in {
>> type master;
>> file "vermeermfg.com.db";
>> };
>> zone "227.184.199.in-addr.arpa" in {
>> type master;
>> file "227.184.199.db";
>> };
>> zone "vermeermfg.net" in {
>> type master;
>> file "vermeermfg.net.db";
>> };
>> zone "vermeerdlr.com" in {
>> type master;
>> file "vermeerdlr.com.db";
>> };
>> zone "vermeer-international.com" in {
>> type master;
>> file "vermeer-international.com.db";
>> };
>> zone "vermeer.com" in {
>> type master;
>> file "vermeer.com.db";
>> };
>> zone "vermeerag.com" in {
>> type master;
>> file "vermeerag.com.db";
>> };
>>};
>>
>>-----
>>Kevin Van Der Hart
>>Systems Engineer
>>Vermeer Mfg Co
>>
>>
>>
>>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
>
>
>
--
Best regards
Sten Carlsen
Let HIM who has an empty INBOX send the first mail.
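
Added example, not part of the original thread: a small Python check for the two points in Mark Andrews's reply. It lists authoritative zones that the external view serves but the dmz view lacks, and the loopback addresses missing from the dmz match-clients. The sample config is constructed from zone names in the quoted named.conf (192.0.2.0/24 is a placeholder network), and the parser assumes a config without comments or nested ACLs.

```python
import re
# Constructed sample: view/zone layout taken from the quoted named.conf, trimmed;
# 192.0.2.0/24 stands in for the masked DMZ network (assumption).
SAMPLE_CONF = '''
view "dmz" {
    match-clients { 192.0.2.0/24; };
    zone "." { type hint; file "root.cache"; };
    zone "vermeermfg.com" { type master; file "vermeermfg.com.db.dmz"; };
    zone "vermeerdlr.com" { type master; file "vermeerdlr.com.db.dmz"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "vermeermfg.com" in { type master; file "vermeermfg.com.db"; };
    zone "vermeermfg.net" in { type master; file "vermeermfg.net.db"; };
    zone "vermeerdlr.com" in { type master; file "vermeerdlr.com.db"; };
    zone "vermeer.com" in { type master; file "vermeer.com.db"; };
};
'''

def block_end(text, open_idx):
    """Return the index of the '}' that closes the '{' at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces")

def views(conf):
    """Map view name -> {'zones': authoritative zone names, 'clients': ACL text}."""
    out = {}
    for m in re.finditer(r'view\s+"([^"]+)"\s*\{', conf):
        body = conf[m.end():block_end(conf, m.end() - 1)]
        zones = set()
        for z in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', body):
            zbody = body[z.end():block_end(body, z.end() - 1)]
            if re.search(r'type\s+(master|slave)\s*;', zbody):  # skip hint zones
                zones.add(z.group(1).lower())
        mc = re.search(r'match-clients\s*\{([^}]*)\}', body)
        out[m.group(1)] = {"zones": zones, "clients": mc.group(1) if mc else ""}
    return out

def audit(conf, inner="dmz", outer="external"):
    """Return (zones missing from the inner view, loopbacks missing from its ACL)."""
    v = views(conf)
    clients = {c.strip() for c in v[inner]["clients"].split(";")}
    return (sorted(v[outer]["zones"] - v[inner]["zones"]),
            [a for a in ("127.0.0.1", "::1") if a not in clients])
```

Any zone reported as missing is one that dmz-view clients resolve through recursion and the forwarders rather than from the server's own authoritative data.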