some definitions of terms im searching for

Sat Sep 9 03:02:30 UTC 2006

Jonathan Horne wrote:
> i was reading the article on bind and views with master/slaves here:
>
> http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
>
> and i saw:
>
>         recursion yes;
>         recursion no;
>
> ...with yes being allowed on internal views, and no for external views.  what 
> exactly is recursion and what does it affect from the clients point of view 
> or operation?
>   
When a resolver provides "recursive" service to a client that requests 
it, what that means is that it will do all of the work of resolving that 
query -- which may mean making several queries of its own to various 
nameservers or possibly one or more other resolvers -- and then passing 
an answer, or, if no answer is available, an error indication, back to 
the client. Recursive resolvers are therefore much more complex 
programs/subsystems, and generally work a lot harder at DNS, than "stub" 
resolvers, such as one might find on a regular desktop or laptop PC 
running Windows, which only generate recursive queries and then parse 
the responses they get back from those queries.

Note that a resolver itself may make recursive queries to another 
resolver, if it is set up to "forward" all queries, or some specific set 
of queries. It is thus possible to set up resolvers in a cascade, 
although this is generally considered bad architecture, since it doesn't 
scale well (the resolvers at the apex of the forwarding hierarchy tend 
to get hammered) and in practice tends to be not very resilient to 
failures (each step in the hierarchy can be considered another potential 
Point of Failure).
> my second question was the:
>
>          allow-transfer { any; };
>          allow-transfer { none; };
>
> ...also used within internal and external respectively.  how exactly do those 
> affect a client?  i did notice that my slave was unable to transfer 
> the 'none' zone until i changed 'none' to 'ip-alias-of-slave'.  
The 'none' zone? I think you're misunderstanding the syntax of that 
substatement. What's inside the curly braces there identifies a 
particular set of zone-transfer *clients*, not zones. You can use either 
addresses or TSIG keys to identify the clients of interest. 
"allow-transfer { any; };" means that all clients are allowed to 
transfer, "allow-transfer { none; };" means that no clients are allowed 
to transfer.

The way that you restrict transfers on a zone-by-zone basis is not to 
specify a zone in the curly braces of the "allow-transfer" substatement, 
but to place the "allow-transfer" within the zone definition itself, e.g.

zone "example.com" {
type master;
file "example.com";
allow-transfer { 1.2.3.4; };
};

This would restrict transfers of the "example.com" zone to only the 
client at address 1.2.3.4. If you wanted a "global" restriction on zone 
transfers you'd put that allow-transfer substatement within the 
"options" substatement. This "global" restriction could then be 
overridden on a zone-by-zone basis if you desired.
> i would 
> assume that having just a single ip listed (of my slave) is basically the 
> same as 'none' security wise, 
No, it means the slave is allowed to transfer, but no-one else is. With 
"none" in that position, no client is allowed to transfer, not even the 
slave.

Bear in mind that there is nothing "automatic" about identifying the 
slaves for a zone, for purposes of allowing or disallowing zone-transfer 
access. Just because a particular box may show up in the apex NS records 
for a zone, for instance, or in the delegation NS records, doesn't mean 
the slave is automatically permitted for zone transfers. You'd have to 
explicitly allow the slave to transfer, if your default is to disallow 
zone transfers. Note that the default, when no allow-transfer statements 
are present in named.conf, is "allow-transfer { any; };" for all zones, 
i.e. zone transfers completely open. So you don't need to define that at 
a global level if you don't feel like it.

- Kevin