Best allow-query setting on an authoritative-only nameserver

Chris Thompson cet1 at
Thu Apr 19 22:34:38 UTC 2007

On Apr 3 2007, I asked:

>The scenario is a nameserver with "recursion no" in options and
>each zone statement having its own explicit "allow-query" setting
>(mostly "any"). This is intended only as an authoritative server
>for a number of zones.
>Question: what is the best setting for "allow-query" in options,
>which applies only to queries not in any of those zones? Or perhaps
>better, what are the pros and cons of "allow-query {none;};" versus
>"allow-query {any;};" in this context? Is it better to reply REFUSED
>or to give a referral to the root nameservers? (I suppose one should
>also distinguish between "better for us" and "better for them".)

Thanks are due to those who followed up (Kevin, Ronan, Peter) even
if there was no clear consensus. ("Go not to the elv... I mean, the
bind-users mailing list, for advice, for they will say both yes and no.")

At the moment I am using "any", which seems to be how most authoritative-only
nameservers out there are configured.

There's one oddity, though: the referral isn't always to the root nameservers.
For example, queries about get the root referral, but ones for get one for the .edu nameservers (with the right NS records).
None of the zones for which the nameserver is authoritative are in either
.com or .edu, so why the difference? How do such things get into the cache
in the first place, for a nameserver with "recursion no" set?

Chris Thompson
Email: cet1 at
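
An added example, not part of the original post: a Python sketch that classifies a reply to an out-of-zone query as REFUSED, as a delegation from a zone the server really serves, or as a referral, and reports the owner name of the referral's NS set (`.` for the root, `edu.` for the other case described above). `build_response`, the zone `example.org.` and every message it produces are constructed for illustration.

```python
import struct

def encode_name(name):
    # Wire format: length-prefixed labels; the root is a single zero byte
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    # Returns (name, offset after the name), following compression pointers
    labels, end = [], None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang the parser
        n = msg[off]
        if n & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("compression loop")

def build_response(qname, rcode, ns_owner=None, ns_targets=()):
    # Constructed sample: QR=1, AA=0, one question, NS records in the authority section
    msg = struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, len(ns_targets), 0)
    msg += encode_name(qname) + struct.pack("!2H", 1, 1)
    for target in ns_targets:
        rdata = encode_name(target)
        msg += encode_name(ns_owner) + struct.pack("!2HIH", 2, 1, 3600, len(rdata)) + rdata
    return msg

def classify(msg, served_zones):
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    if flags & 0xF == 5:
        return ("refused", None)             # what "allow-query {none;};" produces
    if flags & 0xF or flags & 0x0400 or an or not ns:
        return ("other", None)               # error, authoritative answer, or no NS set
    owner, off = read_name(msg, off)
    if struct.unpack("!H", msg[off:off + 2])[0] != 2:   # first authority RR must be NS
        return ("other", None)
    if any(owner == z or owner.endswith("." + z) for z in served_zones):
        return ("delegation", owner)         # referral out of a zone we serve
    return ("referral", owner)               # "." is the root; anything else is the oddity

ZONES = {"example.org."}  # hypothetical zone the server is authoritative for
```

Feeding it the raw UDP payloads captured from the server for a handful of out-of-zone names shows at a glance which names draw a root referral and which draw a referral to some other zone.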
