allow query / allow recursion confusion

Clenna Lumina savagebeaste at yahoo.com
Tue Jun 26 01:21:02 UTC 2007


Barry Margolin wrote:
> In article <f5or2j$t4$1 at sf1.isc.org>,
> "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>
>> Kal Feher wrote:
>>> From the 9.3 ARM
>>> "Note that setting recursion no does not prevent clients from
>>> getting data from the server's cache; it only prevents new data
>>> from being cached as an effect of client queries"
>>>
>>>
>>> specifically:
>>> To barry's email saying that allow-query-cache now did what
>>> allow-recursion was thought to do, you said "recursion no" did this.
>>> It does not, as clearly stated in the ARM excerpt above. Yes it
>>> seems cleaner, but no it doesn't work.
>>
>> Doesn't work? My setup seems to disagree with you, as does my test
>> which I posted. I set the "external" view to have "recursion: no"
>> while setting the same to "yes" for the "internal".
>>
>> Each view is properly ACL'ed in the match-clients clause.
>>
>> I can look up any domain from the "internal" side, but from any
>> terminal on the "external" side (read: anywhere else on the
>> internet) I cannot look up any domains other than what my server is
>> authoritative for. Even if I look up, say "yahoo.com" on the
>> "internal" side and immediately thereafter attempt the same lookup
>> against my name server from an "external" terminal (I ssh'ed into a
>> remote system), I cannot get anything other than a list of root
>> servers. No "yahoo.com" records, cached or otherwise.
>>
>> Bottom line: cached responses are not available when "recursion: no"
>> is used. After the first lookup on the "internal" side, any repeat
>> queries are instant, so they are being cached.
>
> You never mentioned that you were using VIEWS earlier.  That changes
> everything, because views implements separate virtual servers.  Each
> view has its own cache.

I never mentioned it??

Message-ID: <f5f47l$2hgj$1 at sf1.isc.org>
> And yes that name server (Bind 9.3.4) uses views,
> only allowing the internal view to issue recursive
> queries (recursion yes;) while the external only
> allows querying of zones the server is authoritative
> for (recursion no;)

Message-ID: <f5fgj0$2oel$1 at sf1.isc.org>
> And before you say it, yes, "recursion: " is different
> as it doesn't use ACLs, unless you count "match-clients: "
> (ie, in a "view"), so it can be used in virtually the
> same way as allow-query[-cache] without having to use
> two statements.

Both times when I outlined my tests, I mentioned view. But it shouldn't 
matter, as when "view" isn't explicitly used, the whole conf file is 
global view, so the same should work there. I'll even test that in a 
few minutes. But my original test should still sufficiently prove my 
point that "recursion: no;" does prevent cached lookups (on my Bind 
9.3.4 server.)


> The answers we gave earlier assumed that the internal and external
> clients were in the same view (or no views were being used), and you
> were using "allow-recursion { internal; }".

I never said I was using allow-recursion. Each time I said I was using 
"recursion: no/yes" and I did mention views. I did compare what I was 
using to using allow-recursion and allow-query[-cache], but I never said 
I used them.

Maybe you should do some checking next time :)

-- 
CL 
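
The external-side test described in this message, as an added example that is not part of the original post: a Python sketch that labels a server's reply to a non-recursive query for a name it is not authoritative for, using only the 12-byte DNS header. The function names, labels and sample headers are constructed for illustration.

```python
import struct

def build_header(ancount, nscount, aa=False, rcode=0):
    """Constructed sample: 12-byte DNS response header (RFC 1035, 4.1.1)."""
    flags = 0x8000 | (int(aa) << 10) | rcode      # QR=1, RD=0, RA=0
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

def classify(response: bytes) -> str:
    """Label the reply to an RD=0 query for a name the server is not
    authoritative for. Assumes the query really was sent with RD=0;
    otherwise a non-AA answer could come from fresh recursion."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 5:
        return "refused"
    if rcode != 0:
        return f"rcode-{rcode}"
    if an > 0:
        return "authoritative-answer" if aa else "cache-hit"
    if ns > 0 and not aa:
        return "referral"
    return "no-data"

def cache_exposed(replies: dict) -> list:
    """Names for which the view under test handed out cached records."""
    return sorted(n for n, r in replies.items() if classify(r) == "cache-hit")

# Constructed replies, as seen from a client matched by the view under test.
SAMPLES = {
    "referral.example": build_header(ancount=0, nscount=13),   # root NS list only
    "cached.example": build_header(ancount=2, nscount=0),      # non-AA answer
    "refused.example": build_header(ancount=0, nscount=0, rcode=5),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
    print("cache exposed for:", cache_exposed(SAMPLES))
```
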