allow query / allow recursion confusion
Barry Margolin
barmar at alum.mit.edu
Tue Jun 26 01:49:07 UTC 2007
In article <f5pq11$19s9$1 at sf1.isc.org>,
"Clenna Lumina" <savagebeaste at yahoo.com> wrote:
> Barry Margolin wrote:
> > You never mentioned that you were using VIEWS earlier. That changes
> > everything, because views implement separate virtual servers. Each
> > view has its own cache.
>
> I never mentioned it??
>
> Message-ID: <f5f47l$2hgj$1 at sf1.isc.org>
> > And yes that name server (Bind 9.3.4) uses views,
> > only allowing the internal view to issue recursive
> > queries (recursion yes;) while the external only
> > allows querying of zones the server is authoritative
> > for (recursion no;)
>
> Message-ID: <f5fgj0$2oel$1 at sf1.isc.org>
> > And before you say it, yes, "recursion: " is different
> > as it doesn't use ACLs, unless you count "match-clients: "
> > (ie, in a "view"), so it can be used in virtually the
> > same way as allow-query[-cache] without having to use
> > two statements.
>
> Both times when I outlined my tests, I mentioned view. But it shouldn't
Sorry. That was well into the thread, and I wasn't reading every
message carefully. The earlier messages that I'd replied to didn't
mention views.
> matter, as when "view" isn't explicitly used, the whole conf file is
> global view, so the same should work there. I'll even test that in a
> few minutes. But my original test should still sufficiently prove my
> point that "recursion: no;" does prevent cached lookups (on my Bind
> 9.3.4 server.)
If you have "recursion: no" then NO ONE can recurse, so nothing will
ever get into the cache in the first place. The issue only arises when
you use "allow-recursion" to block recursion selectively, rather than
totally.
>
>
> > The answers we gave earlier assumed that the internal and external
> > clients were in the same view (or no views were being used), and you
> > were using "allow-recursion { internal; }".
>
> I never said I was using allow-recursion. Each time I said I was using
> "recursion: no/yes" and I did mention views. I did compare what I was
> using to using allow-recursion and allow-query[-cache], but I never said
> I used them.
>
> Maybe you should do some checking next time :)
Anyway, I hope my more recent responses explain why you were seeing what
you saw, and how you would see the behavior we've described. The
non-recursers have to be in the same view as the recursers to have
access to their cache updates.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
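
The two setups contrasted in this message, written out as named.conf fragments. This is an added example, not configuration posted by anyone in the thread; the ACL addresses, zone name and file names are constructed placeholders, and the two alternatives are separate files, not one configuration.

```conf
// Constructed example. Addresses, zone name and file names are placeholders.
acl internal { 192.0.2.0/24; localhost; };

// ---- Alternative A: no views, so every client shares one cache ----
options {
    recursion yes;
    // Only "internal" clients can make the server recurse. Clients outside
    // the ACL cannot start a lookup, but they are in the same (implicit)
    // view, so they are served from the cache that internal clients fill.
    allow-recursion { internal; };

    // BIND 9.4 and later add a separate control over who may read the
    // cache. It is not available on the 9.3.4 server discussed here.
    // allow-query-cache { internal; };
};

zone "example.com" { type master; file "example.com.db"; };

// ---- Alternative B: views, so each view has its own cache ----
// (No allow-recursion in options; recursion is switched per view.)
view "internal" {
    match-clients { internal; };
    recursion yes;                 // this view resolves and caches
    zone "example.com" { type master; file "example.com.internal.db"; };
};

view "external" {
    match-clients { any; };        // everyone not matched above
    recursion no;                  // nothing is ever put in this view's cache
    zone "example.com" { type master; file "example.com.external.db"; };
};
```

To check which behaviour a server has, look up an outside name from an internal client first, then run `dig +norecurse` for the same name from an address outside the `internal` ACL and see whether an answer comes back.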
More information about the bind-users
mailing list