allow query / allow recursion confusion

Barry Margolin barmar at alum.mit.edu
Tue Jun 26 01:49:07 UTC 2007


In article <f5pq11$19s9$1 at sf1.isc.org>,
 "Clenna Lumina" <savagebeaste at yahoo.com> wrote:

> Barry Margolin wrote:
> > You never mentioned that you were using VIEWS earlier.  That changes
> > everything, because views implement separate virtual servers.  Each
> > view has its own cache.
> 
> I never mentioned it??
> 
> Message-ID: <f5f47l$2hgj$1 at sf1.isc.org>
> > And yes that name server (Bind 9.3.4) uses views,
> > only allowing the internal view to issue recursive
> > queries (recursion yes;) while the external only
> > allows querying of zones the server is authoritative
> > for (recursion no;)
> 
> Message-ID: <f5fgj0$2oel$1 at sf1.isc.org>
> > And before you say it, yes, "recursion: " is different
> > as it doesn't use ACLs, unless you count "match-clients: "
> > (ie, in a "view"), so it can be used in virtually the
> > same way as allow-query[-cache] without having to use
> > two statements.
> 
> Both times when I outlined my tests, I mentioned view. But it shouldn't 

Sorry.  That was well into the thread, and I wasn't reading every 
message carefully.  The earlier messages that I'd replied to didn't 
mention views.

> matter, as when "view" isn't explicitly used, the whole conf file is 
> global view, so the same should work there. I'll even test that in a 
> few minutes. But my original test should still sufficiently prove my 
> point that "recursion: no;" does prevent cached lookups (on my Bind 
> 9.3.4 server.)

If you have "recursion: no" then NO ONE can recurse, so nothing will 
ever get into the cache in the first place.  The issue only arises when 
you use "allow-recursion" to block recursion selectively, rather than 
totally.

> 
> 
> > The answers we gave earlier assumed that the internal and external
> > clients were in the same view (or no views were being used), and you
> > were using "allow-recursion { internal; }".
> 
> I never said I was using allow-recursion. Each time I said I was using 
> "recursion: no/yes" and I did mention views. I did compare what I was 
> using to using allow-recursion and allow-query[-cache], but I never said 
> I used them.
> 
> Maybe you should do some checking next time :)

Anyway, I hope my more recent responses explain why you were seeing what 
you saw, and how you would see the behavior we've described.  The 
non-recursers have to be in the same view as the recursers to have 
access to their cache updates.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
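
The following is an added example, not part of the original message and not BIND code: a simplified Python model of the behavior described in this thread, comparing one shared view using allow-recursion, split views, and recursion turned off. The class names, addresses, and the `UPSTREAM` table are constructed for illustration.

```python
import ipaddress

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def member(client, acl):
    return any(ipaddress.ip_address(client) in n for n in acl)

class View:
    """Simplified view: match-clients list (first match wins), recursion policy, private cache."""
    def __init__(self, match_clients, recursion, allow_recursion=None):
        self.match_clients = nets(match_clients)
        self.recursion = recursion                  # models the recursion yes/no option
        # None models "no allow-recursion ACL": every client of the view may recurse
        self.allow_recursion = None if allow_recursion is None else nets(allow_recursion)
        self.cache = {}                             # each view has its own cache

    def may_recurse(self, client):
        return self.recursion and (self.allow_recursion is None or member(client, self.allow_recursion))

class Server:
    def __init__(self, views, upstream):
        self.views, self.upstream = views, upstream

    def query(self, client, name):
        view = next((v for v in self.views if member(client, v.match_clients)), None)
        if view is None:
            return "REFUSED"
        if name in view.cache:                      # cached data is served to any client of the view
            return view.cache[name]
        if view.may_recurse(client) and name in self.upstream:
            view.cache[name] = self.upstream[name]  # only recursion populates the cache
            return view.cache[name]
        return "REFERRAL"                           # no cached answer and no recursion

UPSTREAM = {"www.example.com": "192.0.2.10"}        # constructed stand-in for the Internet
INSIDE, OUTSIDE, NAME = "10.0.0.5", "203.0.113.9", "www.example.com"

def probe(views):
    """Outside asks, inside asks, outside asks again; return the three answers."""
    s = Server(views, UPSTREAM)
    return [s.query(c, NAME) for c in (OUTSIDE, INSIDE, OUTSIDE)]

def scenarios():
    return {
        "shared": probe([View(["0.0.0.0/0"], True, allow_recursion=["10.0.0.0/8"])]),
        "split": probe([View(["10.0.0.0/8"], True), View(["0.0.0.0/0"], False)]),
        "off": probe([View(["0.0.0.0/0"], False)]),
    }
```

Only the "shared" scenario lets the outside client read an answer that an inside client's recursion placed in the cache, which is the case the message says requires both kinds of client to be in the same view.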


