allow query / allow recursion confusion

Clenna Lumina savagebeaste at yahoo.com
Tue Jun 26 02:10:00 UTC 2007


Barry Margolin wrote:
> In article <f5pq11$19s9$1 at sf1.isc.org>,
> "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>
>> Barry Margolin wrote:
>>> You never mentioned that you were using VIEWS earlier.  That changes
>>> everything, because views implements separate virtual servers.  Each
>>> view has its own cache.
>>
>> I never mentioned it??
>>
>> Message-ID: <f5f47l$2hgj$1 at sf1.isc.org>
>>> And yes that name server (Bind 9.3.4) uses views,
>>> only allowing the internal view to issue recursive
>>> queries (recursion yes;) while the external only
>>> allows querying of zones the server is authoritative
>>> for (recursion no;)
>>
>> Message-ID: <f5fgj0$2oel$1 at sf1.isc.org>
>>> And before you say it, yes, "recursion: " is different
>>> as it doesn't use ACLs, unless you count "match-clients: "
>>> (ie, in a "view"), so it can be used in virtually the
>>> same way as allow-query[-cache] without having to use
>>> two statements.
>>
>> Both times when I outlined my tests, I mentioned view. But it
>> shouldn't
>
> Sorry.  That was well into the thread, and I wasn't reading every
> message carefully.  The earlier messages that I'd replied to didn't
> mention views.
>
>> matter, as when "view" isn't explicitly used, the whole conf file is
>> global view, so the same should work there. I'll even test that
>> in a few minutes. But my original test should still sufficiently
>> prove my point that "recursion: no;" does prevent cached lookups (on
>> my Bind
>> 9.3.4 server.)
>
> If you have "recursion: no" then NO ONE can recurse, so nothing will
> ever get into the cache in the first place.  The issue only arises
> when you use "allow-recursion" to block recursion selectively, rather
> than totally.

Arg, my point, though, is that, in conjunction with Views, if you're 
using them, the match-clients + recursion: "yes" on one view and "no" on 
another mimics allow-recursion and allow-query[-cache] and my tests 
verified this.

The "Internal" view allowed recursive queries while the "External" side 
couldn't get squat, even if it _was_ cached.

>>> The answers we gave earlier assumed that the internal and external
>>> clients were in the same view (or no views were being used), and you
>>> were using "allow-recursion { internal; }".
>>
>> I never said I was using allow-recursion. Each time I said I was
>> using "recursion: no/yes" and I did mention views. I did compare
>> what I was using to using allow-recursion and allow-query[-cache],
>> but I never said I used them.
>>
>> Maybe you should do some checking next time :)
>
> Anyway, I hope my more recent responses explain why you were seeing
> what you saw, and how you would see the behavior we've described.  The
> non-recursers have to be in the same view as the recursers to have
> access to their cache updates.

Yet another reason to use "recursion " inside a view that uses 
"match-clients " rather than adding allow-(recursion|query[-cache]) 
statements in each one, unless you need each of those types set to 
specific values.

-- 
CL 
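
The two layouts compared in this thread, as an added named.conf sketch that is not part of the original message. The ACL name, address ranges, zone names and file paths are constructed placeholders.

```conf
// Constructed example; all names, addresses and paths are placeholders.
acl internal { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
};

// Layout A (the poster's setup): one view per client class.
// Each view is a separate virtual server with its own cache, so
// answers cached for internal clients are never visible to clients
// that land in the external view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };
};

view "external" {
    match-clients { any; };      // evaluated only if "internal" did not match
    recursion no;                // authoritative answers only
    zone "example.com" { type master; file "example.com.zone"; };
};

// Layout B (what the earlier replies assumed): no views, recursion
// blocked selectively. All clients share one cache, so the
// non-recursing clients are in the same view as the recursing ones
// and have access to their cache updates, which is the behaviour
// described in the replies quoted above.
//
// options {
//     directory "/var/named";
//     recursion yes;
//     allow-recursion { internal; };
// };
// zone "." { type hint; file "named.ca"; };
// zone "example.com" { type master; file "example.com.zone"; };
```

Views are matched in the order they appear, so the restrictive match-clients list has to come first. Run named-checkconf on the file before reloading the server.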




More information about the bind-users mailing list