do I want/need allow-query-cache for local subnet?
Chris Buxton
cbuxton at menandmice.com
Mon Aug 4 16:20:09 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andrew,
Your ACL has a typo. It should say "127/8", not "127.8".
You do not need an allow-query-cache statement in the internal view.
There's almost never a reason to use that statement, actually. And if
the server is on the 192.168.1/24 subnet, then you also do not need an
allow-recursion statement.
You do not need any allow-query statements. The defaults are:
allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };
However, note that defining one of these may affect the defaults for
others. For example, setting allow-query to be more restrictive than
the defaults for the other two will restrict those two as well.
Setting either allow-recursion or allow-query-cache will usually set
the other to the same value.
Chris Buxton
Professional Services
Men & Mice
On Aug 3, 2008, at 9:15 AM, aklist wrote:
> Hi: I just upgraded from 9.2.3 to 9.5.0-P1. This NS happens to be in
> a colo
> facility, with only 6-7 web and mailservers NAT'd in it's local
> subnet. I
> have a view "internal" for these servers so they can "find" each
> other using
> their 192.168.1/24 addresses.
>
> I have ACLs set up for my local subnet and the "rest of world" as
> follows:
>
> acl "localsubnet" {192.168.1/24; 127.8; };
>
> view "internal" {
> match-clients { "localsubnet"; };
> recursion yes;
> [zones]
> };
> view "external" {
> match-clients {any; };
> recursion no;
> [zones]
> };
>
> do I need to explicitly add an allow-query-cache statement to the
> internal
> view? Does it matter if local clients have access to the cache?
> There's only
> a 6-7 servers, but they may request RRs with some frequency.
>
> Do I need any allow-query statements or can I just let BIND default
> to what
> it wants to do?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkiXLDkACgkQ0p/8Jp6Boi2YEwCgmGBvOsSsB2d3bLKGRMVmKLBw
bv4AoLQ7T2Ss42Ymn/2MY/v5LtdGpw+7
=n1Kd
-----END PGP SIGNATURE-----
More information about the bind-users
mailing list