do I want/need allow-query-cache for local subnet?

Chris Buxton cbuxton at menandmice.com
Mon Aug 4 16:20:09 UTC 2008


Andrew,

Your ACL has a typo. It should say "127/8", not "127.8".

You do not need an allow-query-cache statement in the internal view.
There's almost never a reason to use that statement, actually. And if
the server is on the 192.168.1/24 subnet, then you also do not need an
allow-recursion statement.

You do not need any allow-query statements. The defaults are:

allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

However, note that defining one of these may affect the defaults for
others. For example, setting allow-query to be more restrictive than
the defaults for the other two will restrict those two as well.
Setting either allow-recursion or allow-query-cache will usually set
the other to the same value.

Chris Buxton
Professional Services
Men & Mice

On Aug 3, 2008, at 9:15 AM, aklist wrote:

> Hi: I just upgraded from 9.2.3 to 9.5.0-P1. This NS happens to be in a colo
> facility, with only 6-7 web and mailservers NAT'd in its local subnet. I
> have a view "internal" for these servers so they can "find" each other using
> their 192.168.1/24 addresses.
>
> I have ACLs set up for my local subnet and the "rest of world" as follows:
>
>    acl "localsubnet" {192.168.1/24; 127.8; };
>
>    view "internal" {
>       match-clients { "localsubnet"; };
>       recursion yes;
>       [zones]
>    };
>    view "external" {
>       match-clients {any; };
>       recursion no;
>       [zones]
>    };
>
> Do I need to explicitly add an allow-query-cache statement to the internal
> view? Does it matter if local clients have access to the cache? There's only
> 6-7 servers, but they may request RRs with some frequency.
>
> Do I need any allow-query statements or can I just let BIND default to what
> it wants to do?
>
>
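The ACL typo Chris points out ("127.8" where "127/8" was meant) is easy to miss by eye. The following is an added example, not code from the thread or from BIND: a small checker that parses one named.conf `acl` statement, expands BIND's abbreviated IPv4 prefixes to full CIDR form, and reports elements that are not valid. It assumes IPv4 elements, the built-in ACL names, optional `!` negation, and no references to other named ACLs.

```python
# Added example: lint the address_match_list of a named.conf "acl" statement.
# Assumptions: IPv4 only, one acl statement per call, no nested ACL names.
import ipaddress
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def normalize_prefix(token):
    """Return full CIDR for a BIND-style IPv4 element, or raise ValueError.
    "127/8" -> "127.0.0.0/8", "192.168.1/24" -> "192.168.1.0/24",
    "10.0.0.1" -> "10.0.0.1/32"."""
    addr, slash, plen = token.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed IPv4 element {token!r}")
    if not slash and len(octets) < 4:
        # Fewer than four octets and no prefix length: almost certainly a
        # prefix written with '.' instead of '/' (e.g. "127.8" for "127/8").
        raise ValueError(f"{token!r} has fewer than four octets but no "
                         "'/len'; abbreviated prefixes need '/', e.g. 127/8")
    octets += ["0"] * (4 - len(octets))          # BIND pads "192.168.1" -> .0
    net = ".".join(octets) + "/" + (plen if slash else "32")
    # strict=False tolerates host bits set in the address part, as BIND does.
    return str(ipaddress.ip_network(net, strict=False))

def check_acl(statement):
    """Parse `acl "name" { elem; ...; };` -> (name, normalized_elems, problems)."""
    m = re.match(r'\s*acl\s+"?([\w-]+)"?\s*\{(.*)\}\s*;\s*$', statement, re.S)
    if not m:
        raise ValueError("not an acl statement")
    name, body = m.group(1), m.group(2)
    elems, problems = [], []
    for raw in body.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        neg = "!" if tok.startswith("!") else ""     # keep negation marker
        tok = tok.lstrip("! ").strip('"')
        if tok in BUILTIN_ACLS:
            elems.append(neg + tok)
            continue
        try:
            elems.append(neg + normalize_prefix(tok))
        except ValueError as err:
            problems.append(str(err))
    return name, elems, problems

if __name__ == "__main__":
    # Constructed input: the acl line exactly as posted in the question.
    print(check_acl('acl "localsubnet" {192.168.1/24; 127.8; };'))
```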