views, recursion, and allow-recursion

Alan Clegg Alan_Clegg at isc.org
Sun Jun 22 22:05:20 UTC 2008


R Dicaire wrote:
> allow-recursion { 192.168.1.0/24; ! 0.0.0.0;};
> 
> acl "internal" {192.168.1.0/24;};
> 
> view "internal" {
> match-clients { internal; };
> recursion yes;
> allow-transfer { internal; ! 0.0.0.0; };
> internal zone defs;
> };
> 
> View "external" {
> match-clients { any; };
> recursion no;
> external zone defs;
> };
> Lookups based on the views acls show me the views configuration seems
> to be working. Local clients can lookup addresses fine, nothing
> appears to be amiss. What exactly does this syslog message mean?

It means that you are mixing access control methods for recursion.

Since your internal ACL matches what you were using in
"allow-recursion", just change the "allow-recursion" in global options
to "recursion no;" and allow the view-based "recursion yes;" (internal)
and "recursion no;" (external) to override it.

Note that !0.0.0.0 ("none") is added to every ACL expansion, so you
don't need it in the example above.

Just for good measure, you may want to change the external match-clients to:

   match-clients { !internal; any; };

AlanC
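
A small check for the situation discussed in this thread, added here as an example and not part of the original post or of BIND: it reads a named.conf text and reports whether a global allow-recursion is combined with per-view recursion statements, then confirms the revised configuration no longer mixes them. The function names, the options{} wrapper around allow-recursion, and the "mixed" heuristic itself are assumptions drawn from the reply's wording.

```python
import re

# Constructed sample: the config quoted in the post, zone definitions omitted.
# Assumption: allow-recursion sits inside options{} ("global options" in the reply).
QUOTED = '''
options { allow-recursion { 192.168.1.0/24; ! 0.0.0.0; }; };
acl "internal" { 192.168.1.0/24; };
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-transfer { internal; ! 0.0.0.0; };
};
View "external" { match-clients { any; }; recursion no; };
'''
# The same config after the two changes suggested in the reply.
REVISED = (QUOTED.replace('allow-recursion { 192.168.1.0/24; ! 0.0.0.0; };', 'recursion no;')
                 .replace('{ any; }', '{ !internal; any; }'))

def statements(tokens):
    """Split tokens into statements, each terminated by a ';' at brace depth 0."""
    out, cur, depth = [], [], 0
    for t in tokens:
        depth += (t == '{') - (t == '}')
        if t == ';' and depth == 0:
            out, cur = out + [cur], []
        else:
            cur.append(t)
    return [s for s in out if s]

def controls(block):
    """Names of the recursion-related statements directly inside a block."""
    inner = block[block.index('{') + 1:-1]
    return [s[0] for s in statements(inner) if s[0] in ('recursion', 'allow-recursion')]

def recursion_controls(conf):
    """Return (controls in options, {view name: controls}) for a named.conf text."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', conf)
    glob, views = [], {}
    for st in statements(tokens):
        if st[0].lower() == 'options':
            glob += controls(st)
        elif st[0].lower() == 'view':   # case-folded: the post writes "View"
            views[st[1].strip('"')] = controls(st)
    return glob, views

def mixed_recursion_controls(conf):
    """Heuristic from the reply, not BIND's check: global allow-recursion plus view recursion."""
    glob, views = recursion_controls(conf)
    return 'allow-recursion' in glob and any('recursion' in v for v in views.values())
```

mixed_recursion_controls(QUOTED) is true and mixed_recursion_controls(REVISED) is false; named-checkconf remains the authority on whether a configuration is valid.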



