Private Zones and Delegation bind9.7.2

Martin McCormick martin at dc.cis.okstate.edu
Mon Dec 6 17:30:22 UTC 2010


Barry Margolin writes:

> Do you have recursion enabled on your server?

	A good question. I have never explicitly disabled it and
it appears to be on.

	We have an allow-query list based on ACLs so that
callers from inside our networks get both recursive and
nonrecursive lookups. Spammer1.somewhereelse.com looking up
poorsucker.hooville.org gets nothing but can still spam us since
all our zones allow anyone to do lookups against their zone
data. The problem is that lookups to this private zone are
still coming from the networks that should allow full
functionality. The config for this private zone is:

zone "r.ds" {
	type master;
	file "/etc/namedb/master/r.ds.zone";
	allow-update {
		key updsrv;
	};
	allow-query { any; };
	# a list of slaves
	include "/etc/zoneconfigs/stwnotify";
	notify yes;
};

	In the global named.conf file, I do not set any
directives regarding recursion. The characters "recur" do not
even appear in the file so I always assumed recursion was turned
on. Status checks on a busy day usually show 50 to 100 recursive
clients active at any given time but I think you may have
possibly hit on what is biting me.

Martin
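For readers following the recursion question above, here is an added named.conf fragment (it is not the original poster's configuration) showing recursion and query policy stated explicitly rather than left to BIND's defaults. The ACL name "internal", the address ranges, the directory and the zone "example.org" are assumptions made for the example; only the "r.ds" zone name comes from the post.

```conf
// Added illustrative fragment, not the poster's named.conf.
// ACL name and address ranges are constructed for the example.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;      // constructed example range
    2001:db8::/32;     // constructed example range
};

options {
    directory "/etc/namedb";   // assumed
    // Say what recursion policy is wanted instead of relying on defaults:
    // recursion stays on, but only internal clients may use it or read
    // the cache. Everyone else gets authoritative answers only.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    // Global query policy. A zone-level allow-query overrides this
    // for that zone only.
    allow-query { internal; };
};

// Public authoritative zone: anyone may query it because the
// zone-level allow-query overrides the global one.
zone "example.org" {
    type master;
    file "/etc/namedb/master/example.org.zone";
    allow-query { any; };
};

// Private zone: if it should only be reachable from inside, restrict
// it here; with "any" (as in the post) outsiders can query its data.
zone "r.ds" {
    type master;
    file "/etc/namedb/master/r.ds.zone";
    allow-query { internal; };
};
```

After editing, run named-checkconf to catch syntax errors before reloading, and use rndc status to confirm the recursive-client counter behaves as expected once the policy is explicit.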


