recursion

Kevin Darcy kcd at chrysler.com
Wed Mar 10 23:54:43 UTC 2010


On 3/10/2010 4:45 PM, ic.nssip wrote:
> I've got the idea!
> So even if I have no statement "recursion yes", the server is still 
> recursive as long as I don't specify "recursion no;"
> It is going to make no difference if I add "recursion yes;" on 
> options.
No difference.
>
> Is "localnets" a term I really need to use?
It's predefined. Read the ARM.
>
> Currently I'm using an ACL defined for "acl custnets { x.x.x.x; };" 
> and "allow-query { custnets; };"
>
> Should I change the name "custnets" to "localnets"?
If they're numerically the same thing, then it would just be a matter 
of personal preference. If they're different, then it would depend on 
one's implementation requirements whether it's ok to switch one for the 
other. We don't have enough information about your implementation 
requirements to give a definitive answer one way or the other.

Note that both "localnets" and "localhost" can change dynamically, if 
network interfaces are brought up and/or taken down.
> Is my customized name "custnets" going to affect recursion in any way 
> if I use it instead of "localnets"?

If running BIND 9.4.x or higher, "allow-query { custnets; }" will affect 
one's allow-recursion default if "custnets" is (or _becomes_, as a 
result of interfaces being brought up and/or taken down) in any way 
numerically different from "{ localnets; localhost; }".

(Of course, a query that's REFUSED will never get a chance to recurse, 
but one can override a *global* allow-query at the zone level, so it 
still makes sense for allow-recursion to cross-inherit from allow-query)

If all of this is confusing, then I would recommend explicitly setting 
all of them -- allow-query, allow-query-cache, allow-recursion. Then you 
don't need to constantly guess at what is inheriting from where.

                                                                         
                                                 - Kevin
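
The inheritance described in the reply above, as an added example that is not part of the original message and is not BIND code. It assumes recursion is enabled and uses the fallback order documented in the BIND 9 ARM for 9.4 and later; the function names and the ACL contents (documentation address ranges) are constructed for illustration.

```python
# Added example: models the documented BIND 9.4+ fallback order for a server
# with recursion enabled. It does not parse named.conf.
import ipaddress

BUILTIN = ("localnets", "localhost")  # built-in default for the two recursion ACLs

# For each option, the first entry in its chain that is explicitly set wins.
FALLBACK = {
    "allow-query": ["allow-query"],
    "allow-query-cache": ["allow-query-cache", "allow-recursion", "allow-query"],
    "allow-recursion": ["allow-recursion", "allow-query-cache", "allow-query"],
}

def effective_acls(options):
    """Return {option: (acl_names, source)}; source says where the value came from."""
    result = {}
    for opt, chain in FALLBACK.items():
        for candidate in chain:
            if candidate in options:
                source = "explicit" if candidate == opt else "inherited from " + candidate
                result[opt] = (tuple(options[candidate]), source)
                break
        else:  # nothing in the chain was set
            result[opt] = (("any",) if opt == "allow-query" else BUILTIN, "built-in default")
    return result

def may_recurse(client, options, acls):
    """True if client passes both the effective allow-query and allow-recursion."""
    addr = ipaddress.ip_address(client)
    def matches(names):
        nets = [n for name in names for n in acls.get(name, ())]
        return "any" in names or any(addr in ipaddress.ip_network(n) for n in nets)
    eff = effective_acls(options)
    return matches(eff["allow-query"][0]) and matches(eff["allow-recursion"][0])

# Constructed sample ACL contents, not taken from the thread.
ACLS = {
    "custnets": ["192.0.2.0/24"],
    "localnets": ["198.51.100.0/24"],  # stands in for the server's attached networks
    "localhost": ["127.0.0.1/32"],
}
ONLY_ALLOW_QUERY = {"allow-query": ["custnets"]}
EXPLICIT = {"allow-query": ["custnets"], "allow-query-cache": ["custnets"],
            "allow-recursion": ["custnets"]}

if __name__ == "__main__":
    for label, opts in (("allow-query only", ONLY_ALLOW_QUERY), ("all explicit", EXPLICIT)):
        for opt, (acl, source) in effective_acls(opts).items():
            print(f"{label:17} {opt:18} {{ {'; '.join(acl)}; }}  ({source})")
```

With only allow-query set, the report shows the other two ACLs as inherited; with all three set, every line reads "explicit", which is the state the reply recommends.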





More information about the bind-users mailing list