Allowing recursion for just specific zones

Brian Candler B.Candler at pobox.com
Mon May 10 12:35:57 UTC 2010


Hello,

I am trying to configure a bind9 view to allow recursion just for certain
domains. (This is bind-9.2.4-16.EL4 under RHEL4).

In fact, it doesn't even have to be real recursion, just forwarding to an
upstream recursive nameserver.  The point is that the clients are only
authorised to look up names under a handful of domains, and the rest should
be denied.

However, the various attempts I've tried have failed so far. As far as I can
tell:

1. "recursion no" can only be set at the top (view) level, not overridden
   at the zone level.

2. If I set "recursion no" at the view level, then a "type forward"
   zone has no effect:

  view "foo" {
    recursion no;
    ...
    zone "example.com" {
      type forward;
      forward only;
      forwarders {192.0.2.1;};
    };
  };

-- query for foo.example.com returns only referral to root servers
   (i.e. it is not forwarded)

3. If I make the view authoritative for the root zone, then a "type forward"
   zone also has no effect:

  view "foo" {
    recursion yes;
    ...
    zone "." {
      type master;
      file "named.zero";   // just SOA
      allow-update {none;};
    };
    zone "example.com" {
      type forward;
      forward only;
      forwarders {192.0.2.1;};
    };
  };

-- query for foo.example.com gives NXDOMAIN and the root SOA

4. Setting forwarders to an empty list at the top level doesn't prevent
forwarding, it just falls back to normal recursive lookup instead.

  view "foo" {
    recursion yes;
    forward only;
    forwarders {};
    ...
    zone "example.com" {
      type forward;
      forward only;
      forwarders {192.0.2.1;};
    };
  };

-- queries for bar.example.com are forwarded as expected
-- queries for baz.anythingelse.com are looked up recursively, which
   is what I'm trying to prevent :-(

5. I don't have AXFR access to the upstream zones, so making the server
a slave for these zones is not an option.

At the moment the best I can do is to forward to a non-existent IP in the
top level, which makes unauthorised queries time out - clearly not ideal.

Anyone have any better suggestions?

Many thanks,

Brian.