How to allow recursion on my own (cross) domains only after upgrade to 9.16.27 (lack of additional-from-auth option) ?

Mark Andrews marka at isc.org
Mon Apr 18 08:08:45 UTC 2022 

Unless you are pointing recursive clients directly at your authoritative servers there is no need. The recursive servers will lookup the CNAME target themselves. Additionally recursive servers just process the CNAME and ignore the rest of the response to prevent cache poisoning if there is more there. 

-- 
Mark Andrews

> On 18 Apr 2022, at 17:57, Thomas Martin <tmartincpp at gmail.com> wrote:
> 
> Hello,
> 
> I recently upgraded from Debian Buster to Debian Bullseye and I'm
> having a hard time having the same behavior as before with the new
> bind9 version.
> 
> Here is my setup :
> - I have two DNS domain (domain A.com and domain Z.com) for which my
> server is authoritative (as a slave in this case),
> - A few of my DNS records on domain Z are CNAME to domain A.
> 
> My server configuration looks like this :
> zone "A.com" {
>    type slave;
>    file "A";
>    masters { a.b.c.d; };
> };
> zone "Z.com" {
>    type slave;
>    file "Z";
>    masters { a.b.c.d; };
> };
> 
> I don't want my server to be recursive but I would like him to answer
> the full CNAME and A like in 9.11.5 (thanks to additional-from-auth
> AFAIK) :
>> $ host www.Z.com 1.2.3.4
>> www.Z.com is an alias for www.A.com.
>> www.A.com has address 10.10.10.1
> 
> Now, with 9.16.27 my answer is only returning the CNAME record, not
> the A record despite being authoritative for both domains :
>> $ host www.Z.com 1.2.3.4
>> www.Z.com is an alias for www.A.com.
> 
> Is there any chance I can have the same behavior as before ?
> if I enable recursion it works of course, but I don't want my server
> to be a public resolver.
> I tried to play with the "minimal-responses" option with no luck.
> 
> 
> Thanks.
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list