Recursion within authoritative zone

Kevin Darcy kcd at daimlerchrysler.com
Fri Dec 20 18:50:02 UTC 2002


Do, Ho cao (NIH/CIT) wrote:

>NS.domainA.com (BIND 9.2.1) is an authoritative server for the domainA.com. 
>NS.domainA.com's configuration file does not allow recursive query by
>implementing the ACL list: "allow-recursion {recursive-list;};".
>
>Everything successfully performs as expected.
>Then the admin from domainB.com would like NS.domainA.com hosting
>domainB.com as a secondary name-server for domainB.com.  Unfortunately, the
>domainB.com zone also has a sub1.domainB.com which was delegated to
>NS.sub1.domainB.com.
>
>When the internet users query host1.sub1.domainB.com in name-server
>NS.domainA.com, NS.domainA.com refuses to answer because it is not
>authoritative for any host in the sub domain (sub1.domainB.com).
>
>The question is:
>
>1-Is there any option that can turn on recursive query for a specific
>sub-domain?  Realize that in this particular situation, the secondary server
>is authoritative for the domain not for the sub-domain.
>For Example:
>in the zone file on the primary name-server of domainB.com state that:
>	domainB.com. IN NS NS.domainA.com.
>	...
>	sub1.domainB.com. IN NS NS.sub1.domainB.com.
>	NS.sub1.domainB.com. IN A 123.231.123.231 (this is a fake IP)
>
>Therefore, even though NS.domainA.com is authoritative for domainB.com,
>it does not have a record for host1.sub1.domainB.com.  In order to answer
>the query for host1.sub1.domainB.com, NS.domainA.com has to do a recursive
>query, which NS.domainA.com has been instructed not to do.
>
Who or what is going to be querying the nameserver? If other nameservers 
are going to be querying the nameserver because they have followed the 
domainB.com delegation, then those queries are going to be 
non-recursive, so turning on recursion won't help you anyway.

If you _really_ want to do this, you might have to abandon 
recursion-based access control, and instead open up recursion completely 
and control access via "allow-query" instead. Unlike "allow-recursion", 
"allow-query" can be set on a zone level.

Of course, the more straightforward solution is just to make yourself a 
slave for the subzone. Are they denying zone transfers to the 
nameservers of their own parent zone? Sounds like a dysfunctional family 
to me... :-)

                                                                        
                                                - Kevin
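
Added example (not part of the original message, and not the poster's actual configuration): a named.conf sketch for NS.domainA.com of the "slave for the subzone" option, which leaves the "allow-recursion" restriction in place. The ACL contents, the domainB.com master address, the directory and the file names are constructed placeholders; it assumes 123.231.123.231 is the sub1.domainB.com primary and that it permits zone transfers to NS.domainA.com.

```conf
// Constructed example for NS.domainA.com (BIND 9 named.conf syntax).

acl recursive-list {
    127.0.0.1;
    192.0.2.0/24;            // placeholder: local clients allowed to recurse
};

options {
    directory "/var/named";                 // assumed path
    allow-recursion { recursive-list; };    // unchanged: recursion stays restricted
};

// Existing secondary service for the parent zone.
zone "domainB.com" {
    type slave;
    masters { 198.51.100.1; };              // placeholder: domainB.com primary
    file "slave/domainB.com.db";
};

// Added: secondary copy of the delegated child zone. With this zone loaded,
// host1.sub1.domainB.com is answered from local authoritative data, so no
// recursion is needed for any client.
zone "sub1.domainB.com" {
    type slave;
    masters { 123.231.123.231; };           // NS.sub1.domainB.com (fake IP from the post)
    file "slave/sub1.domainB.com.db";
};
```

The sub1.domainB.com primary has to accept transfer requests from NS.domainA.com's address for the second zone to load.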




