allow-recursion stuff

Mipam mipam at ux11.ltcm.net
Wed Jun 7 23:10:08 UTC 2006


On Thu, 8 Jun 2006, Mark Andrews wrote:

> 
> > Hi All,
> > 
> > The allow-recursion { trusted; }; is very nice.
> > However, isn't it true that when you haven't also got
> > allow-query { trusted; }; there is still an issue with just
> > allow-recursion? For example, suppose that somebody within the trusted range
> > did a query on yahoo.com; it'll be cached. Suppose that allow-query isn't set
> > and an external client does a query on yahoo.com; he'll get a response because
> > the answer is still in the cache. Meaning that external clients can query
> > the specified domains which are defined in named.conf but also what is in
> > cache? I guess this issue will be addressed in bind 9.4.0 with
> > "allow-query-cache"?
> 
> 	You can achieve the same effect in earlier versions.  You just have
> 	allow-query { any; }; in every zone.

Ok, but I was trying to say that allow-recursion isn't enough to restrict
recursion when you haven't also got allow-query specified in versions
below 9.4.0, because of the entries in cache that can still be viewed by
external non-trusted clients, so recursion can still be done for entries
present in cache. So I guess in bind 9.4.0 allow-recursion +
allow-query-cache can remedy this issue, although I'd also specify
allow-query in the options section as well, because then even without
allow-query-cache there is no issue.
Point is that I don't see this issue described anywhere and that I am
surprised by it and wondered why? Or maybe I am wrong in this
assertion?
Bye,

Mipam.
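Added illustration of the three named.conf variants discussed in this thread (not configuration from the thread itself or from ISC): the weak form the poster describes, the pre-9.4 workaround from the reply, and the 9.4 allow-query-cache form. The trusted range (192.0.2.0/24), the zone name and the file paths are assumed placeholders.

```conf
// Added example, not from the original thread.
// 192.0.2.0/24 is an assumed trusted range; zone name and paths are placeholders.
// A named.conf has exactly one options block; the three below are alternatives.

acl "trusted" { 192.0.2.0/24; localhost; };

// --- Variant 1: the weak setup the poster describes (BIND before 9.4) ---
// Recursion is limited to "trusted", but allow-query is left at its default
// of { any; }, which also governs cache reads. An outside client can therefore
// still read answers that a trusted client's earlier recursive query cached.
options {
    directory "/var/named";          // placeholder
    allow-recursion { trusted; };
};

// --- Variant 2: hardened form for BIND before 9.4 (the reply's suggestion) ---
// Restrict allow-query globally so cache contents are no longer readable by
// outside clients, then re-open allow-query { any; } in every zone that must
// stay publicly answerable. Zone-level allow-query overrides the global one.
options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-query { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";         // placeholder
    allow-query { any; };            // authoritative data stays public
};

// --- Variant 3: BIND 9.4 and later ---
// allow-query-cache controls cache access on its own, so allow-query can stay
// open for authoritative data while the cache is limited to the trusted range.
options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-query { any; };
    allow-query-cache { trusted; };
};
```

A quick check for the pre-9.4 case is to run a non-recursive lookup (for example with dig +norecurse) for a name a trusted client recently resolved, from an address outside the trusted range: with variant 1 it returns the cached answer, with variant 2 it is refused while zone data under example.com still answers.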
