query cache and BIND 9.4.1-P1

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Fri Jul 27 19:22:37 UTC 2007


On a test server currently running bind 9.4.1 with nothing more than the
following in the named.conf options, I am able to provide recursive
nameserver functionality:

options {
        directory "/var/named";
        allow-transfer { 10.241.0.0/24; 10.245.11.0/24; };
        listen-on { 10.241.0.77; 127.0.0.1; };
        query-source address * port 53;
        allow-notify { 10.241.0.10; };
        notify no;
};

It seems that allow-recursion was still enabled globally in 9.4.(0/1) by
default until the P1 release.
I realize that we're basically saying the same thing - explicitly allow
recursion, or explicitly allow queries. However, the point is that with
this release, admins may well have to make a change to named.conf in
order to continue providing a recursive nameserver.

Jeff Reasoner
On Fri, 2007-07-27 at 14:34, Chris Buxton wrote:
> Starting in 9.4, the following have become the defaults:
> 
> allow-query-cache { localhost; localnets; };
> allow-recursion { localhost; localnets; };
> 
> Note that, starting in the most recent version, these two are linked  
> by default - you can set one, and if you don't set the other, the  
> other will be set to match. So all you need to do is:
> 
> allow-recursion { trusted-nets; };
> 
> This assumes you have defined a list of trusted networks as an ACL.  
> Otherwise, replace "trusted-nets" with the actual subnet(s) you  
> intend to allow recursion for.
> 
> Chris Buxton
> Men & Mice
> 
> On Jul 27, 2007, at 11:14 AM, Barry Finkel wrote:
> 
> > I was running BIND 9.3.4, and this morning on two of our four servers
> > I upgraded to BIND 9.4.1-P1.  On one internal DNS server I see in the
> > syslog:
> >
> >      Jul 27 10:25:05 dns1 named[12597]: [ID 873579 daemon.info]
> >        client 146.139.76.39#1825: query (cache) 'www.msn.com/A/IN'  
> > denied
> >
> > I see in the 9.4.1-P1 README file:
> >
> >         New option "allow-query-cache".  This lets allow-query be
> >         used to specify the default zone access level rather than
> >         having to have every zone override the global value.
> >         allow-query-cache can be set at both the options and view
> >         levels.  If allow-query-cache is not set allow-query applies.
> >
> > Would I need to make any configuration changes to allow my internal
> > clients access to the 9.4.1-P1 DNS cache?  The README text above
> > seems to imply that I would not have to make any changes.  I have no
> >
> >      allow-query
> >
> > statements in the BIND 9.3.4 configuration file.
> > ----------------------------------------------------------------------
> > Barry S. Finkel
> > Computing and Information Systems Division
> > Argonne National Laboratory          Phone:    +1 (630) 252-7277
> > 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> > Building 222, Room D209              Internet: BSFinkel at anl.gov
> > Argonne, IL   60439-4828             IBMMAIL:  I1004994
> >
> >
> 
> 
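As an added example (not configuration posted by anyone in this thread), here is Jeff's options block reworked so that recursion and cache access are both granted explicitly, the change Chris describes; the ACL membership is an assumption built from subnets already mentioned in the thread, so substitute your own client ranges.

```conf
// Added example, not from any message in this thread: named.conf for
// 9.4.1-P1, where allow-recursion and allow-query-cache default to
// localhost/localnets unless set explicitly.
// ACL contents are assumed for illustration.
acl "trusted-nets" {
        127.0.0.1;
        10.241.0.0/24;      // assumed internal client range
        10.245.11.0/24;     // assumed internal client range
};

options {
        directory "/var/named";
        listen-on { 10.241.0.77; 127.0.0.1; };
        query-source address * port 53;
        allow-transfer { 10.241.0.0/24; 10.245.11.0/24; };
        allow-notify { 10.241.0.10; };
        notify no;

        // Who may ask this server to recurse on their behalf.
        allow-recursion { trusted-nets; };

        // Who may read answers already in the cache. 9.4.1-P1 derives this
        // from allow-recursion when only one of the two is set; stating
        // both avoids depending on that linkage, and keeps the cache closed
        // to the Internet even though allow-query below is open.
        allow-query-cache { trusted-nets; };

        // Access to authoritative zone data can stay open; with
        // allow-query-cache set explicitly this no longer governs the cache.
        allow-query { any; };
};
```

A denied cache lookup from outside the ACL still logs as "query (cache) ... denied", exactly the message Barry saw, which is the expected result for untrusted sources.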


