do I want/need allow-query-cache for local subnet?

aklist aklist_bind at enigmedia.com
Tue Aug 5 00:28:51 UTC 2008


On Mon, 4 Aug 2008 09:20:09 -0700 Chris Buxton <cbuxton at menandmice.com> wrote

> Andrew,
> 
> Your ACL has a typo. It should say "127/8", not "127.8".

Thanks...that's a transcription typo :)

Thanks for the clarification of the rest as well.
> 
> You do not need an allow-query-cache statement in the internal view.
> There's almost never a reason to use that statement, actually. And if
> the server is on the 192.168.1/24 subnet, then you also do not need an
> allow-recursion statement.
> 
> You do not need any allow-query statements. The defaults are:
> 
> allow-query { any; };
> allow-query-cache { localhost; localnets; };
> allow-recursion { localhost; localnets; };
> 
> However, note that defining one of these may affect the defaults for
> others. For example, setting allow-query to be more restrictive than
> the defaults for the other two will restrict those two as well.
> Setting either allow-recursion or allow-query-cache will usually set
> the other to the same value.
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
> On Aug 3, 2008, at 9:15 AM, aklist wrote:
> 
> > Hi: I just upgraded from 9.2.3 to 9.5.0-P1. This NS happens to be in a colo
> > facility, with only 6-7 web and mailservers NAT'd in its local subnet. I
> > have a view "internal" for these servers so they can "find" each other
> > using their 192.168.1/24 addresses.
> >
> > I have ACLs set up for my local subnet and the "rest of world" as follows:
> >
> >    acl "localsubnet" { 192.168.1/24; 127.8; };
> >
> >    view "internal" {
> >       match-clients { "localsubnet"; };
> >       recursion yes;
> >       [zones]
> >    };
> >    view "external" {
> >       match-clients { any; };
> >       recursion no;
> >       [zones]
> >    };
> >
> > Do I need to explicitly add an allow-query-cache statement to the internal
> > view? Does it matter if local clients have access to the cache? There are
> > only 6-7 servers, but they may request RRs with some frequency.
> >
> > Do I need any allow-query statements or can I just let BIND default to
> > what it wants to do?
> >
> >
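An added Python model of the two points in the reply above (it is not code from the thread or from BIND): how the ACL entries resolve and why "127.8" is rejected where "127/8" works, and how an unset allow-query-cache or allow-recursion is filled in from its sibling, from allow-query, or from the localhost/localnets default as Chris describes. The localnets value is an assumption standing in for the server's own interface subnet.

```python
import ipaddress

# Constructed model of the ACL and default rules discussed in the thread, not BIND's code.
# "localnets" is assumed to be the server's own 192.168.1/24 interface subnet.
BUILTIN = {"any": ["0.0.0.0/0"], "none": [], "localhost": ["127.0.0.0/8"],
           "localnets": ["192.168.1.0/24"]}

def to_network(entry):
    """BIND accepts shortened prefixes like 127/8 or 192.168.1/24; pad them for ipaddress.
    A dotted value without a slash, such as the typo 127.8, is not a network and raises."""
    addr, sep, plen = entry.partition("/")
    octets = addr.split(".")
    if sep and len(octets) < 4 and all(o.isdigit() for o in octets):
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + sep + plen, strict=False)

def expand(entries, acls):
    """Resolve named ACLs, builtins and literal prefixes to a flat list of networks."""
    nets = []
    for entry in entries:
        if entry in acls:
            nets += expand(acls[entry], acls)
        elif entry in BUILTIN:
            nets += expand(BUILTIN[entry], acls)
        else:
            nets.append(to_network(entry))
    return nets

def acl_is_valid(entries, acls=None):
    """True if every entry parses; the 127.8 transcription typo makes this False."""
    try:
        expand(entries, acls or {})
        return True
    except ValueError:
        return False

def allowed(client_ip, entries, acls):
    """Does client_ip match the ACL list (e.g. a view's match-clients)?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in expand(entries, acls))

def effective(view):
    """Return (allow-query, allow-query-cache, allow-recursion) for a view, filling in
    unset options the way the reply describes: allow-query defaults to any; each of the
    other two copies its sibling if set, else allow-query if set, else localhost+localnets."""
    query = view.get("allow-query", ["any"])
    fallback = view["allow-query"] if "allow-query" in view else ["localhost", "localnets"]
    cache = view.get("allow-query-cache", view.get("allow-recursion", fallback))
    recursion = view.get("allow-recursion", view.get("allow-query-cache", fallback))
    return query, cache, recursion

if __name__ == "__main__":
    acls = {"localsubnet": ["192.168.1/24", "127/8"]}   # the corrected ACL from the thread
    print(allowed("192.168.1.10", ["localsubnet"], acls), acl_is_valid(["127.8"]))
```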