BIND slow to start without localhost name resolution

Mark Andrews Mark_Andrews at isc.org
Thu Mar 27 22:03:11 UTC 2008


> I have a CentOS3 server running BIND 9.4.2 acting as an authoritative name
> server for a domain. It was also performing recursive lookups for other
> machines in the same subnet, but this is no longer desirable as I was
> informed that external machines can still use its name cache even if
> they're not on the allow-recursion ACL (they just can't initiate new
> name lookups) so long as recursive lookups are allowed for more machines
> than none, and as this machine is not exactly a resource beast I would
> rather disable recursive lookups.

	I suspect you are misinformed.  Allow-query-cache and
	allow-recursion cross inherit from each other.

	If you have an older version of named you can still achieve
	the desired behaviour by setting allow-query at the
	options/view level to the value of the allow-recursion acl
	and then set allow-query acl to "any;" in all of the zones.

	Allow-query-cache was introduced in BIND 9.4 to make this
	easier.

	So either you are not running the version you say you are
	or you have also set allow-query-cache to allow non-recursors
	to access the cache.
 
	Mark

> Problem is, once all this is done I then remove 0.0.0.0 from the
> resolv.conf file and now when the BIND daemon starts rather than being
> almost instant it can sit from 5-15 minutes before firing up.
> 
> Should I be setting allow-recursion { none; }; and then leaving 0.0.0.0
> in the resolv.conf file? If so, why does BIND require this for a speedy
> start-up? As the machine never needs to resolve names within its own
> domain, I'd like it to bypass itself.
> 
> Paul Cocker
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
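
The two ways of restricting cache access described in the reply above, sketched as a named.conf fragment. This is an added example, not part of the original message and not ISC's own configuration; the ACL name `trusted`, the network 192.0.2.0/24, the zone name `example.com` and its file name are placeholders.

```conf
// Constructed example: ACL name, network, zone and file name are placeholders.
acl "trusted" { localhost; 192.0.2.0/24; };

// BIND 9.4 and later: access to cached answers has its own ACL.
options {
    allow-recursion   { trusted; };
    // May be omitted: when unset it inherits from allow-recursion,
    // so clients outside "trusted" cannot read the cache either.
    allow-query-cache { trusted; };
};

// Older named, as described in the reply: restrict allow-query at the
// options/view level to the recursion ACL, then reopen it per zone.
// Use this in place of the options block above.
//
// options {
//     allow-recursion { trusted; };
//     allow-query     { trusted; };
// };

// To switch recursion off entirely, as the original poster proposes,
// replace "trusted" in allow-recursion with "none".

zone "example.com" {
    type master;
    file "example.com.zone";
    // Authoritative data stays answerable by everyone.
    allow-query { any; };
};
```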

