why setting view with recursion option is invalid in BIND 9.5.0-P1

Kevin Darcy kcd at chrysler.com
Tue Sep 9 03:11:51 UTC 2008


zq wrote:
> Hi,
>  
> I have a problem about view {} with recursion option. I want the server query
> all the domains in the internal. But it can't.
> The configuration file as follows:
> {
>         /* make named use port 53 for the source of all queries, to allow
>          * firewalls to block all ports except 53:
>          */
>         query-source    port 53;
>         query-source-v6 port 53;
>  
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         allow-recursion { any; };
>         recursive-clients 1500;
>         recursion true;
>  
> };
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>  *      named will try to write the 'named.run' file in the $directory
> (/var/named).
>  *      By default, SELinux policy does not allow named to modify the
> /var/named directory,
>  *      so put the default debug log file in data/ :
>  */
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
>
> view "view_0cnc"
> {
> match-clients  { any; };
> allow-recursion { any; };
> recursion true;
> zone "." {
> type hint;
> file "named.root";};
>  
> zone "xxxxxx.com" {
> type master;
> file "named.xxxxxx.com";
> allow-update { 127.0.0.1; };
> };
> };
>
> I try dig the master zone from the server, it works fine. And I do named
> -unamed -g, it seems everything works well. Who can tell me the reason and
> how can I fix it?
> Thank you.
>  
> Gelenbertang
> DATE
> 2008.9.9
>   
First of all, "recursion true" is invalid syntax.

Secondly, having only 1 view with "any" for match-clients, and no other 
view-selection criteria, is completely useless and pointless. All of the 
clients will get matched to that view, regardless of who/what/where they 
are. You might as well have no views at all.

Are you actually *hosting* any zones to the Internet? If not, then you 
don't really need a view. Just set the appropriate 
allow-query/allow-recursion/allow-query-cache for your clients' address 
ranges, and define whatever internal zones you wish as authoritative.

If you are hosting zones to the Internet, then create a separate view 
for that (call it e.g. "hosting" or "external"), with a "match-clients { 
any; };" and "recursion no", and then place that view *after* the one 
which has a "match-clients" for your clients' address ranges, and which 
they use for resolution.

                     - Kevin
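A named.conf layout following the advice above, as an added example that is neither the original poster's configuration nor Kevin's own: the internal view comes first and is allowed to recurse, and an "external" view with "match-clients { any; }" and "recursion no" catches everyone else. The address ranges 192.0.2.0/24 and 2001:db8::/32 are assumed placeholders; the zone name is taken from the original post.

```conf
// Added example (not the original poster's or Kevin's config).
// Views are matched in the order written, so the narrowly matched
// internal view must come before the catch-all external view.
options {
        directory "/var/named";
        // Keep the global default closed; recursion is enabled only
        // inside the view that internal clients match.
        recursion no;
};

acl "internal_clients" {
        127.0.0.1;
        192.0.2.0/24;          // assumed internal IPv4 range
        2001:db8::/32;         // assumed internal IPv6 range
};

// Internal clients land here and get full resolution.
view "internal" {
        match-clients     { internal_clients; };
        recursion         yes;   // valid syntax; "recursion true" is not
        allow-recursion   { internal_clients; };
        allow-query-cache { internal_clients; };

        zone "." {
                type hint;
                file "named.root";
        };

        zone "xxxxxx.com" {
                type master;
                file "named.xxxxxx.com";
        };
};

// Everyone else falls through to this view: authoritative answers for
// the hosted zone only, no recursion and no cache access, so the server
// is not usable as an open resolver from the Internet.
view "external" {
        match-clients     { any; };
        recursion         no;
        allow-query-cache { none; };

        zone "xxxxxx.com" {
                type master;
                file "named.xxxxxx.com";
        };
};
```

Check the result with `named-checkconf` before reloading; a query from an address outside the ACL for a name not in xxxxxx.com should then be refused rather than resolved.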
