why setting view with recursion option is invalid in BIND 9.5.0-P1

Chris Buxton cbuxton at menandmice.com
Tue Sep 9 04:01:32 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 8, 2008, at 8:11 PM, Kevin Darcy wrote:
> zq wrote:
>> Hi,
>>
>> I have a problem about view {} with recursion option.I want the  
>> server query
>> all the domains in the internal.But it can't.
>> The configuration file as follows:
>> {
>>        /* make named use port 53 for the source of all queries, to  
>> allow
>>         * firewalls to block all ports except 53:
>>         */
>>        query-source    port 53;
>>        query-source-v6 port 53;
>>
>>        // Put files that named is allowed to write in the data/  
>> directory:
>>        directory "/var/named"; // the default
>>        dump-file               "data/cache_dump.db";
>>        statistics-file         "data/named_stats.txt";
>>        memstatistics-file      "data/named_mem_stats.txt";
>>        allow-recursion { any; };
>>        recursive-clients 1500;
>>        recursion true;
>>
>> };
>> logging
>> {
>> /*      If you want to enable debugging, eg. using the 'rndc trace'  
>> command,
>> *      named will try to write the 'named.run' file in the $directory
>> (/var/named).
>> *      By default, SELinux policy does not allow named to modify the
>> /var/named directory,
>> *      so put the default debug log file in data/ :
>> */
>>        channel default_debug {
>>                file "data/named.run";
>>                severity dynamic;
>>        };
>> };
>>
>> view "view_0cnc"
>> {
>> match-clients  { any; };
>> allow-recursion { any; };
>> recursion true;
>> zone "." {
>> type hint;
>> file "named.root";};
>>
>> zone "xxxxxx.com" {
>> type master;
>> file "named.xxxxxx.com";
>> allow-update { 127.0.0.1; };
>> };
>> };
>>
>> I try dig the master zone from the server ,it works fine.And I do  
>> named
>> -unamed -g ,it seems everything works well.Who can tell me the  
>> reason and
>> how can I fix it?
>> Thank you.
>>
>> Gelenbertang
>> DATE
>> 2008.9.9
>>
> First of all, "recursion true" is invalid syntax.

No, it's valid. It is equivalent to "recursion yes" or "recursion 1".

> Secondly, having only 1 view with "any" for match-clients, and no  
> other
> view-selection criteria, is completely useless and pointless. All of  
> the
> clients will get matched to that view, regardless of who/what/where  
> they
> are. You might as well have no views at all.
>
> Are you actually *hosting* any zones to the Internet? If not, then you
> don't really need a view. Just set the appropriate
> allow-query/allow-recursion/allow-query-cache for your clients'  
> address
> ranges, and define whatever internal zones you wish as authoritative.
>
> If you are hosting zones to the Internet, then create a separate view
> for that (call it e.g. "hosting" or "external"), with a "match- 
> clients {
> any; };" and "recursion no", and then place that view *after* the one
> which has a "match-clients" for your clients' address ranges, and  
> which
> they use for resolution.



It would be simpler, if the BIND version in use is 9.4.1-P1 or later,  
to not use views at all. Just use allow-recursion, which also implies  
the behavior of allow-query-cache (assuming the latter is not  
otherwise set), to control access to the cache.

Views should only be used when necessary, and with full understanding  
of their ups and downs.

One other note: The two "query-source{,-v6} port 53" statements should  
be removed. They are dangerous. "allow recursion { any; }" is also  
generally a bad idea.

Chris Buxton
Professional Services
Men & Mice

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjF9RwACgkQ0p/8Jp6Boi2sAgCeKL0pTMHCPjFOSy5l886vl++A
o3gAn0m5Jc3ggFIbj+QW7fhWnodP+4l6
=ivA8
-----END PGP SIGNATURE-----


More information about the bind-users mailing list