questions on bind cache with views

Cathy Almond cathya at isc.org
Thu Dec 17 14:16:55 UTC 2009


Young H. wrote:
> On Thu, Dec 17, 2009 at 6:59 PM, Mark Andrews <marka at isc.org> wrote:
>> In message <35686be10912170139j3d89c414n1da84870b47c9dba at mail.gmail.com>, "Young H." writes:
>>> Hello,
>>>
>>> I have configured bind-9.6.1 with multi-views and "recursion yes".
>>> But I found bind always denies the query to its cache; the log shows:
>>>
>>> Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412:
>>> view tel: query: www.126.com IN A +
>>> Dec 17 17:30:42 localhost named[15603]: client 113.96.221.24#54412:
>>> view tel: query (cache) 'www.126.com/A/IN' denied
>> You need to look at your acl settings.  Named defaults to allowing
>> local machines to recurse.
>>
>> allow-query-cache
>>        Specifies which hosts are allowed to get answers from the
>>        cache. If allow-query-cache is not set then allow-recursion
>>        is used if set, otherwise allow-query is used if set unless
>>        recursion no; is set in which case none; is used, otherwise
>>        the default (localnets; localhost;) is used.
>>
> 
> Thanks to all.
> My English is not good enough to understand the statement above.
> Does it mean I have to set both allow-query-cache and allow-recursion,
> or either of them?
> Thanks again.

There are three configuration settings that are relevant to what you're
trying to do.

allow-query - this controls who is allowed to query the nameserver at
all.  The default if undefined is to allow any.

allow-recursion - this controls who is allowed to make recursive queries
of your nameserver.  Usually you don't want everyone to be able to do
this which is why the default behaviour is restrictive.

allow-query-cache - this one is subtle - it controls who is allowed to
be given answers from cached data.  That's not quite the same as
allow-recursion because if the answer is not available in cache the
nameserver won't go out to find it.

Both allow-recursion and allow-query-cache default to each other (if one
is specified but not the other).

If neither is specified, but allow-query IS defined (in other words it
doesn't just default), then they both use what is set in allow-query.

If nothing at all is defined, then (with recursion yes;) they both
default to { localhost; localnets; };

Therefore to make recursion work for you, you need to configure one of
allow-recursion and allow-query-cache.

If you want to make a difference between access to cache and to
recursion, then you need to configure both allow-query-cache and
allow-recursion.

Currently with none of them specified at all you are getting this:

allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

The behaviour of all of these settings is described in the Administrator
Reference Manual (ARM) which is distributed with BIND and is also
available on the ISC website:

https://www.isc.org/software/bind/documentation
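
The fallback rules described in this reply, modelled in Python as an added example (not part of the original message and not BIND's own code). It assumes "recursion yes;", a single configuration scope and a simplified ACL matcher; the server addresses and the client /24 are constructed, while the client IP is the one in the quoted log.

```python
import ipaddress

BUILTIN = ["localhost", "localnets"]      # default when nothing relevant is set
SERVER_ADDRS = ["127.0.0.1", "192.0.2.53"]       # constructed: server's own IPs
SERVER_NETS = ["127.0.0.0/8", "192.0.2.0/24"]    # constructed: attached networks

def effective_acls(configured):
    """Resolve the three ACLs from the statements explicitly present,
    using the fallback order from the thread (assumes 'recursion yes;')."""
    def first_set(*values):
        return next((v for v in values if v is not None), BUILTIN)
    query = configured.get("allow-query")
    cache = configured.get("allow-query-cache")
    recursion = configured.get("allow-recursion")
    return {
        "allow-query": query if query is not None else ["any"],
        # cache and recursion borrow from each other, then from an explicit
        # allow-query, and only then fall back to the built-in default
        "allow-query-cache": first_set(cache, recursion, query),
        "allow-recursion": first_set(recursion, cache, query),
    }

def permits(acl, client, server_addrs, server_nets):
    """Simplified first-match check: any, none, localhost, localnets, CIDR.
    Negation and named ACLs are not modelled."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        if element == "any":
            return True
        if element == "none":
            return False
        nets = {"localhost": server_addrs,
                "localnets": server_nets}.get(element, [element])
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return True
    return False

def audit(configured, client, server_addrs=SERVER_ADDRS, server_nets=SERVER_NETS):
    """Return which of the three checks the client passes."""
    return {name: permits(acl, client, server_addrs, server_nets)
            for name, acl in effective_acls(configured).items()}

if __name__ == "__main__":
    client = "113.96.221.24"                      # client from the quoted log
    print("nothing set:    ", audit({}, client))  # query logged, cache denied
    fixed = {"allow-recursion": ["113.96.221.0/24"]}  # constructed client ACL
    print("allow-recursion:", audit(fixed, client))
```

Running the same audit with "any" in allow-recursion shows every client passing all three checks, which is the open-resolver configuration the restrictive default exists to prevent.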



