norecursion on external zone, but how do I allow CNAMEs to be fully resolved?

Tory M Blue tmblue at gmail.com
Fri May 20 06:16:08 UTC 2011


So I've been having DNS issues for a while, differing issues that pop
up and I knock them down, but another just came to my attention which
has me stumped.

My external zone config has allow-recursion { none; };

However, I have some 3rd party sites that I CNAME to. Akamai for
example, yes CNAME to CNAME, I know, I know :).

Well, my primary NS servers will only provide the CNAME record:

;; QUESTION SECTION:
;cdn.domain.net.		IN	A

;; ANSWER SECTION:
cdn.domain.net.	300	IN	CNAME	cdn.domain.net.edgesuite.net.

This causes all types of failures if just using dig, or the Linux built-in
lookup mechanism, or heck, Perl or PHP methods as well. None of the
stated methods know that they should now query
cdn.domain.net.edgesuite.net, so they provide the CNAME and SERVFAIL
or whatever.

Is there a way to allow any host to actually do a recursive lookup if
the request starts out on my domain, in order to receive the A
record? Or do I just have to enable recursion on my external zone? The
problem there, obviously, is that now Joe and Frank can use my DNS servers
because they perform a bit better than their ISPs'. I don't want that,
but I do want to provide the extended information for that CNAME
record.


Oh yeah, still on "bind-9.7.2-P3", Fedora-based system.

I'm missing something, but since it's gosh knows who that will be
querying for cdn.domain.net, there really is no ACL I can use; it has
to be all. And based on some failures, I have to do the legwork for
each client: I have to provide them the necessary information in that
one request.

Thanks again
Tory
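Added illustration (not part of the original post, and not BIND's own code): a small model of the two roles in play. A non-recursive authoritative server, like the one described above, answers only for names inside its own zone, so for cdn.domain.net it returns the CNAME and stops at the out-of-zone target; it is the querying client's recursive resolver that must follow the chain into the Akamai zone, with a chain-length cap and loop detection as guards. The record table below is constructed for the example: cdn.domain.net and cdn.domain.net.edgesuite.net come from the post, while the a1234.g.akamai.net hop, the 192.0.2.x addresses and the loop-a/loop-b.example names are assumptions.

```python
# Constructed stand-in for "what each authoritative server would answer".
# Keys are fully qualified owner names; values are (rrtype, rdata).
# Names beyond cdn.domain.net(.edgesuite.net) and all addresses are made up.
AUTHORITATIVE = {
    "cdn.domain.net.": ("CNAME", "cdn.domain.net.edgesuite.net."),
    "cdn.domain.net.edgesuite.net.": ("CNAME", "a1234.g.akamai.net."),  # assumed hop
    "a1234.g.akamai.net.": ("A", "192.0.2.10"),                          # documentation address
    "loop-a.example.": ("CNAME", "loop-b.example."),                     # constructed CNAME loop
    "loop-b.example.": ("CNAME", "loop-a.example."),
}

MAX_CNAME_CHAIN = 8  # cap so a hostile or misconfigured chain cannot run unbounded


class ResolutionError(Exception):
    """Raised where a real resolver would return SERVFAIL/NXDOMAIN."""


def in_zone(name, zone):
    """True if `name` is at or below the apex `zone` (both with trailing dot)."""
    return name == zone or name.endswith("." + zone)


def authoritative_answer(qname, zone, table=AUTHORITATIVE):
    """Answer like an authoritative server with recursion disabled.

    Follows a CNAME only while the target is still inside the zone we serve;
    as soon as it points out of zone, the CNAME itself is the whole answer.
    This reproduces the dig output in the post: one CNAME, no A record.
    """
    answers = []
    current = qname
    while in_zone(current, zone):
        rec = table.get(current)
        if rec is None:
            break
        rrtype, rdata = rec
        answers.append((current, rrtype, rdata))
        if rrtype != "CNAME":
            break
        current = rdata
    return answers


def resolve_a(name, table=AUTHORITATIVE, max_chain=MAX_CNAME_CHAIN):
    """Chase CNAMEs the way the client's recursive resolver must.

    Returns (chain, address), where `chain` lists every owner name visited.
    Raises ResolutionError on a missing name, a CNAME loop, or a chain that
    exceeds `max_chain` hops.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_chain):
        rec = table.get(current)
        if rec is None:
            raise ResolutionError(f"no data for {current}")
        rrtype, rdata = rec
        if rrtype == "A":
            return chain, rdata
        if rrtype != "CNAME":
            raise ResolutionError(f"unexpected {rrtype} record at {current}")
        if rdata in seen:
            raise ResolutionError(f"CNAME loop at {rdata}")
        seen.add(rdata)
        chain.append(rdata)
        current = rdata
    raise ResolutionError(f"CNAME chain longer than {max_chain} hops")


if __name__ == "__main__":
    # What the poster's authoritative server hands back for the question in the post.
    for owner, rrtype, rdata in authoritative_answer("cdn.domain.net.", "domain.net."):
        print(f"{owner}\t300\tIN\t{rrtype}\t{rdata}")
    # What a recursive resolver on the client side does with that answer.
    chain, addr = resolve_a("cdn.domain.net.")
    print(" -> ".join(chain), "=", addr)
    try:
        resolve_a("loop-a.example.")
    except ResolutionError as err:
        print("refused:", err)
```

The split is the point: the authoritative side stays non-recursive (so it cannot be used as an open resolver by arbitrary clients), and CNAME chasing, together with its loop and length guards, lives in the recursive resolver that the client already uses. A client that asks an authoritative server directly and expects the final A record is asking the wrong kind of server.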
