norecursion on external zone, but how do I allow CNAMEs to be fully resolved?

Phil Mayers p.mayers at
Fri May 20 08:27:44 UTC 2011

On 05/20/2011 07:16 AM, Tory M Blue wrote:

> This causes all types of failures if just using dig, or Linux built in
> lookup mechanism, or heck Perl or PHP methods as well. None of the
> stated methods, know that they should now query
>, so they provide the CNAME and SERVFAIL
> or whatever.

That's because stub resolvers are not recursive resolvers.

No-one should be querying your authoritative servers unless they are 
themselves a full recursive resolver, and those will handle this 
situation just fine.

Serving A records for other zones isn't valid anyway - for security 
reasons they'll be ignored (after all, you could be trying to poison the 
far end cache, and are not authoritative for the zones containing the 
CNAME target)

Can you give more info about how this is causing actual problems, versus 
problems with dig/perl/whatever?

More information about the bind-users mailing list