norecursion on external zone, but how do I allow CNAMEs to be fully resolved?

Kevin Darcy kcd at
Fri May 20 14:50:58 UTC 2011

This is why people run separate views, separate instances, or separate 
devices for DNS resolution (= recursive, by necessity) versus DNS 
hosting (= non-recursive, best practice). If you run both hosting and 
resolution on the same nameserver instance but different views, you may 
need to be a little careful about how you resolve names in your own 
zones (don't recurse to the same view otherwise you may end up in an 
infinite loop situation!), and especially if you're publishing a NAT'ed 
address for your nameserver(s).

Within named.conf, you can limit recursive resolution by client address 
or by view. You can't limit it by zone, because, on deeper analysis, 
that actually doesn't make any sense anyway -- either you are 
authoritative for a given zone, in which case no recursion is necessary, 
or you're not authoritative, in which case recursive resolution is 
*always* necessary.

                         - Kevin

On 5/20/2011 2:16 AM, Tory M Blue wrote:
> So I'm been having dns issues for a while, differing issues that pop
> up and I knock them down , but another just came to my attention which
> has me stumped.
> My external zone config has allow-recursion ( none; );
> However I have some 3rd party sites that I CNAME too. Akamai for
> example, yes CNAME to CNAME , i know I know :)..
> Well my primary NS servers will only provide the CNAME record:
> ;		IN	A
>	300	IN	CNAME
> This causes all types of failures if just using dig, or Linux built in
> lookup mechanism, or heck Perl or PHP methods as well. None of the
> stated methods, know that they should now query
>, so they provide the CNAME and SERVFAIL
> or whatever.
> Is there a way to allow any host to actually do a recursive lookup if
> the request starts out on my domain,  in order to receive the A
> record? Or do I just have to enable recursion on my external zone? The
> problem there obviously, is now joe and frank can use my dns servers
> because it performs a bit better than their ISP's. I don't want that,
> but I do want to provide the extended information for that CNAME
> record.
> Oh ya still on "bind-9.7.2-P3" , fedora based system
> I'm missing something, but since it's gosh knows who that will be
> querying for there really is no ACL I can use, it has
> to be all. And based on some failures, I have to do the leg work for
> each client, i have to provide them the necessary information in that
> one request.
> Thanks again
> Tory
> _______________________________________________
> bind-users mailing list
> bind-users at

More information about the bind-users mailing list