norecursion on external zone, but how do I allow CNAMEs to be fully resolved?
kcd at chrysler.com
Fri May 20 14:50:58 UTC 2011
This is why people run separate views, separate instances, or separate
devices for DNS resolution (= recursive, by necessity) versus DNS
hosting (= non-recursive, best practice). If you run both hosting and
resolution on the same nameserver instance but different views, you may
need to be a little careful about how you resolve names in your own
zones (don't recurse to the same view otherwise you may end up in an
infinite loop situation!), and especially if you're publishing a NAT'ed
address for your nameserver(s).
Within named.conf, you can limit recursive resolution by client address
or by view. You can't limit it by zone, because, on deeper analysis,
that actually doesn't make any sense anyway -- either you are
authoritative for a given zone, in which case no recursion is necessary,
or you're not authoritative, in which case recursive resolution is
On 5/20/2011 2:16 AM, Tory M Blue wrote:
> So I've been having DNS issues for a while, differing issues that pop
> up and I knock them down, but another just came to my attention which
> has me stumped.
> My external zone config has allow-recursion ( none; );
> However I have some 3rd party sites that I CNAME to. Akamai for
> example, yes CNAME to CNAME, I know, I know :)..
> Well my primary NS servers will only provide the CNAME record:
> ;; QUESTION SECTION:
> ;cdn.domain.net. IN A
> ;; ANSWER SECTION:
> cdn.domain.net. 300 IN CNAME cdn.domain.net.edgesuite.net.
> This causes all types of failures if just using dig, or the Linux built-in
> lookup mechanism, or heck Perl or PHP methods as well. None of the
> stated methods know that they should now query
> cdn.domain.net.edgesuite.net, so they provide the CNAME and SERVFAIL
> or whatever.
> Is there a way to allow any host to actually do a recursive lookup if
> the request starts out on my domain, in order to receive the A
> record? Or do I just have to enable recursion on my external zone? The
> problem there obviously, is now joe and frank can use my dns servers
> because it performs a bit better than their ISPs'. I don't want that,
> but I do want to provide the extended information for that CNAME.
> Oh ya still on "bind-9.7.2-P3", Fedora-based system
> I'm missing something, but since it's gosh knows who that will be
> querying for cdn.domain.net there really is no ACL I can use, it has
> to be all. And based on some failures, I have to do the leg work for
> each client, I have to provide them the necessary information in that
> one request.
> Thanks again
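The split that the reply describes (resolution and hosting on one instance, in separate views, with the internal view carrying the zone so it never recurses back into the external view) as an added named.conf example; it is not from the thread or from ISC, and the 192.0.2.0/24 trusted range and the zone file name are constructed placeholders:

```conf
// Added example, not from the thread. Assumes a trusted client range
// 192.0.2.0/24 and a zone file "domain.net.zone" (both placeholders).

acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };   // constructed: who may recurse

options {
    directory "/var/named";
    recursion no;                 // safe default; a view must opt in
    allow-recursion { none; };
};

// View 1: the resolver, reachable only from trusted clients.
// It carries the same zone data, so names under domain.net are answered
// from local data and never recurse into the external view (avoiding
// the loop the reply warns about).
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    zone "domain.net" {
        type master;
        file "domain.net.zone";
    };
};

// View 2: the public authoritative server. Anyone may query domain.net,
// nobody may recurse. For cdn.domain.net it returns only the CNAME;
// chasing cdn.domain.net.edgesuite.net is the querying resolver's job.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    zone "domain.net" {
        type master;
        file "domain.net.zone";
    };
};
```

Check the result with `named-checkconf` before reloading; a query from outside the trusted range for cdn.domain.net should still return the CNAME alone with the RA flag clear.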