3rd party CNAMEs and open recursion

Verne Britton verne at wvnet.edu
Mon Mar 4 18:43:41 UTC 2013

I have been testing and testing and either just don't see what I'm doing wrong, or have a learning block :-)

Current thinking is that an open-recursion DNS server is bad, so we want to implement an allow-recursion clause; perhaps even make some views so our local users still recurse while the general public cannot ...

but I am running into a roadblock with our Google Apps cname:

   gmail.wvstateu.edu is a cname to ghs.google.com

and BIND wants recursion turned on in order to translate it.

(actually we have a number of 3rd party CNAMEs; Google Apps have the most widespread usage)

I thought additional-from-auth would fix it up in a view, but either I do not understand additional-from-auth, or it does not work.

I also played around with a 2nd local server, testing with a forwarding zone as well as a stub zone ... no luck

My most recent testing is with BIND 9.8.2 on Oracle Linux 6.3 64-bit ... installed via yum from the Oracle Linux repositories (Oracle Linux is very, very close to, if not a duplicate of, the Red Hat distribution).

I am starting to read up on RPZ but don't know if that will help any ...

thoughts anyone?
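For reference, here is an added named.conf sketch of the split setup described in the post (local users recurse, the public does not); it is not from the original poster or from the BIND project, and the ACL ranges and zone file name are placeholders. With recursion off in the public view, BIND serves the gmail.wvstateu.edu CNAME record itself and the querying resolver, not this server, chases ghs.google.com.

```conf
// Added example, not from the original post. "campus" and the file name
// are placeholders; substitute your own networks and zone file.
acl "campus" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients     { "campus"; };
    recursion         yes;
    allow-recursion   { "campus"; };   // only local clients may recurse
    allow-query-cache { "campus"; };
    zone "wvstateu.edu" { type master; file "db.wvstateu.edu"; };
};

view "external" {
    match-clients     { any; };
    recursion         no;              // public gets authoritative data only
    allow-query-cache { none; };
    zone "wvstateu.edu" { type master; file "db.wvstateu.edu"; };
};

// db.wvstateu.edu carries the record from the post; the CNAME target is
// returned as-is to the client, and no lookup of ghs.google.com is needed:
//   gmail  IN  CNAME  ghs.google.com.
```

A quick check from outside the campus ranges is `dig @your-nameserver gmail.wvstateu.edu` : the answer should contain the CNAME with the "ra" flag absent, which is the expected shape for a non-recursive authoritative reply.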

