3rd party CNAMEs and open recursion

Barry Margolin barmar at alum.mit.edu
Mon Mar 4 19:45:22 UTC 2013

In article <mailman.1592.1362422631.11945.bind-users at lists.isc.org>,
 Verne Britton <verne at wvnet.edu> wrote:

> I have been testing and testing and either just don't see what I'm doing 
> wrong, or have a learning block  :-)
> current thinking is that an open recursion DNS server is bad, so we want to 
> implement an allow-recursion clause; perhaps even make some views so our 
> local users still recurse while the general public cannot ...
> but I am running into a roadblock with our Google Apps cname:
>    gmail.wvstateu.edu is a cname to ghs.google.com
> and bind wants recursion turned on in order to translate it.

What's the problem?

If the query comes from a local user, recursion will be allowed, and the 
CNAME will be resolved.

If the query comes from a remote resolver, recursion shouldn't even be 
requested. You'll respond with the CNAME, and the remote resolver will 
then do its own lookup of that.

Barry Margolin
Arlington, MA
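
The setup discussed in this thread, sketched as a named.conf fragment. This is an added example, not part of the original post or anyone's actual configuration: the ACL name "local-users", the address ranges (documentation prefixes) and the zone file path are assumptions, and only the CNAME itself comes from the thread.

```conf
// Constructed example: replace the ranges with your own local networks.
acl "local-users" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder range (RFC 5737 documentation prefix)
    2001:db8::/32;       // placeholder range (RFC 3849 documentation prefix)
};

options {
    // Weak setting this replaces (open resolver):
    //     allow-recursion { any; };

    recursion yes;

    // Only local users may have the server chase names on their behalf.
    allow-recursion   { local-users; };

    // Keep cached third-party data private to the same clients.
    allow-query-cache { local-users; };

    // Everyone may still ask about the zones this server is authoritative for.
    allow-query       { any; };
};

zone "wvstateu.edu" {
    type master;
    file "/path/to/wvstateu.edu.zone";   // placeholder path
    // The zone file contains the record from the thread:
    //     gmail   IN   CNAME   ghs.google.com.
};

// Resulting behaviour for a query for gmail.wvstateu.edu:
//   local user      -> recursion allowed; the answer carries the CNAME and
//                      the resolved records for ghs.google.com.
//   remote resolver -> answered from authoritative data with the CNAME only;
//                      the remote resolver then looks up ghs.google.com itself.
```

`named-checkconf` will validate the syntax before a reload.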
