questions on allow-query

Mark Elkins mje at
Tue Feb 20 07:57:54 UTC 2018

Reading between the lines - it sounds like you may be mixing nameserver
roles, recursion with authoritative.

This is not a good idea and is why other Nameserver software (NSD,
UNBOUND and others) either perform one role or the other. I understand
that BIND-10 was also designed like this - separate software modules for
the two separate roles.

Then your "access list" is simple.

Recursive: Starts with knowing next to nothing, can be asked for
anything and serves a restrictive population

    acl "trusted" { 192.0.2.0/24; };   // placeholder network; list your own client ranges here
    options {
        allow-query { trusted; };
        allow-recursion { trusted; };
    };

Authoritative: Starts with knowing everything about just a few Domains,
can only be asked about what it knows and serves the World.

    options {
        allow-query { any; };
        allow-recursion { none; };
    };

You'll otherwise find that things like DNSSEC don't work as expected.

On 20/02/2018 00:51, @lbutlr wrote:
> If I set 
> allow-query { [myipblock]; };
> Then my DNS doesn't respond to any other servers, right? This would be bad for being authoritative. So, should I set that and then set allow-query { any; }; in each zone?
> Is that better than simply setting the IPs that are allowed recursion?

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA:
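As an added illustration of the role-mixing point above (my own code, not from Mark's post and not part of BIND), the small Python check below classifies a named.conf fragment as recursive, authoritative or mixed from its global recursion, allow-query and allow-recursion settings and its zone statements, and flags a resolver whose recursion is reachable by "any". The three sample configs are constructed; the 192.0.2.0/24 and 2001:db8::/32 networks and the example.com zone are placeholders. The defaults assumed when a setting is absent follow BIND 9's documented behaviour: recursion defaults to yes, allow-query to any, and an unset allow-recursion falls back to allow-query-cache, then allow-query, then localnets; localhost.

```python
"""Classify a BIND named.conf fragment by nameserver role (added example)."""
import re

# Constructed sample configs modelled on the two shapes described in the post,
# plus a mixed one of the kind the post warns against.
RECURSIVE_CONF = """
acl "trusted" { 192.0.2.0/24; 2001:db8::/32; };   // placeholder client networks
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
};
"""

AUTH_CONF = """
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };
    allow-recursion { none; };
};
zone "example.com" { type master; file "db.example.com"; };
"""

MIXED_CONF = """
options {
    recursion yes;            # default anyway, shown for clarity
    allow-query { any; };     # no allow-recursion: recursion inherits this ACL
};
zone "example.com" { type master; file "db.example.com"; };
"""

_AUTH_TYPES = {"master", "primary", "slave", "secondary"}


def _strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _body_from(text: str, pos: int) -> str:
    """Return the text between the '{' just before pos and its matching '}'."""
    depth, i = 1, pos
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[pos:i - 1]


def _options(text: str) -> str:
    m = re.search(r"\boptions\s*\{", text)
    return _body_from(text, m.end()) if m else ""


def _acl(block: str, key: str):
    """Return the address-match list of `key { ... };` as a list, or None if unset."""
    m = re.search(rf"\b{key}\s*\{{([^}}]*)\}}", block)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def _authoritative_zones(text: str) -> list:
    """Names of zones this server is authoritative for (primary or secondary)."""
    names = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{', text):
        t = re.search(r"\btype\s+(\w+)\s*;", _body_from(text, m.end()))
        if t and t.group(1) in _AUTH_TYPES:
            names.append(m.group(1))
    return names


def classify(conf: str) -> dict:
    text = _strip_comments(conf)
    opts = _options(text)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion_on = rec is None or rec.group(1) == "yes"      # BIND default: yes
    allow_rec = _acl(opts, "allow-recursion")
    allow_q = _acl(opts, "allow-query") or ["any"]            # BIND default: any
    # Documented fallback chain for an unset allow-recursion.
    effective_rec = (allow_rec or _acl(opts, "allow-query-cache")
                     or allow_q or ["localnets", "localhost"])
    recursive = recursion_on and effective_rec != ["none"]
    zones = _authoritative_zones(text)
    role = ("mixed" if recursive and zones else "recursive" if recursive
            else "authoritative" if zones else "unknown")
    return {"role": role, "zones": zones,
            "open_recursion": recursive and "any" in effective_rec}


if __name__ == "__main__":
    for label, conf in (("recursive", RECURSIVE_CONF), ("authoritative", AUTH_CONF),
                        ("mixed", MIXED_CONF)):
        print(label, classify(conf))
```

The mixed config is the one the post describes: recursion left on, allow-query opened to the world for the authoritative zones, and no allow-recursion to narrow it, so the check reports role "mixed" with open_recursion True. Splitting the roles onto separate servers, as Mark suggests, makes each config fall cleanly into one of the other two classes.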
