Enable recursive query for only a particular zone

Kevin Darcy kevin.darcy at fcagroup.com
Tue May 7 22:46:50 UTC 2019


The simple answer is that you can do this with allow-recursion. Note that
"recursion no" is a big (instance-wide or view-wide) "off" switch for
recursion, so if you already have that set, you'll have to un-set it in
order to apply your allow-recursion controls in a granular fashion. You may
also want to consider your allow-query-cache controls because, even if a
given client isn't allowed to recurse for a given query, the operation of
fetching something that is resident in the cache -- put there as a result
of the query of some other client (which *was* allowed to recurse) -- isn't
considered to require "recursion", per se, but you probably don't want
arbitrary clients sniffing around at what's in your cache. (If one has
separate views, or separate instances, for resolving versus hosting, then
this sort of thing isn't an issue, but it sounds like you're trying to keep
everything in a single view).

The longer answer: you can use allow-recursion (with the caveats listed
above), but it may not achieve the result you're trying to achieve,
depending on what exactly that is. Enabling part of your namespace for
recursion doesn't *automatically* make it a sort of "proxy" for any names
that are queried within that part of the namespace. The crucial question to
ask is: will the incoming queries be requesting recursion or not? Normally,
when an iterative resolver follows the delegation hierarchy down from the
root, it's sending *non-recursion-desired* (RD=0) queries. If they follow
that delegation hierarchy down to your "special" zone, then even though you
may have enabled recursion for it, you'll never *provide* recursion, if it
isn't asked for (RD=0 means the requester doesn't want recursion performed,
even if recursion is available from the responder). The only way this works
is if the requester *explicitly* configures that part of that namespace (or
potentially, higher up in the hierarchy) to use your nameserver
recursively, e.g. by defining a zone of type "forward". This is not
reasonable to expect the Internet-as-a-whole to configure; it really only
works if you have a select community of devices and enough administrative
control to be able to maintain their DNS forwarding configuration(s).

So, depending on your use case, the solution you've hit upon -- enabling
recursion selectively for part of a namespace -- may not solve the
challenge you're trying to solve. Perhaps if you could elaborate a little
more on your situation, a more appropriate solution can be found.


          - Kevin


On Tue, May 7, 2019 at 3:05 AM Burn Zero <burnzerog at gmail.com> wrote:

> Hi,
>
> Is there a possibility to have recursion enabled only for one zone (subdomain
> of an authoritative zone)? Is there any other way other than using
> view?
>
> Thank you
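As an added illustration of the controls Kevin names above (example configuration written for this page, not anything posted in the thread or taken from ISC's documentation), the following shows two separate named.conf fragments together: the server side, where recursion stays switched on but is limited with allow-recursion and allow-query-cache, and the client side, where a "forward" zone is what makes a managed device actually send RD=1 queries to that server. The zone name lab.example.com, the ACL ranges, the file paths and the server address 192.0.2.53 are constructed placeholders.

```conf
// ---- Server side: named.conf on the nameserver that hosts example.com ----
// Constructed example: ACL ranges and file paths are placeholders.
acl "recursive-clients" {
    192.0.2.0/24;       // the "select community of devices" we administer
    2001:db8:1::/48;
};

options {
    directory "/var/cache/bind";

    // "recursion no" would be the instance-wide off switch; leave it on and
    // narrow it with the address-based controls below instead.
    recursion yes;

    // Only these clients are served recursively (RD=1 queries for names we
    // do not host); other clients get REFUSED for such queries.
    allow-recursion { recursive-clients; };

    // Set explicitly so cache reads are limited to the same clients and
    // arbitrary clients cannot sniff around at what is in the cache.
    allow-query-cache { recursive-clients; };

    // Authoritative data remains answerable to anyone.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// ---- Client side: named.conf on each managed resolver ----
// A resolver that follows delegations from the root sends RD=0 and never
// triggers recursion above; only an explicit forward zone makes the managed
// devices ask with RD=1.
zone "lab.example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder address of the server above
};
```

Both fragments can be syntax-checked with `named-checkconf /etc/bind/named.conf` before reloading. Note that allow-recursion and allow-query-cache are address match lists: they select which clients may recurse or read the cache, not which names may be recursed for, so the granularity you get without views is per client rather than per zone.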

