forwarding zone setup from a BIND slave (without recursion?)

Marki bind-users at lists.roth.lu
Wed Apr 7 08:59:30 UTC 2021


Hello,

On 4/7/2021 10:35 AM, Matus UHLAR - fantomas wrote:
> On 06.04.21 22:47, RK K wrote:
>> In this scenario, in order for the secondary server to forward the DNS
>> query to an external DNS server, is it required to enable the
>> recursion in the global options on the secondary servers?
>
> yes. 

To elaborate a little bit on that... Indeed that is how it works, 
unfortunately. When you start using forwarders or stubs, recursion needs 
to be enabled because you're no longer looking for your own 
authoritative data only.

What I've learned from this list is that you should split authoritative 
and recursive service.

In other words, you need two types of servers:

1) A non-recursive one in the backend containing your authoritative 
zones only. This can be a hidden master setup, somewhat like what you 
are using now.

2) The one your users access has recursion enabled, and contains stubs 
to the authoritative service. Obviously, it can also contain stubs (or 
forwarders) to anywhere else. At the same time it is performing full 
recursive service unless you take authority for the root zone.

May I ask what is the reasoning behind your current setup (pointing your 
users to the non-recursive service)? What would you like to achieve? 
What would you like to prevent?

Bye,

Marki
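
The authoritative/recursive split described in this message, sketched as two separate named.conf fragments. This is an added example, not configuration from the poster or from ISC. The zone names, file path, ACL name and addresses (documentation ranges) are placeholders, and restricting recursion to an ACL is an assumption added here.

```conf
// ---- Server 1: authoritative only (backend / hidden master) ----
options {
    recursion no;                  // answers only from its own zones
    allow-transfer { none; };      // placeholder policy; open per zone
                                   // for real secondaries
};

zone "example.com" {               // placeholder zone name
    type master;
    file "zones/example.com.db";   // placeholder path
};

// ---- Server 2: recursive resolver (the one users query) ----
// Separate host, separate named.conf.
acl internal { 10.0.0.0/8; };      // assumption: client networks

options {
    recursion yes;                 // needed once stubs/forwarders are used
    allow-query     { internal; };
    allow-recursion { internal; }; // keeps it from being an open resolver
};

// Stub to the authoritative service: the resolver fetches the NS set
// from server 1 and then queries those name servers directly.
zone "example.com" {
    type stub;
    masters { 192.0.2.10; };       // placeholder address of server 1
};

// Forwarder for a zone hosted elsewhere.
zone "partner.example" {           // placeholder zone name
    type forward;
    forward only;                  // do not fall back to full recursion
    forwarders { 198.51.100.53; }; // placeholder external DNS server
};
```

Each fragment can be checked with `named-checkconf` before reloading; because a stub zone follows the NS records it learns, those names must resolve to addresses the resolver can reach.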
