forwarding zone setup from a BIND slave (without recursion?)
Chuck Aurora
ca at nodns4.us
Wed Apr 7 12:53:01 UTC 2021
On 2021-04-07 03:59, Marki wrote:
> To elaborate a little bit on that... Indeed that is how it works,
> unfortunately. When you start using forwarders or stubs, recursion
> needs to be enabled because you're no longer looking for your own
> authoritative data only.
A stub or static-stub zone would not require recursion. In that case
named is asking for authoritative data from upstream. But type
forward zones indeed cannot work if recursion is disabled.
> What I've learned from this list is that you should split
> authoritative and recursive service.
I would suggest that as a general best practice, but not an absolute
one. There's nothing wrong with having internal-only authoritative
zones on your recursive resolver. The potential problem comes when
you're a globally-published NS for your zones; having recursion
enabled can make you vulnerable to more possible attacks.
I'd say it depends more who/what you are. Small-timers are not at so
much risk for this than large sites and ISPs. But there too, the
paranoid would go for two instances of named, authoritative and
recursive, on a small hosted server even where it's only offering
recursion to itself.
> May I ask what is the reasoning behind your current setup (pointing
> your users to the non-recursive service)? What would you like to
> achieve? What would you like to prevent?
Agreed, that is strange. It does not seem that an authoritative-only
named can be very useful for end users.
More information about the bind-users
mailing list