<div dir="ltr"><div>Hello Marki, Matus,</div><div><br></div><div>Thank you for the insights on this topic.</div><div><br></div><div>To answer Marki's question about why the secondary authoritative servers (slaves) are used for lookups: it is somewhat historical, and there was no need to be recursive (until now), as all the queries are authoritatively answered or refused. Maybe security is another reason.</div><div><br></div><div>Your ideas are much appreciated.</div><div><br></div><div>Thank you </div><div>Kind Regards</div><div>RK</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 7, 2021 at 8:01 AM <<a href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Today's Topics:<br>
<br>
1. forwarding zone setup from a BIND slave (without recursion?)<br>
(RK K)<br>
2. Re: forwarding zone setup from a BIND slave (without<br>
recursion?) (Matus UHLAR - fantomas)<br>
3. Re: forwarding zone setup from a BIND slave (without<br>
recursion?) (Marki)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 6 Apr 2021 22:47:23 -0400<br>
From: RK K <<a href="mailto:rvkota@gmail.com" target="_blank">rvkota@gmail.com</a>><br>
To: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
Subject: forwarding zone setup from a BIND slave (without recursion?)<br>
Message-ID:<br>
<<a href="mailto:CAOtBJRuBejLxC6-UFf5kGkD_iGnOyTg_ku2PkdXbhPoVYzSuUA@mail.gmail.com" target="_blank">CAOtBJRuBejLxC6-UFf5kGkD_iGnOyTg_ku2PkdXbhPoVYzSuUA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
All,<br>
<br>
We have a set of BIND primary servers (MASTERs) and a set of secondary<br>
servers (slaves to the MASTERs).<br>
The secondary BIND DNS servers disabled recursion (with "recursion no;")<br>
in the global options.<br>
All the applications/systems do use secondary DNS servers for name<br>
resolution.<br>
<br>
Now there is a need to configure a forwarding zone in the "secondary DNS<br>
servers" to an external DNS server.<br>
<br>
In this scenario, in order for the secondary server to forward the DNS<br>
query to an external DNS server, is it required to enable the recursion in<br>
the global options on the secondary servers?<br>
Based on reference material, I did not see such a requirement. But my<br>
observation is the query is not getting forwarded ( tried to check using<br>
the packet trace)<br>
When recursion is enabled, the query is getting forwarded.<br>
<br>
The BIND version I am using is 9.11.2.x.<br>
<br>
Appreciate your ideas and help.<br>
<br>
Thank you<br>
Kind Regards,<br>
Ravi Kota<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Wed, 7 Apr 2021 10:35:12 +0200<br>
From: Matus UHLAR - fantomas <<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
To: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
Subject: Re: forwarding zone setup from a BIND slave (without<br>
recursion?)<br>
Message-ID: <<a href="mailto:20210407083512.GA19977@fantomas.sk" target="_blank">20210407083512.GA19977@fantomas.sk</a>><br>
Content-Type: text/plain; charset=us-ascii; format=flowed<br>
<br>
On 06.04.21 22:47, RK K wrote:<br>
>We have a set of BIND primary servers (MASTERs) and a set of secondary<br>
>servers (slaves to the MASTERs).<br>
>The secondary BIND DNS servers disabled recursion (with "recursion no;")<br>
>in the global options.<br>
>All the applications/systems do use secondary DNS servers for name<br>
>resolution.<br>
><br>
>Now there is a need to configure a forwarding zone in the "secondary DNS<br>
>servers" to an external DNS server.<br>
><br>
>In this scenario, in order for the secondary server to forward the DNS<br>
>query to an external DNS server, is it required to enable the recursion in<br>
>the global options on the secondary servers?<br>
<br>
yes.<br>
<br>
>Based on reference material, I did not see such a requirement. But my<br>
>observation is the query is not getting forwarded ( tried to check using<br>
>the packet trace)<br>
>When recursion is enabled, the query is getting forwarded.<br>
><br>
>The BIND version I am using is 9.11.2.x.<br>
<br>
-- <br>
Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
Warning: I wish NOT to receive e-mail advertising to this address.<br>
Warning: I do NOT want to receive any advertising mail at this address.<br>
It's now safe to throw off your computer.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Wed, 7 Apr 2021 10:59:30 +0200<br>
From: Marki <<a href="mailto:bind-users@lists.roth.lu" target="_blank">bind-users@lists.roth.lu</a>><br>
To: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
Subject: Re: forwarding zone setup from a BIND slave (without<br>
recursion?)<br>
Message-ID: <<a href="mailto:e1ab189a-1c38-8a52-5b12-b3af9e0a1a30@lists.roth.lu" target="_blank">e1ab189a-1c38-8a52-5b12-b3af9e0a1a30@lists.roth.lu</a>><br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
<br>
Hello,<br>
<br>
On 4/7/2021 10:35 AM, Matus UHLAR - fantomas wrote:<br>
> On 06.04.21 22:47, RK K wrote:<br>
>> In this scenario, in order for the secondary server to forward the DNS<br>
>> query to an external DNS server, is it required to enable the <br>
>> recursion in<br>
>> the global options on the secondary servers?<br>
><br>
> yes. <br>
<br>
To elaborate a little bit on that... Indeed that is how it works, <br>
unfortunately. When you start using forwarders or stubs, recursion needs <br>
to be enabled because you're no longer looking for your own <br>
authoritative data only.<br>
<br>
What I've learned from this list is that you should split authoritative <br>
and recursive service.<br>
<br>
In other words, you need two types of servers:<br>
<br>
1) A non-recursive one in the backend containing your authoritative <br>
zones only. This can be a hidden master setup, somewhat like what you <br>
are using now.<br>
<br>
2) The one your users access has recursion enabled, and contains stubs <br>
to the authoritative service. Obviously, it can also contain stubs (or <br>
forwarders) to anywhere else. At the same time it is performing full <br>
recursive service unless you take authority for the root zone.<br>
<br>
May I ask what is the reasoning behind your current setup (pointing your <br>
users to the non-recursive service)? What would you like to achieve? <br>
What would you like to prevent?<br>
<br>
Bye,<br>
<br>
Marki<br>
<br>
<br>
------------------------------<br>
<br>
End of bind-users Digest, Vol 3678, Issue 1<br>
*******************************************<br>
</blockquote></div><br clear="all"><div><br></div><br></div>
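<div>The split described in the quoted Message 3 (an authoritative-only back end plus a recursive front end holding the stub and forward zones), sketched as two named.conf fragments. This is an added example, not configuration posted by anyone in the thread; all zone names, addresses and file paths are constructed, and the client ACL is an assumption about where the applications sit.</div>

```conf
// ---- Back end: authoritative only (named.conf on the existing secondaries) ----
// All addresses and zone names in this example are constructed.
options {
    recursion no;                        // answers only from its own zones
    allow-transfer { none; };            // open per zone only where AXFR is needed
};

zone "corp.example" {                    // hypothetical internal zone
    type slave;                          // secondary of the existing primaries
    masters { 198.51.100.1; };           // constructed primary address
    file "slaves/corp.example.db";
};

// ---- Front end: the resolver applications point at (a separate named.conf) ----
acl internal-clients { 192.0.2.0/24; localhost; };   // constructed client range

options {
    recursion yes;                       // needed before forward or stub zones are followed
    allow-recursion   { internal-clients; };   // keeps this from being an open resolver
    allow-query-cache { internal-clients; };
};

zone "corp.example" {                    // stub pointing at the authoritative back end
    type stub;
    masters { 198.51.100.10; 198.51.100.11; };  // constructed back-end addresses
};

zone "partner.example" {                 // hypothetical externally hosted zone
    type forward;
    forward only;                        // never fall back to full recursion for this zone
    forwarders { 203.0.113.53; };        // constructed external DNS server
};
```

<div>The two options blocks belong to different servers; run named-checkconf against each file before reloading.</div>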