views, recursion, and allow-recursion

Post by R Dicair » Tue, 24 Jun 2008 06:49:33


Hi folks...in my options statement I have

allow-recursion { 192.168.1.0/24; ! 0.0.0.0; };

acl "internal" { 192.168.1.0/24; };

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-transfer { internal; ! 0.0.0.0; };
    // internal zone definitions go here
};

view "external" {
    match-clients { any; };
    recursion no;
    // external zone definitions go here
};

When I start named, syslog shows:

named[32493]: both "recursion no;" and "allow-recursion" active for view external

Lookups based on the views' ACLs show me the view configuration seems
to be working. Local clients can look up addresses fine, nothing
appears to be amiss. What exactly does this syslog message mean?

Thanks
--
aRDy Music and Rick Dicaire present:
http://www.yqcomputer.com/
http://www.yqcomputer.com/ :9000/ardymusic.ogg.m3u

Post by Alan Cleg » Tue, 24 Jun 2008 07:05:20


It means that you are mixing access control methods for recursion.

Since your internal ACL matches what you were using in
"allow-recursion", just change the "allow-recursion" in global options
to "recursion no;" and allow the view based "recursion yes;" (internal)
and "recursion no;" (external) to override it.

Note that !0.0.0.0 ("none") is added to every ACL expansion, so you
don't need it in the example above.

Just for good measure, you may want to change the external match-clients to:

match-clients { !internal; any; };

AlanC


Post by R Dicair » Tue, 24 Jun 2008 08:37:01


Having made the above modifications, external client queries for data
my NS isn't authoritative for no longer show cache query denied in
syslog, but instead return a list of the tld root servers.
Is this the appropriate response/behaviour?


Post by Alan Cleg » Tue, 24 Jun 2008 11:25:21


You are providing a referral to the roots for labels that you are not
authoritative for.

This is normal, but shows that those clients are asking you for
recursion (which you are not willing to do). You need to find those
clients and reconfigure them to use the correct recursive servers.

AlanC

Post by R Dicair » Tue, 24 Jun 2008 11:45:23


Ok, thanks. And the clients querying my nameserver for . NS are not
mine; they come from 208.78.169.* and 204.11.51.*

Examples from syslog before I changed my configuration:

Jun 22 04:42:07 rdb named[4431]: client 208.78.169.236#32804: query (cache) './NS/IN' denied
Jun 22 04:46:17 rdb named[4431]: client 204.11.51.62#32938: query (cache) './NS/IN' denied

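The "query (cache) ... denied" lines above are the evidence Alan suggests using to find the clients that still expect recursion from this server. As an added example that is not part of this thread, the following standard-library Python script parses named syslog entries of that form, sorts the sources by the thread's "internal" ACL (192.168.1.0/24), and counts denials per client; the sample log lines are constructed in the format quoted above.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the format named logs when a client that is
# not allowed recursion queries the cache; one internal-range client is added for contrast.
SAMPLE_LOG = """\
Jun 22 04:42:07 rdb named[4431]: client 208.78.169.236#32804: query (cache) './NS/IN' denied
Jun 22 04:46:17 rdb named[4431]: client 204.11.51.62#32938: query (cache) './NS/IN' denied
Jun 22 04:50:01 rdb named[4431]: client 208.78.169.236#40112: query (cache) 'www.example.com/A/IN' denied
Jun 22 04:51:30 rdb named[4431]: client 192.168.1.20#5353: query (cache) 'example.net/MX/IN' denied
Jun 22 04:52:00 rdb named[4431]: zone example.org/IN: loaded serial 2008062201
"""

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# The "internal" ACL from the thread; every other source is treated as external.
INTERNAL_NETS = [ip_network("192.168.1.0/24")]

def is_internal(ip):
    """True if the client address falls inside the internal ACL."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_denied(log_text):
    """Extract every 'query (cache) ... denied' event as a dict; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            event = m.groupdict()
            event["internal"] = is_internal(event["ip"])
            events.append(event)
    return events

def summarize(events):
    """Count denials per client: external sources are stray clients to reconfigure,
    internal ones would point at a match-clients/ACL mismatch on the server instead."""
    external = Counter(e["ip"] for e in events if not e["internal"])
    internal = Counter(e["ip"] for e in events if e["internal"])
    return external, internal

if __name__ == "__main__":
    ext, internal = summarize(parse_denied(SAMPLE_LOG))
    print("external:", dict(ext), "internal:", dict(internal))
```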