Enable recursive query for only a particular zone


Enable recursive query for only a particular zone

Burn Zero
Hi,

Is there a possibility to have recursion enabled only for one zone (subdomain of an authoritative zone)? Is there any other way other than using a view?

Thank you

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Enable recursive query for only a particular zone

Kevin Darcy
The simple answer is that you can do this with allow-recursion. Note that "recursion no" is a big (instance-wide or view-wide) "off" switch for recursion, so if you already have that set, you'll have to un-set it in order to apply your allow-recursion controls in a granular fashion. You may also want to consider your allow-query-cache controls because, even if a given client isn't allowed to recurse for a given query, the operation of fetching something that is resident in the cache -- put there as a result of the query of some other client (which *was* allowed to recurse) -- isn't considered to require "recursion", per se, but you probably don't want arbitrary clients sniffing around at what's in your cache. (If one has separate views, or separate instances, for resolving versus hosting, then this sort of thing isn't an issue, but it sounds like you're trying to keep everything in a single view).

The longer answer: you can use allow-recursion (with the caveats listed above), but it may not achieve the result you're trying to achieve, depending on what exactly that is. Enabling part of your namespace for recursion doesn't *automatically* make it a sort of "proxy" for any names that are queried within that part of the namespace. The crucial question to ask is: will the incoming queries be requesting recursion or not? Normally, when an iterative resolver follows the delegation hierarchy down from the root, it's sending *non-recursion-desired* (RD=0) queries. If they follow that delegation hierarchy down to your "special" zone, then even though you may have enabled recursion for it, you'll never *provide* recursion, if it isn't asked for (RD=0 means the requester doesn't want recursion performed, even if recursion is available from the responder). The only way this works is if the requester *explicitly* configures that part of that namespace (or potentially, higher up in the hierarchy) to use your nameserver recursively, e.g. by defining a zone of type "forward". This is not reasonable to expect the Internet-as-a-whole to configure; it really only works if you have a select community of devices and enough administrative control to be able to maintain their DNS forwarding configuration(s).

So, depending on your use case, the solution you've hit upon -- enabling recursion selectively for part of a namespace -- may not solve the challenge you're trying to solve. Perhaps if you could elaborate a little more on your situation, a more appropriate solution can be found.

- Kevin


On Tue, May 7, 2019 at 3:05 AM Burn Zero <[hidden email]> wrote:
Hi,

Is there a possibility to have recursion enabled only for one zone (subdomain of an authoritative zone)? Is there any other way other than using a view?

Thank you
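
The RD-bit and ACL points from the reply above, as an added example that is not part of the original thread and not BIND's own code: a simplified Python model that reads the RD flag from a wire-format query and applies allow-recursion / allow-query-cache style ACLs. The function names, outcome labels, query name and addresses are constructed for illustration.

```python
import ipaddress
import struct

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word (RFC 1035)

def build_query(name, rd, qtype=1, txid=0x1234):
    """Build a minimal wire-format DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def recursion_desired(msg):
    """Return True if the query header has RD=1."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & RD_FLAG)

def in_acl(client, acl):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net) for net in acl)

def decide(msg, client, allow_recursion, allow_query_cache, recursion=True):
    """Simplified model of the rules in the reply, not BIND's real code path."""
    wants = recursion_desired(msg)
    if wants and recursion and in_acl(client, allow_recursion):
        return "recurse"
    # RD=0, "recursion no", or client outside allow-recursion: no fetch is made,
    # but cached data is still readable if allow-query-cache matches the client.
    return "cache-readable" if in_acl(client, allow_query_cache) else "authoritative-only"

TRUSTED = ["192.0.2.0/24"]      # constructed ACL (documentation address range)
NAME = "host.sub.example.com"   # constructed query name

def demo():
    rd1, rd0 = build_query(NAME, True), build_query(NAME, False)
    return [
        decide(rd1, "192.0.2.10", TRUSTED, TRUSTED),         # forwarder-style client
        decide(rd0, "192.0.2.10", TRUSTED, TRUSTED),         # iterative resolver, RD=0
        decide(rd1, "203.0.113.7", TRUSTED, TRUSTED),        # outsider, tight cache ACL
        decide(rd1, "203.0.113.7", TRUSTED, ["0.0.0.0/0"]),  # outsider, open cache ACL
    ]

if __name__ == "__main__":
    print(demo())
```

The second and fourth cases are the ones the reply warns about: an RD=0 query never triggers recursion even for an allowed client, and a loose allow-query-cache ACL leaves cached answers readable to clients that cannot recurse.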