On Jun 1, 2009, at 11:28 PM, Barry Margolin wrote:
> Allow-query allows the clients to query the zones that your server is
> authoritative for.
> Allow-recursion allows them to request recursion, which is needed to
> look up names in remote zones.
> Allow-query-cache allows them to query the data that's in the cache
> due to some client previously requesting recursion.
That's not quite right.
allow-query governs who can send *any* query to the server, not just
queries against authoritative data. If a query is blocked by this ACL,
the response sent back is empty (no records), with the RCODE set to
REFUSED.
allow-recursion and allow-query-cache now default to behave like each
other. In other words, if one is set but not the other, the behavior
is as if both were set to the same ACL. Therefore, there's almost
never any reason to set allow-query-cache - just use allow-recursion
for both, unless you truly have a use for allowing someone access to
the cache who does not also have permission to send recursive queries
to the server.
allow-query-cache was added in BIND 9.4. Previously, the only control
on cached data was allow-query.
If a query is blocked by allow-query-cache, the response is REFUSED,
as with allow-query. If it passes allow-query-cache but is blocked by
allow-recursion (an unusual situation these days), the query is
handled as if it were not recursive.
The defaults if no values are set at all:
allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };
My guess is that the OP was being tripped up by the default for
allow-recursion.
Chris Buxton
Professional Services
Men & Mice
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
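A way to check what ACLs a named.conf actually ends up with under the defaulting rules described in the reply above, as an added example that is not part of the original thread and not BIND's own code. It parses the options block, fills in the defaults (allow-query to any; allow-recursion and allow-query-cache to each other, or to localhost; localnets when neither is set), and reports how a query from a given client is handled in the order the reply gives: allow-query, then allow-query-cache, then allow-recursion. The named.conf fragments OPEN_RESOLVER and RESTRICTED, the client addresses (RFC 5737 documentation ranges), the treatment of localhost as loopback and of localnets as a caller-supplied list, and the absence of named ACLs and views are all assumptions made for the example; the rule that data from a zone the server is authoritative for is not subject to allow-query-cache is BIND behaviour that the reply does not state.

```python
"""Model of how BIND combines allow-query, allow-recursion and
allow-query-cache, following the defaulting rules in the reply above.
Added example, not BIND source: assumes no named ACLs or views, treats
'localhost' as loopback and 'localnets' as a caller-supplied list."""
import ipaddress
import re

DEFAULT_LOCAL = ["localhost", "localnets"]

# Constructed named.conf fragments (assumptions, not from the thread).
OPEN_RESOLVER = """
options {
    allow-query { any; };
    allow-recursion { any; };   // weak: anyone may recurse through us
};
"""
RESTRICTED = """
options {
    allow-query { any; };
    // allow-query-cache is left unset, so it follows allow-recursion
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
};
"""


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(conf):
    """Body of the top-level options { ... } block, brace-matched."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    raise ValueError("unbalanced braces in options block")


def parse_acls(conf):
    """Explicitly set ACL options -> list of address-match elements."""
    body = options_block(strip_comments(conf))
    pat = r"\b(allow-query-cache|allow-query|allow-recursion)\s*\{([^}]*)\}\s*;"
    return {name: [e.strip() for e in inner.split(";") if e.strip()]
            for name, inner in re.findall(pat, body)}


def effective_acls(acls):
    """allow-query defaults to any; allow-recursion and allow-query-cache
    default to each other, and to localhost; localnets if neither is set."""
    rec, qc = acls.get("allow-recursion"), acls.get("allow-query-cache")
    if rec is None and qc is None:
        rec, qc = list(DEFAULT_LOCAL), list(DEFAULT_LOCAL)
    elif rec is None:
        rec = list(qc)
    elif qc is None:
        qc = list(rec)
    return {"allow-query": acls.get("allow-query", ["any"]),
            "allow-recursion": rec, "allow-query-cache": qc}


def acl_matches(acl, client, localnets=()):
    """Address-match-list semantics: the first matching element decides;
    a '!'-negated element that matches denies; no match denies."""
    ip = ipaddress.ip_address(client)
    for elem in acl:
        negate = elem.startswith("!")
        e = elem.lstrip("!").strip()
        if e == "any":
            hit = True
        elif e == "none":
            hit = False
        elif e == "localhost":
            hit = ip.is_loopback          # assumption: loopback only
        elif e == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in localnets)
        else:
            hit = ip in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate
    return False


def dispatch(client, rd, authoritative, eff, localnets=()):
    """Outcome for one query, checked in the order the reply gives:
    allow-query, then allow-query-cache, then allow-recursion."""
    if not acl_matches(eff["allow-query"], client, localnets):
        return "REFUSED"
    if authoritative:   # local zone data: allow-query-cache is not consulted
        return "AUTHORITATIVE"
    if not acl_matches(eff["allow-query-cache"], client, localnets):
        return "REFUSED"
    if rd and acl_matches(eff["allow-recursion"], client, localnets):
        return "RECURSIVE"
    return "NONRECURSIVE"   # served from cache only, as if RD were clear


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER), ("restricted", RESTRICTED)):
        eff = effective_acls(parse_acls(conf))
        print(label, eff, dispatch("203.0.113.5", True, False, eff))
```

Running it shows the point of the reply: with OPEN_RESOLVER, allow-query-cache is never written but becomes `any` because it follows allow-recursion, so an arbitrary Internet client gets full recursion; with RESTRICTED, the same client is REFUSED for anything outside the server's own zones, while hosts in 192.0.2.0/24, on loopback, or on a listed local network still get recursion. Against a live server the same checks are `dig @server +recurse example.com` from inside and outside the allowed networks, looking at the status (REFUSED or NOERROR) and the `ra` flag.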