On 01.10.09 19:10, Sven Eschenberg wrote:
> Funny enough, I did not have any allow-query at all, but adding
> allow-query {any;} did indeed change the behavior. But allow-query-cache
> obviously defaults to localhost, localnets and was triggering the
> behavior that confused me.

OK, again: did you have any other allows? Which means allow-recursion,
allow-query-cache ....

> In between I overhauled the config, setting all the options explicitly
> where needed, instead of building on default behavior and everything
> works as expected now. Lesson learned: Ignore defaults, always set
> things as YOU want them to be :-).

Could you post your config (and optional includes) somewhere? I still think
the real problem lay elsewhere...

> Matus UHLAR - fantomas wrote:
>> On 30.09.09 15:59, Sven Eschenberg wrote:
>>> When I had no allow-query statement at all in my config, everything
>>> worked fine (including recursion) for all clients, that were in
>>> subnets directly attached to the server. The external view
>>> (authoritative, non recursive) did work for every client as supposed
>>> to.
>>> Now a client on a not directly attached subnet, with its own view,
>>> could not resolve anything, except local zones on the server. (Though
>>> recursion was turned on for the view).
>>> External view's clients could not recurse, though recursion was
>>> turned on, obviously to really recurse I'd need an allow-query
>>> statement.
>>>
>>> Adding an allow-query statement to the general config, limited to
>>> the campus network made all local views work, but with the result,
>>> that no client matching the external view could look up the
>>> authoritative zones.
>>>
>>> Now, I am wondering if I did set up everything right after all,
>>> here's what I did do:
>>>
>>> External view, no recursion, allow-query {any;}
>>> Not directly attached client with internal view: match on client's
>>> ip, allow recursion, allow query for the client's ip.
>>> all other internal views, matched by locally attached networks, no
>>> allow-query statement, allow recursion.
>>>
>>> This seems to work.
>>>
>>> I am wondering: Would it be harmful to allow queries by any host
>>> (globally) as long as external clients (in their view) are not
>>> allowed any recursion?
>>> Would that be more feasible?
>>
>> allow-query { any; }; is default. Do you have any other allows?
>>
>> the first error message indicated that you didn't allow query-cache or
>> recursion for some clients. Apparently you cloned a view but forgot to
>> allow either one in the new view...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
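
The default interplay discussed in this thread, as an added example that is not part of the original messages or of BIND itself: a simplified Python model of how allow-query-cache and allow-recursion fall back to each other and to allow-query when unset, following the order documented in the BIND 9 Administrator Reference Manual. The function names and all addresses are constructed for illustration, and `localhost` is reduced to loopback.

```python
import ipaddress

DEFAULT = ["localnets", "localhost"]  # built-in default when nothing is set

def effective_acls(view, options, recursion=True):
    """Resolve the three ACLs for one view; view settings override options."""
    def explicit(name):
        return view.get(name, options.get(name))
    cache, rec = explicit("allow-query-cache"), explicit("allow-recursion")
    if cache is None:
        cache = rec                      # first fallback: allow-recursion
    if cache is None and recursion:
        cache = explicit("allow-query")  # second fallback: allow-query
    if rec is None and recursion:
        rec = cache                      # allow-recursion follows the cache ACL
    return {
        "allow-query": explicit("allow-query") or ["any"],
        "allow-query-cache": cache or (DEFAULT if recursion else ["none"]),
        "allow-recursion": rec or DEFAULT,
    }

def matches(acl, client, attached):
    """True if any ACL element covers the client (no negation support)."""
    ip = ipaddress.ip_address(client)
    for item in acl:
        if item == "any":
            return True
        if item == "none":
            nets = []
        elif item == "localnets":
            nets = attached              # subnets directly attached to the server
        elif item == "localhost":
            nets = ["127.0.0.0/8"]       # simplification of the real localhost ACL
        else:
            nets = [item]
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return True
    return False

def allowed(kind, client, view, options, attached=("10.1.0.0/24",)):
    return matches(effective_acls(view, options)[kind], client, list(attached))

if __name__ == "__main__":
    campus = {"allow-query": ["10.0.0.0/8"]}          # constructed campus range
    for opts in ({}, campus):
        for client in ("10.1.0.5", "10.2.0.5", "203.0.113.9"):
            print(opts, client, {k: allowed(k, client, {}, opts)
                                 for k in effective_acls({}, opts)})
```

With no allow statements the routed client 10.2.0.5 may query but not use the cache; a global campus-only allow-query fixes that and at the same time shuts out external clients unless their view overrides it.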