etirado....@orange-ftgroup.com wrote:
> Hello,
>
> Is it possible to disable recursion for all incoming queries except
> for those listed in zone statement with a forwarder?
>
> I know that no forwarding is allowed if we disable recursion.
>
> Something like this ( but this doesn't work I know ):
>
> I can't match people so I can't create a view.
>
> options {
>
>     allow-query { any; };
>     allow-query-cache { none; };
>     allow-recursion { none; };
>
> };
>
> zone "example.fr" {
>
>     type forward;
>     forwarders { x.x.x.x; };
>     forward only;
> };

Then what you really have is an architectural issue you need to sort out.

Recursion is needed on name servers so dumb resolvers (end systems... e.g., PCs and laptops) can use them, which also means it will ask questions of other authoritative name servers and cache intermediate data. Forward-type zones are essentially an extension of this, just for jump-starting recursive resolution at a different starting point that is not visible following the usual delegation path. You should only ever need to use a forward-type zone to get around a firewall.

If you have recursion turned off, then you have caching turned off and thus can only be serving authoritative data (and no other data is retrieved elsewhere via queries, via forwarding or recursion). These two situations serve two very different functions.

If you are trying to mix these two functions (resolving server, authoritative server), then you have to be able to either segment each into either a view (where queries come in on the same interface), or segment by using multiple interfaces for receiving/sending queries and run two instances of named for each function, or (most commonly) just run these functions on two completely different machines.

If I were to guess, it looks like you are constructing an authoritative server, because of "allow-recursion { none; };". Why can't you do this to get the data for the example.fr zone?

    zone "example.fr" {
        type slave;
        masters { x.x.x.x; };
    };

If you really are trying to get around a firewall, then this server is a resolving server anyway (serving end systems) and thus you would need recursion turned on...

Regards,
Mike

--
Michael Milligan -> mi...@acmeps.com
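
The conflict discussed in this thread (a forward-type zone on a server whose options turn recursion off) can be caught with a configuration check. The script below is an added example, not part of the original message or of BIND itself; its function names are illustrative, and it assumes a simple named.conf with global options only (views and braces inside quoted strings are not handled).

```python
import re
# Added example; helper names are illustrative. Constructed sample: the configuration quoted above.
QUOTED_CONF = '''
options {
    allow-query { any; };
    allow-query-cache { none; };
    allow-recursion { none; };
};
zone "example.fr" {
    type forward;
    forwarders { x.x.x.x; };
    forward only;
};
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    depth, start, header, body_start = 0, 0, '', 0
    for i, ch in enumerate(text):
        if ch == '{':
            if depth == 0:
                header, body_start = text[start:i].strip(), i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
        elif ch == ';' and depth == 0:
            start = i + 1

def recursion_disabled(options_body):
    """True for 'recursion no;' or an allow-recursion ACL that is exactly { none; }."""
    if re.search(r'(?<![-\w])recursion\s+no\s*;', options_body):
        return True
    m = re.search(r'(?<![-\w])allow-recursion\s*\{([^}]*)\}', options_body)
    return bool(m) and [e.strip() for e in m.group(1).split(';') if e.strip()] == ['none']

def inert_forward_zones(conf):
    """Top-level 'type forward' zones made unusable by global recursion-off options (views not examined)."""
    blocks = list(top_level_blocks(strip_comments(conf)))
    if not any(recursion_disabled(b) for h, b in blocks if h == 'options'):
        return []
    return [m.group(1) for h, b in blocks
            if (m := re.match(r'zone\s+"([^"]+)"', h))
            and re.search(r'(?<![-\w])type\s+forward\s*;', b)]
```

Calling inert_forward_zones(QUOTED_CONF) returns the zones that need either a recursion-enabled resolver or a different zone type such as the slave zone suggested in the reply.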