On 3/10/2010 4:45 PM, ic.nssip wrote:
> I've got the idea!
> So even if I have no statement "recursion yes", the server is still recursive as long as I don't specify "recursion no;". It is going to make no difference if I add "recursion yes;" to options.

No difference.

> Is "localnets" a term I really need to use?

It's predefined. Read the ARM.

> Currently I'm using an ACL defined for "acl custnets { x.x.x.x; };" and "allow-query { custnets; };"
>
> Should I change the name "custnets" to "localnets"?

If they're numerically the same thing, then it would just be a matter of personal preference. If they're different, then it would depend on one's implementation requirements whether it's ok to switch one for the other. We don't have enough information about your implementation requirements to give a definitive answer one way or the other.

Note that both "localnets" and "localhost" can change dynamically, if network interfaces are brought up and/or taken down.

> Is my customized name "custnets" going to affect recursion in any way if I use it instead of "localnets"?

If running BIND 9.4.x or higher, "allow-query { custnets; }" will affect one's allow-recursion default if "custnets" is (or _becomes_, as a result of interfaces being brought up and/or taken down) in any way numerically different from "{ localnets; localhost; }".

(Of course, a query that's REFUSED will never get a chance to recurse, but one can override a *global* allow-query at the zone level, so it still makes sense for allow-recursion to cross-inherit from allow-query)

If all of this is confusing, then I would recommend explicitly setting all of them -- allow-query, allow-query-cache, allow-recursion. Then you don't need to constantly guess at what is inheriting from where.

- Kevin
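
The inheritance discussed in this reply, as an added example that is not part of the original message or of BIND itself: a simplified Python model of how BIND 9.4+ fills in unset allow-query, allow-query-cache and allow-recursion when recursion is enabled, following the defaults documented in the ARM. The function names and the sample configurations are assumptions made for illustration.

```python
# Simplified model (an assumption, not BIND code) of how BIND 9.4+ fills in
# unset access-control options when recursion is enabled, per the ARM.
BUILTIN = "{ localnets; localhost; }"

# For each option: the other options it falls back to, in order.
FALLBACK = {
    "allow-query": [],
    "allow-query-cache": ["allow-recursion", "allow-query"],
    "allow-recursion": ["allow-query-cache", "allow-query"],
}
# Value used when neither the option nor anything in its chain is set.
LAST_RESORT = {
    "allow-query": "{ any; }",
    "allow-query-cache": BUILTIN,
    "allow-recursion": BUILTIN,
}

def resolve(explicit):
    """Map each option to (effective ACL, where that value came from)."""
    result = {}
    for opt, chain in FALLBACK.items():
        if opt in explicit:
            result[opt] = (explicit[opt], "explicit")
            continue
        for src in chain:
            if src in explicit:
                result[opt] = (explicit[src], "inherited from " + src)
                break
        else:  # nothing in the chain was set
            result[opt] = (LAST_RESORT[opt], "built-in default")
    return result

def implicit_options(explicit):
    """Options whose value is inherited or defaulted rather than stated."""
    return sorted(o for o, (_, src) in resolve(explicit).items()
                  if src != "explicit")

if __name__ == "__main__":
    # Constructed inputs: only allow-query set, then all three set.
    only_query = {"allow-query": "{ custnets; }"}
    all_three = {opt: "{ custnets; }" for opt in FALLBACK}
    for name, cfg in (("only allow-query", only_query), ("all explicit", all_three)):
        print(name)
        for opt, (acl, src) in resolve(cfg).items():
            print(f"  {opt:18} {acl:28} {src}")
        print("  implicit:", implicit_options(cfg))
```

With only allow-query set, the other two options report "inherited from allow-query"; with all three set, the implicit list is empty.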


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
