Reading between the lines - it sounds like you may be mixing nameserver roles, recursion with authoritative.
This is not a good idea and is why other Nameserver software (NSD, UNBOUND and others) either perform one role or the other. I understand that BIND-10 was also designed like this - separate software modules for the two separate roles. Then your "access list" is simple.

Recursive: Starts with knowing next to nothing, can be asked for anything and serves a restrictive population

    acl "trusted" {
        127.0.0.0/8;
        ::1/128;
        192.X.X.0/24;
        2001:hhhh:hhhh:hhhh::/48;
    };

    allow-query { trusted; };
    allow-recursion { trusted; };

Authoritative: Starts with knowing everything about just a few Domains, can only be asked about what it knows and serves the World.

    allow-query { any; };
    allow-recursion { none; };

You'll otherwise find that things like DNSSEC don't work as expected.

On 20/02/2018 00:51, @lbutlr wrote:
> If I set
>
> allow-query { 127.0.0.1; [myipblock]; }
>
> Then my DNS doesn't respond to any other servers, right? This would be bad
> for being authoritative. so, should I set that and then set allow-query {
> any; }; in each zone?
>
> Is that better than simply setting the IPs that are allowed recursion?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
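
An added example, not part of the original thread: a small named.conf audit that checks a config against the two profiles described in the reply above (recursive for a trusted ACL, authoritative for the world) and against the per-zone allow-query case raised in the quoted question. The function name audit, the finding codes, the sample zones and the 192.0.2.0/24 range are assumptions made for illustration; the parser is simplified and only follows one level of brace nesting.

```python
import re

ZONE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;')
ACL = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}\s*;')

def _elems(body):
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def _clause(text, name):
    """Elements of the first `name { ... };` in text, or None if absent."""
    m = re.search(r'\b%s\s*\{([^{}]*)\}\s*;' % re.escape(name), text)
    return _elems(m.group(1)) if m else None

def _open(elems, acls, seen=()):
    """True if the match list admits everyone, following named ACLs."""
    return any(e == "any" or (e in acls and e not in seen
               and _open(acls[e], acls, seen + (e,))) for e in elems)

def audit(conf):
    """Return finding codes (hypothetical names) for named.conf text."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)
    acls = {n: _elems(b) for n, b in ACL.findall(conf)}
    zones = ZONE.findall(conf)
    top = ZONE.sub('', conf)                  # options-level text only
    rec, qry = _clause(top, "allow-recursion"), _clause(top, "allow-query")
    recursing = rec != ["none"] and not re.search(r'\brecursion\s+no\s*;', top)
    auth = [(n, b) for n, b in zones
            if re.search(r'\btype\s+(master|primary|slave|secondary)\b', b)]
    out = []
    if recursing and rec and _open(rec, acls):
        out.append("OPEN_RECURSION")          # recursion offered to anyone
    if recursing and auth:
        out.append("MIXED_ROLES")             # both roles in one server
    for name, body in auth:
        eff = _clause(body, "allow-query") or qry   # zone overrides global
        if eff is not None and not _open(eff, acls):
            out.append("ZONE_NOT_PUBLIC:" + name)   # zone hidden from world
    return out

# Constructed sample: the mixed setup from the quoted question.
MIXED = '''
acl "trusted" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; };   // constructed sample
options { allow-query { trusted; }; allow-recursion { trusted; }; };
zone "example.com" { type master; file "example.com.db"; };
zone "example.net" { type master; file "example.net.db"; allow-query { any; }; };
'''

if __name__ == "__main__":
    print(audit(MIXED))
```

On the sample, the zone without its own allow-query inherits the restricted global list and is reported, while the zone that sets allow-query { any; } is not.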