On Wed, Nov 19, 2025 at 04:26:17PM -0500, pgnd wrote:
> following up on earlier comment, i poked at acls + recursion/query allows
> 
> modifying config
> 
> edit `named.conf`
> ```
> view "internal" {
>       match-clients {
>               !key ...;
>               key ...;
>               acl_local_lan;
>               localhost;
>       };
> 
>       recursion yes;
> 
>       allow-query  { acl_local_lan; localhost; };
>       allow-query-cache  { acl_local_lan; localhost; };
> -     allow-recursion  { any; };
> +     allow-recursion  { acl_local_lan; localhost; };
> +     allow-recursion-on  { any; };
> +     allow-query-cache-on  { any; };
> ```
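
Review bot: the two added lines at the end of the view, `allow-recursion-on  { any; };` and `allow-query-cache-on  { any; };`, have no comment saying why they are needed, while every other allow-* statement in the view is scoped to `acl_local_lan; localhost;`. Add a comment noting that they were added to make the restricted `allow-recursion` take effect, so they get re-examined later instead of staying in the config unexplained. The snippet also ends before the view's closing `};`, so confirm that both lines sit inside `view "internal"` and not in another block.
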
> 
> does the trick. now,

To be clear, you're saying this version did NOT work?

|       allow-query  { acl_local_lan; localhost; };
|       allow-query-cache  { acl_local_lan; localhost; };
|       allow-recursion  { any; };

Because, I'm fairly sure I know what's going on here - it's an accidental
side effect of recent changes to the configuration parser, and I hope to
have it fixed in the next release - but I'm not sure why *that*
configuration wouldn't have worked. When I test it myself, all that seems
to be necessary is to set allow-recursion and allow-query-cache in the
view.

If you could show us one more thing, I'd like to see how the ACLs were
set in the "options {}" block in named.conf, and then compare that to
the options block from "rndc showconf -effective".

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
