Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread RK K
Chuck, Tony,

Thank you all for sharing the ideas, very much appreciated.

Thank you
Kind Regards,
Ravi Kota

On Wed, Apr 7, 2021 at 7:25 PM  wrote:

> Send bind-users mailing list submissions to
> bind-users@lists.isc.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.isc.org/mailman/listinfo/bind-users
> or, via email, send a message with subject or body 'help' to
> bind-users-requ...@lists.isc.org
>
> You can reach the person managing the list at
> bind-users-ow...@lists.isc.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of bind-users digest..."
>
>
> Today's Topics:
>
>1. Re: forwarding zone setup from a BIND slave (without
>   recursion?) (Chuck Aurora)
>2. Re: forwarding zone setup from a BIND slave (without
>   recursion?) (Tony Finch)
>3. Re: rndc stops listening (John Thurston)
>4. Re: rndc stops listening (Ondřej Surý)
>5. Re: forwarding zone setup from a BIND slave (without
>   recursion?) (Mark Andrews)
>
>
> --
>
> Message: 1
> Date: Wed, 07 Apr 2021 07:53:01 -0500
> From: Chuck Aurora 
> To: bind-users@lists.isc.org
> Subject: Re: forwarding zone setup from a BIND slave (without
> recursion?)
> Message-ID: 
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 2021-04-07 03:59, Marki wrote:
> > To elaborate a little bit on that... Indeed that is how it works,
> > unfortunately. When you start using forwarders or stubs, recursion
> > needs to be enabled because you're no longer looking for your own
> > authoritative data only.
>
> A stub or static-stub zone would not require recursion.  In that case
> named is asking for authoritative data from upstream.  But type
> forward zones indeed cannot work if recursion is disabled.
>
> > What I've learned from this list is that you should split
> > authoritative and recursive service.
>
> I would suggest that as a general best practice, but not an absolute
> one.  There's nothing wrong with having internal-only authoritative
> zones on your recursive resolver.  The potential problem comes when
> you're a globally-published NS for your zones; having recursion
> enabled can make you vulnerable to more possible attacks.
>
> I'd say it depends more on who/what you are.  Small-timers are not at so
> much risk for this as large sites and ISPs.  But there too, the
> paranoid would go for two instances of named, authoritative and
> recursive, on a small hosted server even where it's only offering
> recursion to itself.
>
> > May I ask what is the reasoning behind your current setup (pointing
> > your users to the non-recursive service)? What would you like to
> > achieve? What would you like to prevent?
>
> Agreed, that is strange.  It does not seem that an authoritative-only
> named can be very useful for end users.
>
>
> --
>
> Message: 2
> Date: Wed, 7 Apr 2021 15:37:33 +0100
> From: Tony Finch 
> To: Chuck Aurora 
> Cc: bind-users@lists.isc.org
> Subject: Re: forwarding zone setup from a BIND slave (without
> recursion?)
> Message-ID: 
> Content-Type: text/plain; charset=US-ASCII
>
> Chuck Aurora  wrote:
> >
> > A stub or static-stub zone would not require recursion.  In that case
> > named is asking for authoritative data from upstream.  But type
> > forward zones indeed cannot work if recursion is disabled.
>
> Be careful in this kind of situation to be very clear about which client
> or server is doing what: in this case, it isn't clear what doesn't require
> recursion for stub or static stub.
>
> All three types of zone configuration (stub, static stub, and forward)
> are only useful on a server that is providing recursive service.
>
> Forward zones require the upstream server to be recursive too.
>
> Stub and static-stub expect the upstream server to be authoritative;
> the stub server list is a hint that gets replaced by the authoritative
> server list from the zone (a bit like the root hints) whereas static-stub
> only uses the configured upstream servers.
>
> > > What I've learned from this list is that you should split
> > > authoritative and recursive service.
> >
> > I would suggest that as a general best practice, but not an absolute
> > one.  There's nothing wrong with having internal-only authoritative
> > zones on your recursive resolver.  The potential problem comes when
> > you're a globally-published NS for your zones; having recursion
> > enabled can make you vulnerable to more possible attacks.
>
> Right: the rule is that authoritative servers listed as targets of NS
> records should be authoritative-only; it's OK if recursive servers have
> authoritative copies of zones: it can make them more resilient to outages,
> though it does slightly weird things to DNSSEC validation.
>
> Tony.
> --
> f.anthony.n.finch  https://dotat.at/
> Whitby to Gibraltar Point: Northwest 4 

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread RK K
Hello Marki, Matus,

Thank you for the insights on this topic.

Answering Marki's question about why the secondary-authoritative servers
(slaves) are used for lookups: it is somewhat historical, and there was no
need to be recursive (until now) as all the queries are authoritatively
answered or refused. Maybe security is another reason.

Your ideas are much appreciated.

Thank you
Kind Regards
RK

On Wed, Apr 7, 2021 at 8:01 AM  wrote:

>
> Today's Topics:
>
>1. forwarding zone setup from a BIND slave (without recursion?)
>   (RK K)
>2. Re: forwarding zone setup from a BIND slave (without
>   recursion?) (Matus UHLAR - fantomas)
>3. Re: forwarding zone setup from a BIND slave (without
>   recursion?) (Marki)
>
>
> ------
>
> Message: 1
> Date: Tue, 6 Apr 2021 22:47:23 -0400
> From: RK K 
> To: bind-users@lists.isc.org
> Subject: forwarding zone setup from a BIND slave (without recursion?)
> Message-ID:
> <
> caotbjrubejlxc6-uff5kgkd_ignoytg_ku2pkdxbhpovyzs...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> All,
>
> We have a set of BIND primary servers (MASTERs) and a set of secondary
> servers (slaves to the MASTERs).
> The secondary BIND DNS servers have recursion disabled (with "recursion no;")
> in the global options.
> All the applications/systems do use secondary DNS servers for name
> resolution.
>
> Now there is a need to configure a forwarding zone in the "secondary DNS
> servers" to an external DNS server.
>
> In this scenario, in order for the secondary server to forward the DNS
> query to an external DNS server, is it required to enable recursion in
> the global options on the secondary servers?
> Based on reference material, I did not see such a requirement. But my
> observation is that the query is not getting forwarded (tried to check using
> the packet trace).
> When recursion is enabled, the query is getting forwarded.
>
> The BIND version I am using is 9.11.2.x.
>
> Appreciate your ideas and help.
>
> Thank you
> Kind Regards,
> Ravi Kota
>
> --
>
> Message: 2
> Date: Wed, 7 Apr 2021 10:35:12 +0200
> From: Matus UHLAR - fantomas 
> To: bind-users@lists.isc.org
> Subject: Re: forwarding zone setup from a BIND slave (without
> recursion?)
> Message-ID: <20210407083512.ga19...@fantomas.sk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> On 06.04.21 22:47, RK K wrote:
> >We have a set of BIND primary servers (MASTERs) and a set of secondary
> >servers (slaves to the MASTERs).
> >The secondary BIND DNS servers have recursion disabled (with "recursion no;")
> >in the global options.
> >All the applications/systems do use secondary DNS servers for name
> >resolution.
> >
> >Now there is a need to configure a forwarding zone in the "secondary DNS
> >servers" to an external DNS server.
> >
> >In this scenario, in order for the secondary server to forward the DNS
> >query to an external DNS server, is it required to enable recursion in
> >the global options on the secondary servers?
>
> yes.
>
> >Based on reference material, I did not see such a requirement. But my
> >observation is that the query is not getting forwarded (tried to check using
> >the packet trace).
> >When recursion is enabled, the query is getting forwarded.
> >
> >The BIND version I am using is 9.11.2.x.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> It's now safe to throw off your computer.
>
>
> --
>
> Message: 3
> Date: Wed, 7 Apr 2021 10:59:30 +0200
> From: Marki 
> To: bind-users@lists.isc.org
> Subj

forwarding zone setup from a BIND slave (without recursion?)

2021-04-06 Thread RK K
All,

We have a set of BIND primary servers (MASTERs) and a set of secondary
servers (slaves to the MASTERs).
The secondary BIND DNS servers have recursion disabled (with "recursion no;")
in the global options.
All the applications/systems do use secondary DNS servers for name
resolution.

Now there is a need to configure a forwarding zone in the "secondary DNS
servers" to an external DNS server.

In this scenario, in order for the secondary server to forward the DNS
query to an external DNS server, is it required to enable recursion in
the global options on the secondary servers?
Based on reference material, I did not see such a requirement. But my
observation is that the query is not getting forwarded (tried to check using
the packet trace).
When recursion is enabled, the query is getting forwarded.

The BIND version I am using is 9.11.2.x.

Appreciate your ideas and help.

Thank you
Kind Regards,
Ravi Kota
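Added example for this thread (it is not any poster's configuration): two
named.conf fragments, the non-working layout from Ravi's question above and
the split that Chuck and Tony recommend in their replies earlier on the page.
Zone names, addresses, ACL ranges and file paths are placeholders. The
fragments use the 9.11 keywords "slave" and "masters"; 9.16 and later also
accept "secondary" and "primaries".

```conf
// ======================================================================
// File 1: named.conf on an NS-listed secondary, as in the original post.
// ----------------------------------------------------------------------
// The forward zone loads without complaint but is never used: named only
// consults forwarders while performing a recursive lookup, and
// "recursion no;" means it never performs one.  Clients asking for
// partner.example get a non-answer (REFUSED or a referral), not a
// forwarded reply.  This is the "query is not getting forwarded" case.
// ======================================================================
options {
    directory "/var/cache/bind";     // placeholder path
    recursion no;
};

zone "corp.example" {                // placeholder internal zone
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };   // placeholder primaries
    file "slave/corp.example";
};

zone "partner.example" {             // placeholder external zone
    type forward;
    forward only;
    forwarders { 198.51.100.53; };   // dead config while recursion is off
};

// ======================================================================
// File 2: named.conf on a separate recursive instance for the clients.
// ----------------------------------------------------------------------
// The NS-listed secondaries keep File 1 minus the forward zone and stay
// authoritative-only.  Internal clients point at this instance instead.
// It may still hold slave copies of internal zones (answered locally,
// no recursion needed), and it is the right place for forward, stub and
// static-stub zones.  Recursion is limited to an internal ACL so the
// host does not become an open resolver.
// ======================================================================
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // placeholder

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

// Local authoritative copy: answered from the zone file.
zone "corp.example" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slave/corp.example";
};

// Forward zone: the forwarder itself must be a recursive resolver,
// because named sends it recursion-desired queries and expects full
// answers back.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };
};

// Static-stub: the listed servers must be authoritative for the zone;
// named queries only these configured servers, never the NS RRset it
// learns from the zone.
zone "lab.example" {
    type static-stub;
    server-addresses { 203.0.113.53; };
};

// Stub: the masters are only a bootstrap hint; named fetches the zone's
// NS RRset from them and then iterates to whatever servers that names.
zone "dev.example" {
    type stub;
    masters { 203.0.113.54; };
    file "stub/dev.example";
};
```

With File 1, a client query for partner.example is answered from what the
server holds locally rather than forwarded, which matches the packet trace
described in the question. With File 2, only addresses in the internal ACL
get recursion, the forward zone actually forwards, and the globally
published secondaries are left with nothing but authoritative data, which is
the split Tony's rule calls for.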
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users