Re: questions on allow-query

2018-02-21 Thread Barry Margolin
In article , "Darcy Kevin (FCA)" wrote:
> Other than the master server(s), where there is no choice but to be
> authoritative, at one end of the spectrum, and border resolvers, for which
> there is no choice but to

Re: questions on allow-query

2018-02-21 Thread Bob Harold
On Wed, Feb 21, 2018 at 8:18 AM, Tony Finch wrote:
> Evan Hunt wrote:
> >
> > One thing to keep in mind, though, is that the two services will share each
> > other's fates. If I were deploying a really big high-traffic server, I
> > might consider whether I

Re: questions on allow-query

2018-02-21 Thread Tony Finch
Evan Hunt wrote:
>
> One thing to keep in mind, though, is that the two services will share each
> other's fates. If I were deploying a really big high-traffic server, I
> might consider whether I wanted my recursive service to have to wait for
> all the zones to load before it

Re: questions on allow-query

2018-02-20 Thread Evan Hunt
On Tue, Feb 20, 2018 at 11:41:37PM +, Darcy Kevin (FCA) wrote:
> Call me a contrarian, but I've never really signed onto the conventional
> wisdom that recursive and authoritative roles should never be mixed, even
> as I've transitioned into the InfoSec realm, where, generally speaking,
> we

RE: questions on allow-query

2018-02-20 Thread Darcy Kevin (FCA)
-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Elkins
Sent: Tuesday, February 20, 2018 2:58 AM
To: bind-users@lists.isc.org
Subject: Re: questions on allow-query

Reading between the lines - it sounds like you may be mixing nameserver roles,

Re: questions on allow-query

2018-02-19 Thread Mark Elkins
Reading between the lines - it sounds like you may be mixing nameserver roles, recursion with authoritative. This is not a good idea and is why other Nameserver software (NSD, UNBOUND and others) either perform one role or the other. I understand that BIND-10 was also designed like this -

Re: questions on allow-query

2018-02-19 Thread Evan Hunt
On Mon, Feb 19, 2018 at 03:51:42PM -0700, @lbutlr wrote:
> If I set
>
> allow-query { 127.0.0.1; [myipblock]; }
>
> Then my DNS doesn't respond to any other servers, right? This would be
> bad for being authoritative. so, should I set that and then set
> allow-query { any; }; in each zone?
>
>