On 30.09.09 15:59, Sven Eschenberg wrote:
> When I had no allow-query statement at all in my config, everything
> worked fine (including recursion) for all clients, that were in subnets
> directly attached to the server. The external view (authoritative, non
> recursive) did work for every client as supposed to.
> Now a client on a not directly attached subnet, with its own view,
> could not resolve anything, except local zones on the server. (Though
> recursion was turned on for the view).
> External view's clients could not recurse, though recursion was turned
> on, obviously to really recurse I'd need an allow-query statement.
>
> Adding an allow-query statement to the general config, limited to the
> campus network made all local views work, but with the result, that no
> client matching the external view could look up the authoritative zones.
>
> Now, I am wondering if I did set up everything right after all, here's
> what I did do:
>
> External view, no recursion, allow-query {any;}
> Not directly attached client with internal view: match on client's ip,
> allow recursion, allow query for the client's ip.
> all other internal views, matched by locally attached networks, no
> allow-query statement, allow recursion.
>
> This seems to work.
>
> I am wondering: Would it be harmful to allow queries by any host
> (globally) as long as external clients (in their view) are not allowed
> any recursion? Would that be more feasible?

allow-query { any; }; is default. Do you have any other allows?

The first error message indicated that you didn't allow query-cache or
recursion for some clients. Apparently you cloned a view but forgot to allow
either one in the new view...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
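
The layout discussed in this thread, written out as a named.conf sketch. This is an added example, not configuration posted by either participant; the ACL names, view names, zone, file paths and addresses are constructed placeholders. It relies on BIND 9.4 and later behaviour: when none of allow-query, allow-recursion and allow-query-cache is set, the latter two default to { localnets; localhost; }, which matches the symptom of directly attached subnets recursing while a routed subnet does not.

```conf
// Constructed example: names, paths and addresses are placeholders.
acl "attached-nets" { 192.0.2.0/24; };     // subnets on the server's own interfaces
acl "remote-net"    { 198.51.100.0/24; };  // routed campus subnet, not part of localnets

options {
    directory "/var/named";
    // No global allow-query here. A global restriction is inherited by every
    // view that does not override it, including the external view.
};

// Views are matched in order; the first match wins.
view "internal-attached" {
    match-clients { "attached-nets"; };
    recursion yes;
    // Explicit ACLs instead of relying on the localnets/localhost default.
    allow-recursion   { "attached-nets"; };
    allow-query-cache { "attached-nets"; };
    zone "example.com" { type master; file "internal/example.com.zone"; };
};

view "internal-remote" {
    match-clients { "remote-net"; };
    recursion yes;
    // This subnet is not in localnets, so both ACLs must name it explicitly,
    // otherwise only the zones served locally will resolve.
    allow-recursion   { "remote-net"; };
    allow-query-cache { "remote-net"; };
    zone "example.com" { type master; file "internal/example.com.zone"; };
};

view "external" {
    match-clients { any; };          // catch-all, so it must come last
    recursion no;
    allow-query       { any; };      // authoritative answers for everyone
    allow-query-cache { none; };     // no cached data handed to outside clients
    zone "example.com" { type master; file "external/example.com.zone"; };
};
```

Running named-checkconf against the file reports syntax errors before named is reloaded.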