On Wed, 20 Mar 2013, Chris Gebhardt - VIRTBIZ Internet wrote:

> I wonder if it would be best to re-title the option as "Permit
> non-authoritative response" or "Allow Recursion". Possibly add a note
> to the effect of "NOT RECOMMENDED. Do not enable unless you know what
> you're doing."

I agree that the labeling could be better, and possibly locating it next to the box where IPs allowed to recurse go. I'd also recommend pre-populating the box with "localhost; localnets" just to be sure there's not a default of "any" and that the cache setting checkbox at least doesn't let the server become wide open.

Cache and recursion are related, in that you (apparently) need recursion to query the cache, so no cache also means no recursion (and in BX, it actually sets/unsets the "allow-recursion" string in the real config file). Also, I think that in later BIND versions, there was a separation of certain CACHE and RECURSION settings and the way they inter-related. I remember digging into this issue a while back, and I seem to recall that change plus a number of other changes that happened around the transition from RH 4.x to 5.x, and BIND 9.4 to 9.5. I do remember getting even more confused by some of the unclear language in various BIND documents and third-party articles. I still don't feel I've got a good grasp on what some combinations really do. At the time, I worked on a suggestion posting for the GUI section layout, but I may have never actually posted it.

> Also, I don't recall if the checkbox is on or off by default. My call
> is it should be off by default.

Not sure myself.

> This isn't because what is in the BlueOnyx GUI is wrong, but I think
> there are plenty of BlueOnyx users that may not fully understand

I'd bet on that. I'm one. :)

> I'm having a hard time thinking of good scenarios that would make it a
> good idea to have caching turned on.

If machines on your local network look at your own servers, at least something needs to allow recursion. If everything looks to the upstream ISP, then no. The advantage, I presume, would be to keep most DNS activity 'internal' to the local network(s) rather than sending everything upstream. It was likely more important back when outside bandwidth was much more limited and expensive.

> Usually, the ISP provides recursive nameservers. We provide recursion
> to all of our customers on dedicated DNS hosts that are locked down to
> only provide replies to subnets that we supply. I believe that is the
> norm.

It's what we do, too.

> Therefore, I can't think of many reasons that one would need a
> BlueOnyx box to also serve recursive queries. But of course I may be
> myopic and there could be something I just haven't thought of.

Not serve the queries to the outside world, for sure! =^_^=

Tigerwolf

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
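An added example, not part of the thread and not the BlueOnyx code that writes named.conf: the two named.conf `options` settings the discussion circles around, shown side by side (they are alternatives, not one file). The first is what the box becomes if the "IPs allowed to recurse" field ends up as "any"; the second is the "localhost; localnets" restriction suggested above, with the separate `allow-query-cache` directive that BIND 9.4 and later use to control who may read the cache. The ACL name `trusted` and the 192.0.2.0/24 customer range are assumptions for illustration.

```conf
// WEAK: an open resolver. Any host on the Internet can make this
// server recurse on its behalf and read its cache, which is what
// reflection/amplification abuse and cache-poisoning attempts rely on.
options {
    recursion yes;
    allow-recursion { any; };
};

// SAFER: recursion and cache reads limited to the box itself, the
// directly attached networks, and one customer range. The ACL name
// and 192.0.2.0/24 (a documentation prefix) are assumed for the example.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;
};

options {
    recursion yes;
    allow-recursion { trusted; };
    // BIND 9.4+: if allow-query-cache is omitted, BIND derives it from
    // allow-recursion (or, failing that, allow-query). Set it explicitly
    // so a later change to allow-query cannot silently widen cache access.
    allow-query-cache { trusted; };
    // Authoritative answers for the zones this box hosts still go to all.
    allow-query { any; };
};

// If the box should never recurse (every client points at the ISP's
// resolvers), the simplest setting is to turn recursion off outright:
// options { recursion no; };
```

After editing, `named-checkconf` validates the syntax, and `rndc reload` applies it. To confirm the result from an address outside the ACL, query the server for a name it is not authoritative for (for example `dig @<server> example.com`): a correctly locked-down server answers REFUSED, and dig prints "WARNING: recursion requested but not available" because the RA flag is clear, while queries for the hosted zones continue to be answered.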