I try to configure bind9 as an authority server for several domains.
Entries of some domains are CNAME of another domain.
/etc/bind/named.conf
options{
dnssec-validation no;
directory "/var/cache/bind";
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
allow-update { none; };
allow-recursion { none; };
recursion no;
notify yes;
allow-transfer { none; };
forwarders {};
};
zone "primary.net"{
type master;
file "/etc/bind/primary.net";
};
zone "secondary.net"{
type master;
file "/etc/bind/secondary.net";
};
/etc/bind/primary.net
$TTL 604800
@ IN SOA ns1.primary.net. contact.primary.net. (
2022120800 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
@ IN NS ns1.primary.net.
@ IN A 172.100.100.1
ns1 IN A 127.100.100.53
host IN A 127.100.100.1
/etc/bind/secondary.net
$TTL 604800
@ IN SOA ns1.secondary.net. contact.secondary.net. (
2022120800 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
@ IN NS ns1.secondary.net.
@ IN A 172.200.200.1
ns1 IN A 127.200.200.53
myalias IN CNAME host.primary.net.
What I see:
$ host myalias.secondary.net localhost
myalias.secondary.net is an alias for host.primary.net.
What I see when I set allow-recursion { any; };
and recursion on;
$ host myalias.secondary.net localhost
myalias.secondary.net is an alias for host.primary.net.
host.primary.net has address 127.100.100.1
This is the behavior I want! But now I have an open resolver :(
The question is: how can I allow recursion only for local zones?
Since the allow-recursion
directive only filters client addresses, I can't use it to filter domains…
Thanks for your help!
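A check for the open-resolver concern raised above, added here as an example and not part of the question or of BIND: it sends one RD=1 query for a name the server is not authoritative for (the constructed out-of-zone name example.com.) and reports whether the server recursed (RA set, answer returned) or refused. Run it from a host that should not be granted recursion; the server address and port are assumptions.

```python
"""Added example: check that an authoritative BIND server does not recurse
for clients that should be refused. Not code from the question or from BIND."""
import random
import socket
import struct

def build_query(qname: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header plus one question."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000      # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp: bytes) -> dict:
    """Decode the header fields that matter for a recursion check."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def classify(resp: bytes) -> str:
    """'refused' when rcode is REFUSED (5), 'open-resolver' when the server
    recursed and answered a non-authoritative name, otherwise 'other'."""
    h = parse_header(resp)
    if h["rcode"] == 5:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0 and not h["aa"]:
        return "open-resolver"
    return "other"

def probe(server: str, qname: str = "example.com.", port: int = 53,
          timeout: float = 3.0) -> str:
    """Send one recursive query for an out-of-zone name and classify the reply.
    'server' and 'port' are assumptions; example.com. is a constructed name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        data, _ = s.recvfrom(512)
    return classify(data)

if __name__ == "__main__":
    print(probe("127.0.0.1"))  # replace with the address of the BIND server
```

With the question's first configuration (recursion no; allow-recursion { none; };) the expected result from any client is "refused"; "open-resolver" from a client outside the allowed set is the condition to fix.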