Les Mikesell wrote:

> On Sat, 2006-03-25 at 14:57, John Hinton wrote:
>
>> Seems that bind by default allows recursion and it's not a good idea.
>
> It's a good idea if you expect it to resolve addresses for you. It
> may not be a good idea for the registered public servers where
> you expect outside queries for your domains only.
>
>> I'm struggling a bit on a couple of systems. These two systems run
>> sendmail and are nameservers. I have sendmail set to do domain lookups
>> and bounce if the domain does not exist.
>>
>> My struggle has been to turn recursion off in bind while allowing
>> sendmail to do these lookups. I've been trying to do this by setting up
>> allow-recursion in the options section of named.conf. Using something like
>>
>> allow-recursion {192.1.1.0/24; 192.34.2.6; };
>>
>> The IPs have been changed to protect the innocent......
>>
>> Bind is happy with the entry.. sendmail is not and starts bouncing email.
>>
>> Does anybody have this working and have any hints? I've googled and
>> tested for hours....
>
> If you insist on having recursion off on the public servers
> configured as primary and secondaries for your domains (and
> it doesn't make sense elsewhere), the easy fix is to run other
> DNS servers configured normally to do your own lookups and use
> the /etc/resolv.conf entries on your sendmail servers to use
> them - as you'll need to do for everything else that wants a
> DNS server. Your own lookups are controlled entirely by the
> resolv.conf entries and can be on other machines whether or not
> you run an instance of named on the local machine.

At the suggestion of some notes on DNSReport.com, I tried turning recursion off and when I did, it broke sendmail. All of my upstream DNS' have recursion turned on, and from what I gather about the mess there is a chance of DNS poisoning with recursion on.

Sam
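An added named.conf fragment, not taken from the thread, showing the allow-recursion pattern John describes together with the check that usually decides whether a local MTA keeps working: the ACL has to contain whatever source address sendmail's resolver actually uses, which is 127.0.0.1 when /etc/resolv.conf on the same box lists the local named. The address ranges are constructed placeholders.

```conf
// Clients that may use this server as a recursive resolver.
// Everyone else still gets authoritative answers for our own zones
// (allow-query stays open), but recursion is refused to them.
acl "resolver-clients" {
    127.0.0.1;          // sendmail on this host, if resolv.conf says "nameserver 127.0.0.1"
    ::1;                // same for IPv6 loopback
    192.0.2.0/24;       // constructed: the internal LAN that may resolve through us
    198.51.100.25;      // constructed: a second mail host on another network
};

options {
    directory "/var/named";

    // Leave recursion enabled; the ACL below is what limits who gets it.
    // "recursion no" would switch it off for everyone, including localhost,
    // which is what breaks a co-located sendmail doing domain lookups.
    recursion yes;

    allow-query     { any; };               // public zones stay answerable by anyone
    allow-recursion { resolver-clients; };  // only listed clients get recursive service
};

// The zones this server is primary/secondary for are declared below as usual;
// outside queries for them are unaffected by the recursion ACL.
```

If you instead follow Les's suggestion and point /etc/resolv.conf at a separate resolver, the loopback entries above are unnecessary and the public server can carry `recursion no` outright.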