> I have a CentOS3 server running BIND 9.4.2 acting as an authoritative name
> server for a domain. It was also performing recursive lookups for other
> machines in the same subnet, but this is no longer desirable as I was
> informed that external machines can still use its name cache even if
> they're not on the allow-recursion ACL (they just can't initiate new
> name lookups) so long as recursive lookups are allowed for more machines
> than none, and as this machine is not exactly a resource beast I would
> rather disable recursive lookups.

I suspect you are misinformed. Allow-query-cache and
allow-recursion cross inherit from each other.

If you have an older version of named you can still achieve
the desired behaviour by setting allow-query at the
options/view level to the value of the allow-recursion acl
and then set allow-query acl to "any;" in all of the zones.

Allow-query-cache was introduced in BIND 9.4 to make this

So either you are not running the version you say you are
or you have also set allow-query-cache to allow non-recursors
to access the cache.


> Problem is, once all this is done I then remove from the
> resolv.conf file and now when the BIND daemon starts rather than being
> almost instant it can sit from 5-15 minutes before firing up.
> Should I be setting allow-recursion { none; }; and then leaving
> in the resolv.conf file? If so, why does BIND require this for a speedy
> start-up? As the machine never needs to resolve names within its own
> domain, I'd like it to bypass itself.
> Paul ****er

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
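
The older-version workaround described in the reply above, written out as a named.conf fragment. This is an added example, not configuration from the original thread; the ACL name "trusted", the 192.0.2.0/24 subnet, the zone example.com, the directory and the zone file name are assumed placeholders.

```conf
// Constructed example: every name, address and path here is a placeholder.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;                 // assumed local subnet allowed to recurse
};

options {
    directory "/var/named";       // assumed path

    // Only the trusted clients may ask this server to recurse.
    allow-recursion { "trusted"; };

    // Workaround for versions without allow-query-cache:
    // default allow-query to the same ACL as allow-recursion, so
    // queries for anything outside the zones below (including
    // names already sitting in the cache) are refused for
    // everyone else.
    allow-query { "trusted"; };

    // On BIND 9.4 and later the cache has its own ACL, and per the
    // reply it and allow-recursion inherit from each other, so the
    // allow-query line above can be replaced by:
    //   allow-query-cache { "trusted"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";      // assumed file name

    // Authoritative data stays open to the whole Internet; this
    // zone-level setting overrides the restrictive default above.
    allow-query { any; };
};
```

Running named-checkconf on the file catches syntax errors before named is restarted. Each authoritative zone needs its own allow-query { any; }; line, otherwise it inherits the restrictive default from the options block.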