OK, so I'm not running *real* BIND, but Redhat's "special" version
On my authoritative servers, I have allow-query set to 'any' (has to be
that, of course) and allow-recursion set to an acl that allows just our
inside networks.

I *thought* that would allow folks to look up zones for which we were
authoritative and give the e-finger to anyone off-campus asking for
anything else.

Apparently that's not quite the case.

When I dig for, say, google.com from off-campus against my nameservers, I
get one of two kinds of answers: From my master, I get A, NS, and glue for
google.com. From my slaves, I get NS and glue only.

I thought, that by setting allow-recursion to my own little part of the
world, that any request for zones which I'm not authoritative would just
get (pick your analogy) a blank stare or the e-finger?

So, am I 1) confused about allow-recursion, 2) not correctly configured
(see also #1) or 3) looking at a bug in RH's diddling of BIND?


Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
Feedback? Contact my director, Craig Cochell, craigc@ou.edu. Thank you!