[dns-operations] sophosxl.net problem?

Tony Finch dot at dotat.at
Tue Nov 12 12:29:45 UTC 2019

James Stevens <js at jrcs.net> wrote:
> Would it be reasonable for an authoritative-only DNS Server to reject / ignore
> / throttle requests with RD=1 ?

I think for quite a long time my toy DNS server (which runs with an
appalling hodge-podge of patches) was running with a config something

view rec {
	match-recursive-only yes;
	# stuff
view auth {
	recursion no;
	allow-recursion { none; };
	zone dotat.at { /* ... */ );
	# etc.

The effect was that recursive queries went to the rec view then got
rejected by an ACL; RD=0 queries went to the auth view which served my
zone to all comers. The only problem I noticed was RD=1 health checks from
one of my secondaries. My config now has a match-clients clause in the rec
view which works better all round.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
promote human rights and open government

More information about the dns-operations mailing list