Subject: Re: change named.conf to turn off recursion by default?
To: None <>
From: Alan Barrett <>
List: tech-net
Date: 03/07/2006 09:43:00
On Sun, 05 Mar 2006, Steven M. Bellovin wrote:
> should we ship a named.conf that disables recursion?

The default named.conf should not provide any service at all to
outsiders.  It should provide recursion to localhost.  In other words,
I'd like the default to be equivalent to

	listen-on port 53 {; ::1; };
	allow-recursion {; ::1; };

> The problem is that doing it properly requires the site to fill in
> trusted hosts or nets, which means that it won't run properly out of
> the box for some configurations.

It's fine to require manual configuration for cases where the host will
provide services to others.  For cases where the host will provide
services to itself, it's more important for it to work without manual

--apb (Alan Barrett)