BIND 9 with views recursion issues

2 msg	Recursion no
5 msg	Public DNS with NAT IP
5 msg	9.3.2 recursive only for local host
1 msg	Test of BIND Configuration
1 msg	Bind Logging - using a pipe
2 msg	Bind not answering to extern?
3 msg	Is there a way to exclude a RR during a zone tr...
2 msg	FC6 DNS Simple Setup help
1 msg	Nameserver not resolving working domain
1 msg	migrating from djb tinydns (qmail suite) to bin...
3 msg	'CNAME and other data' problem
11 msg	Difference between secondary and slave dns servers

BIND 9 with views recursion issues
\ FredrichManey (14 Nov 2006)
. \ FredrichManey (14 Nov 2006)
. \ Jeffrey Reasoner (14 Nov 2006)
. \ FredrichManey (14 Nov 2006)
. . \ Jeffrey Reasoner (14 Nov 2006)
. \ Mark Andrews (14 Nov 2006)
. \ FredrichManey (15 Nov 2006)
. \ Barry Margolin (15 Nov 2006)

3 msg	Can't create & delegate subdomains on inter...
3 msg	bind9 and view
3 msg	9.2.0 cache cleaner: dns_dbiterator_first() fai...
13 msg	Dynamic DNS
3 msg	recursive-clients soft limit exceeded, aborting...
6 msg	French characters in bind zone
1 msg	Zones expiring in BIND 9

Subject:	BIND 9 with views recursion issues
Group:	Bind-users
From:	FredrichManey
Date:	14 Nov 2006

All,

I'm experiencing an extremely frustrating issue involving recursion in
a new BIND 9 installation.

Environment:
2 new Solaris 9 servers running bind 9.3.2 built from source. They are
configure with two views - internal and external - and are in a dual
master configuration. They are on RFC 1918 addresses behind a NAT
firewall and should only be accessible from the internal network (the
external view is being built with the intention of these machines
becoming 'hidden masters' for the public name servers on the outside of
the firewall).

Problem:
When trying to resolve some specific zones that are not in the cache, I
get server timeouts and non-existent zone responses. This does not
happen for all non-cached zone, but it does happen for all look ups of
the affected zones (tested using dig and nslookup, both locally and
from remote clients).

Here's the relevant parts of my named.conf file:

// BIND Option Statements
options {
version "You have been logged and reported.";
// All paths in this file are relative to this directory.
directory "/named/";
listen-on port 53 { any; };
listen-on-v6 { none; };
pid-file "var/named.pid";
statistics-file "var/statistics";
memstatistics-file "var/memstats";
dump-file "var/named.dump";
zone-statistics yes;
auth-nxdomain no; # conform to RFC1035
};

// Access Control Lists
acl rfc_1918 { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl private_dns { 10.3.8.100; 10.3.8.101; };
acl internal_dns { 10.3.8.100; 10.3.8.101; };
acl external_dns { 74.128.1.70; 74.128.1.71; };

// snip logging configuration

// internal view for internal hosts on inside network and dmz
view "internal" {
// any host that doesn't match here falls through to the external
view
match-clients { "rfc_1918"; };
allow-query { "rfc_1918"; };
allow-recursion { "rfc_1918"; };
allow-transfer { "internal_dns"; };
notify-source 10.3.8.100 port 53;
query-source address 10.3.8.100 port 53;
transfer-source 10.3.8.100 port 53;

zone "." {
type hint;
file "db/internal/named.root";
}
// snip internal view master and slave zone configurations;
};

// external view for external hosts and networks on the internet
view "external" {
// any host that didn't match the internal view above
match-clients { any; };
allow-query { any; };
allow-recursion { none; }; # recursion disabled for external
clients
allow-transfer { "external_dns"; };
notify-source 10.3.8.100 port 53;
query-source address 10.3.8.100 port 53;
transfer-source 10.3.8.100 port 53;

zone "." {
type hint;
file "db/external/named.root";
};
// snip external view master and slave zone configurations
};

Any help would be greatly appreciated. This is impacting production and
if I don't get resolved soon I'm going to be forced to go back Bind 8
without views because "bind 9 doesn't work and we are only going there
because it's the new thing".

fpsm