I am attempting to disable recursion from outside my network and provide authoritative name services exclusively for my own domains. At the same time, I want my server to provide recursive services for my local network xxx.xxx.x.x; xxx.xxx.x.y xxx.xxx.x.z;
Whenever I attempt this, I get no error from /usr/sbin/named-checkconf /path/to/named.conf. However, my name server refuses to answer queries (at least locally) and my log file shows this error:
Quote:
Mar 13 22:35:35 testy named[28667]: both "recursion no;" and "allow-recursion" active
Can someone help me find my probably obvious and simple error?
The relevant portion of my named.conf is below:
Code:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "[SECURED]";
    recursion no;
    allow-recursion { 127.0.0.1; xxx.xxx.x.x; xxx.xxx.x.y; xxx.xxx.x.z; };
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    listen-on port 53 {
        127.0.0.1; xxx.xxx.x.z; my.public.ip.address;
    };
    // query-source address * port 53;
};
//
// a caching only nameserver config
//
// controls {
//     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
// };
zone "." IN {
    type hint;
    file "named.ca";
};
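
An added example, not part of the original post: a small pre-reload lint for the condition in the log line above, which named-checkconf accepted without complaint. The sample configuration is constructed (documentation addresses stand in for the redacted ones), and the function names and finding labels are hypothetical.

```python
import re

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores comment marks inside quotes)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text inside the options { ... } block, or '' if absent or unbalanced."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""

def lint_recursion(conf):
    """Report recursion settings that conflict or leave recursion open."""
    body = options_body(strip_comments(conf))
    # The lookbehind keeps "allow-recursion" from matching as "recursion".
    rec = re.search(r"(?<![-\w])recursion\s+(yes|no|true|false|1|0)\s*;", body)
    acl = re.search(r"(?<![-\w])allow-recursion\s*\{([^}]*)\}", body)
    enabled = rec is None or rec.group(1) in ("yes", "true", "1")  # BIND default is yes
    findings = []
    if not enabled and acl:
        findings.append("CONFLICT: recursion is off, so allow-recursion cannot take effect")
    if enabled and acl is None:
        findings.append("NO-ACL: recursion is on and relies on the built-in default ACL")
    if enabled and acl and re.search(r"\bany\b", acl.group(1)):
        findings.append("OPEN: allow-recursion includes 'any'")
    return findings

# Constructed sample modelled on the posted options block.
POSTED = """options {
    directory "/var/named";
    recursion no;
    allow-recursion { 127.0.0.1; 192.0.2.10; 192.0.2.11; };
    listen-on port 53 { 127.0.0.1; 192.0.2.11; };
    // query-source address * port 53;
};
zone "." IN { type hint; file "named.ca"; };
"""
# Same block with recursion on and the ACL left to restrict who may use it.
SPLIT = POSTED.replace("recursion no;", "recursion yes;")
```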