The list of fetches at the end of 'rndc recursing' output is very poorly explained in the ARM - what does 'allowed' mean?
In the ARM, the output from rndc option recursing is described thus:
This command dumps the list of queries named is currently recursing on, and the list of domains to which iterative queries are currently being sent. The second list includes the number of fetches currently active for the given domain, and how many have been passed or dropped because of the fetches-per-zone option.
This is an example of what is being output in the second list:
name.example.com.: 1 active (0 spilled, 1 allowed)
The counters here need a better explanation than the one given in the ARM. Specifically, the word 'allowed' is ambiguous. What it actually means is: "for the lifetime of this entry, 1 fetch has not been blocked by any per-domain fetch limits". What it does not mean (but could easily be misinterpreted thus) is 'only 1 concurrent fetch is permitted'. This is an alarming thing to see on a server that has fetch-limits entirely disabled.
The other two values are more easily understood - 'active' is the number of fetches currently in progress (that is, queries from a resolver to other servers); 'spilled' is a count of those that have been dropped (or SERVFAILed) because of fetches-per-zone.
Please could the author of this dump list provide some more information about the values, and what they represent (in relation to fetches and the structures around those for 'counting' for fetches-per-zone, which happens anyway, even if fetches-per-zone is disabled). An update to the ARM would be ideal, but also in the interim, we could add a small FAQ to kb.isc.org as well as update the main KB articles on fetch-limits.
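To illustrate the counter semantics described in this issue, here is an added example (not part of the original report and not BIND's own code) that parses lines in the quoted format and restates each counter in unambiguous terms. The function names and the sample dump are constructed for illustration, and the spill ratio is a derived figure, not something named prints.

```python
import re

# Matches the per-domain line format quoted in the issue:
#   name.example.com.: 1 active (0 spilled, 1 allowed)
FETCH_LINE = re.compile(
    r"^\s*(?P<domain>\S+): (?P<active>\d+) active "
    r"\((?P<spilled>\d+) spilled, (?P<allowed>\d+) allowed\)\s*$"
)

# Constructed sample input, not captured from a real server.
SAMPLE_DUMP = """\
; constructed line that is not a fetch counter and must be skipped
name.example.com.: 1 active (0 spilled, 1 allowed)
busy.example.net.: 40 active (160 spilled, 640 allowed)
"""


def parse_fetch_counters(dump_text):
    """Return one dict per per-domain fetch line; all other lines are skipped."""
    entries = []
    for line in dump_text.splitlines():
        m = FETCH_LINE.match(line)
        if not m:
            continue
        active = int(m["active"])    # fetches in progress right now
        spilled = int(m["spilled"])  # lifetime count dropped by fetches-per-zone
        allowed = int(m["allowed"])  # lifetime count NOT blocked (not a limit)
        attempts = spilled + allowed  # derived: every fetch counted for this entry
        entries.append({
            "domain": m["domain"],
            "active": active,
            "spilled": spilled,
            "allowed": allowed,
            "spill_ratio": spilled / attempts if attempts else 0.0,
        })
    return entries


def describe(entry):
    """Restate the counters without the ambiguous word 'allowed'."""
    return (
        f"{entry['domain']} {entry['active']} in progress now; over the lifetime "
        f"of this entry {entry['allowed']} passed the per-domain limit check and "
        f"{entry['spilled']} were dropped ({entry['spill_ratio']:.1%} spilled)"
    )


if __name__ == "__main__":
    for e in parse_fetch_counters(SAMPLE_DUMP):
        print(describe(e))
```

A non-zero spill ratio means fetches-per-zone is actively dropping fetches for that domain; a ratio of zero with any 'allowed' value means nothing is being limited.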