Recursive Lookup?

Barry Margolin barmar at
Thu Nov 18 20:56:08 UTC 1999

In article <n6XY3.13$lS.607 at>,
Bob Helland <bhelland at> wrote:
>So if a DNS Admin says (and I'm going to quote him...)
>"...I run DNS for one of my customers.  AT&T turned off recursive, and they
>were down three days..."
>He's basically saying that his customer uses him for DNS resolution, and he
>would then query the auth servers (I'm assuming AT&T).  If they '...turned
>off recursive...'  What exactly would that mean?  They wouldn't allow him to
>query their auth servers?  Or what??

It means that they configured their authoritative servers so that they
won't perform recursive queries on behalf of queries that they received.

Typically, a large ISP will have one set of servers that customers are
allowed to use in their resolver configurations, and these servers have
recursion enabled.  They have another set of servers that are used as
authoritative (master or slave) servers for customer domains, and they do
perform recursion (they expect to be queried by the user's recursive

For instance, in GTE Internetworking we have DNSAUTH1.SYS.GTEI.NET,
DNSAUTH2.SYS.GTEI.NET, and DNSAUTH3.SYS.GTEI.NET as authoritative servers,
and they don't perform recursion.  We also have VNSC-PRI.SYS.GTEI.NET,
VNSC-BAK.SYS.GTEI.NET, and VNSC-LC.SYS.GTEI.NET, which are caching-only
servers that our customers should use, and they perform recursion.

There are several reasons for separating the two functions.  First,
deployment needs are different: caching servers need to be close to
customer sites for best performance; we used to give different caching
server addresses to customers in different parts of the country, but now we
make use of "anycast" technology to replicate the caching servers
throughout our backbone and automatically direct customers to the closest
one (see RFC 1546).  Second, users are less likely to get obsolete
information by splitting the services; if a customer updates the
registration of their domain to remove our servers, but doesn't tell us to
remove the domain from our server configurations, customers would continue
to see the old records if they were using our authoritative servers as
their resolvers.  Third, it may be useful to configure server hardware
differently for the two roles.

Barry Margolin, barmar at
GTE Internetworking, Powered by BBN, Burlington, MA
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
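The split described in the message above is visible in the DNS header of a server's reply: a caching server sets the RA (recursion available) bit, while an authoritative-only server leaves it clear and returns its own data, a referral, or REFUSED. The following is an added example, not part of the original post; the sample headers and the name `example.com` are constructed, and `probe` is a hypothetical helper for checking servers you operate.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Build an A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(msg):
    """Classify a server's behaviour from the header of its response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if flags & RA:
        return "recursion available"
    if rcode == 5:  # REFUSED
        return "recursion refused"
    if flags & AA:
        return "authoritative answer, recursion off"
    if ancount == 0 and nscount > 0:
        return "referral only, recursion off"
    return "recursion off"

def probe(server, name, timeout=3.0):
    """Send one query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recvfrom(512)[0])

def _header(flags, ancount=0, nscount=0):
    """Pack a 12-byte response header for the constructed samples."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed sample response headers (not captured traffic).
SAMPLES = {
    "caching server": _header(QR | RD | RA, ancount=1),
    "auth server, own zone": _header(QR | AA | RD, ancount=1),
    "auth server, foreign name (referral)": _header(QR | RD, nscount=13),
    "auth server, foreign name (REFUSED)": _header(QR | RD | 5),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label}: {classify_response(msg)}")
```

A resolver pointed at a server in the last two categories gets no usable answer for names outside that server's zones, which is the outage the quoted admin describes.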
