Lump answers

Barry Margolin barmar at
Mon Nov 29 21:45:51 UTC 1999

In article <525459408.943911166071.JavaMail.qtran at hutch.East.Sun.COM>,
 <Christine.Tran at> wrote:
>Mark > A root server will forward any recursive queries asked of it for
>Mark > which it does not already have an answer.  This works even if the
>Mark > forwarder has to ask the root for information as the forwarder will
>Mark > make a non-recursive query to the root server.
>Cricket > But internal root name servers, which are what Christine is
>Cricket > describing, only know about a small number of apex zones.
>Cricket > If you ask an internal root name server about a zone whose
>Cricket > ancestor doesn't appear in the root zone, you get NXDOMAIN.
>So according to Cricket's example of an internal root server for
> and a forwarder, recursive query for will get a reply
>of NXDOMAIN from the root server right away because the root server
>doesn't know any other zone except And since it thinks it
>knows everything about the name space, that answer is final. 
>But according to Mark, recursive query for will get forwarded to
>the forwarder because it does not have a ready answer.  Forwarder issues
>iterative query back to root server, gets an NXDOMAIN, then passes that
>answer back to root server's original query.  Same answer, but in a
>roundabout way.  Did I understand you both correctly?  You are saying
>different things here.  If the forwarder sits on the cusp of the DMZ, it
>will know and use the real roots, why would it use the fake root to query
>for to get the NXDOMAIN?  Ok, which is it?

Mark is wrong and Cricket is right.  A server only forwards queries if it's
not authoritative for the zone that contains the name.  A root server is
authoritative for all domains that are not explicitly delegated.  As of
BIND 8.2 you can also make specific exceptions using "type forward" zones
in the root server's named.conf file.

Barry Margolin, barmar at
GTE Internetworking, Powered by BBN, Burlington, MA
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
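
The rule in the reply above, written out as a small model (an added example, not part of the original post and not BIND code). The class, the result labels, the zone names and the addresses are all assumptions made for illustration.

```python
# Simplified model of the forwarding decision, not BIND source code.
# Zone names and addresses are constructed placeholders.

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_within(name, zone):
    """True when name is at or below zone."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

class NameServer:
    def __init__(self, delegations, forward_zones, forwarders, has_root_zone):
        self.delegations = delegations      # zones delegated out of the root zone
        self.forward_zones = forward_zones  # "type forward" zones: {zone: [addresses]}
        self.forwarders = forwarders        # global forwarders from the options block
        self.has_root_zone = has_root_zone  # True when authoritative for "."

    def resolve(self, qname):
        # A "type forward" zone is more specific than ".", so it wins.
        hits = [z for z in self.forward_zones if is_within(qname, z)]
        if hits:
            best = max(hits, key=lambda z: len(labels(z)))
            return ("FORWARD", self.forward_zones[best])
        if not self.has_root_zone:
            # Not authoritative for any enclosing zone: use global forwarders.
            return ("FORWARD", self.forwarders)
        # Authoritative for ".": every other name is inside this zone.
        for apex in self.delegations:
            if is_within(qname, apex):
                return ("DELEGATED", apex)
        if not labels(qname) or any(is_within(a, qname) for a in self.delegations):
            return ("NOERROR", None)   # root itself or an ancestor of a delegation
        return ("NXDOMAIN", None)      # final answer; forwarders never consulted

if __name__ == "__main__":
    root = NameServer(["corp.example"], {"partner.example": ["192.0.2.53"]},
                      ["192.0.2.1"], has_root_zone=True)
    for q in ("www.corp.example", "www.outside.test", "host.partner.example"):
        print(q, root.resolve(q))
```

With `has_root_zone=False` the same query for an unknown name goes to the global forwarders, which is the behaviour of an ordinary caching server rather than an internal root.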