allow-recursion + FreeBSD + bind 8.2.2patch7

Micke Johansson micke at listmail.c64.net
Thu Dec 7 20:21:09 UTC 2000


Hi!

Well yes, I asked about the same A record several times and the TTL was
1 day, but after some more testing I noticed that I made an "idiot" mistake
when querying the BSD/OS and Linux box (I didn't specify which nameserver to
query, so on the local server box it used what was in resolv.conf, which
wasn't the local server itself *duhh*).

But anyway I was pretty sure that I had seen this before (when using
allow-recursion the non-allowed host didn't get back the A record even when
it was cached on the DNS), but I must have made a similar mistake back
then.

Anyhow, wouldn't the preferred behaviour be that it didn't answer even if the
record was cached? Because now a non-allowed host could get an answer back
depending on whether it was queried by an allowed one previously.

Best regards
Michael

On Wed, 6 Dec 2000, Kevin Darcy wrote:

> 
> It is normal for a nameserver to answer from cached information, even if it
> is not honoring recursion for the client because of an
> "allow-recursion" restriction. I interpret your post to mean that you ran
> exactly the same series of queries (two consecutive A record queries for the
> same) with the same timing, to 4 different identically-configured BIND 8
> nameservers and received different results. I have no ready explanation for
> that. Assuming that your testing method is as I have described it, then all
> 4 servers should have answered the second query from cache. Are you sure the
> timing was the same for each test? If the TTL (time-to-live) setting on the
> record was small, then possibly it might have expired from cache in between
> queries.
> 
> If you really want to dig deeper into this, try dumping the nameserver's
> databases after the first query (using "ndc dumpdb" or an INT signal to the
> named process) and verifying that there is a cache entry, and what its
> TTL is. If all of the servers have a cache entry with a reasonably-long TTL,
> then I can't imagine why any of them *wouldn't* answer from their cache. You
> should probably also scan the logs just to make sure that nothing unusual
> was occurring at the time.
> 
> 
> - Kevin
> 
> Micke Johansson wrote:
> 
> > Hi!
> >
> > I have noticed a little strange behaviour with FreeBSD + Bind 8.2.2patch7 (
> > same thing with p5 ) and the "allow-recursion" function.
> >
> > Example :
> >
> > TestServer1 running FreeBSD 3.3-stable
> > TestServer2 running FreeBSD 3.5-stable
> > TestServer3 running BSD/OS 4.1
> > TestServer4 running Linux
> >
> > All running bind 8.2.2patch7 with the same config files, and just started,
> > so nothing has really been cached yet.
> >
> > When, from a host that isn't allowed to ask a recursive query, I query for
> > example www.foo.bar, I only get the NS for the root server ( which is
> > correct ).
> >
> > Then asking about www.foo.bar from an allowed host will return an A
> > record ( or whatever ).
> >
> > And now the difference in the behaviour comes:
> >
> > When again asking from the host that isn't allowed on:
> >
> > TestServer1 and TestServer2 will answer with the A record ( or whatever )
> > that they now have cached. (not correct behaviour(?))
> >
> > TestServer3 and TestServer4 will only answer with the root nameservers.
> > (correct behaviour(?))
> >
> > Anyone got a clue on why Bind under FreeBSD acts this way? And are there
> > any other OSes that have the same behaviour?
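The behaviour discussed in this thread (a client outside the allow-recursion ACL still receiving answers that an allowed client had previously pulled into the cache) is closed in BIND 9.4 and later with the separate allow-query-cache option. The fragment below is an added illustration for BIND 9, not configuration from the thread or from BIND 8; the ACL name "internal" and the address range are constructed.

```conf
// Added example (BIND 9.4+), not from the thread. "internal" is an assumed
// ACL name; 192.0.2.0/24 is a constructed documentation range.
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    recursion yes;

    // Weak: only recursion is restricted. A client outside "internal" still
    // receives any record already in the cache, which is exactly the
    // cross-client leak observed above.
    //   allow-recursion { internal; };

    // Corrected: tie cache reads to the same ACL as recursion. Clients
    // outside it now get only authoritative data and referrals, whether or
    // not an allowed client asked for the name a moment earlier.
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Authoritative zones served here remain answerable by everyone.
    allow-query { any; };
};
```

In BIND 9.4 and later, allow-query-cache defaults to the allow-recursion ACL when that is set, so the explicit line mainly documents the intent; a quick check is to query a cached name with `dig +norecurse` from a host outside the ACL and confirm it receives a referral rather than the record.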