Users Want *Seamless* Solutions, Not Patchwork (was Re: Users want solutions, not buzzwords)

Kevin Darcy kcd at daimlerchrysler.com
Sat Aug 4 01:10:13 UTC 2001


D. J. Bernstein wrote:

> Kevin Darcy writes:
> > "Forward first" falls back to *iterative* resolution. At this point
> > it's *no*different* than if it had reached the same point iteratively
> > via a delegation chain.
>
> Internal servers usually don't _have_ delegations from the parents. If
> you use ``forward first,'' and if the internal servers are temporarily
> unreachable, then BIND will follow the usual chain down from the roots
> through the parents, and the parents will reply NXDOMAIN, exactly as I
> said.

No, named just got a *referral*, remember? This is the "forwarder returns a
referral" scenario. So it has relevant delegation information from which to
work -- it doesn't need to "follow the usual chain down from the roots".
I have *verified* this behavior in BIND 8 and BIND 9. Your theories about how
BIND behaves in this situation are simply incorrect.

> > > Furthermore, BIND seems to blindly
> > > cache incorrect data within the internal domain from external servers.
> > I'm not sure what you're getting at here.
>
> If BIND asks the .com servers about example.com and receives the
> response
>
>    example.com NS www.local.chrysler.com
>    www.local.chrysler.com A 1.2.3.4
>
> then BIND will save the www.local.chrysler.com address, even if it's
> configured to ask your internal servers about *.local.chrysler.com.

Anyone who is concerned about such things should upgrade to BIND 9.2; it has
a "minimal-responses" feature which should moot the problem (since it would
cause the forwarder to omit the Additional Section in the case you showed).
In general, I'd recommend minimal-responses for any nameserver being used
exclusively by recursive clients, since recursive clients generally don't
have much use for Authority or Additional data. Why waste the server
resources and the packet space on data which isn't used?

Note that if worse comes to worst, the forwarder could perhaps be configured
as a slave for the internal "local.chrysler.com" zone. In BIND 9, this stops
the "leakage" because authoritative data is of higher credibility than
Additional data. (No need to remind everyone that BIND 8 was broken in this
respect -- that's ancient history).


- Kevin
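For readers who want to see the two BIND 9 settings mentioned in the message side by side, here is an added named.conf sketch (not part of the original post, and not a configuration from the thread's participants). The addresses, file names and the zone name's master are constructed placeholders; the zone name local.chrysler.com is the one used in the discussion.

```conf
// Added example, not from the original post. Two BIND 9.2-era fragments:
// (1) the resolver that uses "forward first", and (2) the forwarder it
// sends internal queries to. All IPs and paths are constructed.

// ---- (1) resolver side: forwards internal names, iterates otherwise ----
options {
    directory "/var/named";                 // assumed working directory
    recursion yes;
};

// Queries for the internal zone go to the internal servers first; if they
// are unreachable, named falls back to iterative resolution ("forward
// first"), the scenario debated above.
zone "local.chrysler.com" {
    type forward;
    forward first;
    forwarders { 10.0.0.53; 10.0.1.53; };   // constructed internal servers
};

// ---- (2) forwarder side: serves recursive clients only ----
options {
    directory "/var/named";
    recursion yes;

    // Omit Authority and Additional data that recursive clients do not use,
    // so no glue for internal names rides along in a referral.
    minimal-responses yes;
};

// Fallback suggested in the message: hold the internal zone as a slave so
// authoritative data outranks any Additional-section data for those names.
zone "local.chrysler.com" {
    type slave;
    masters { 10.0.0.53; };                 // constructed zone master
    file "slave/local.chrysler.com.db";     // constructed file name
};
```

The two `options` blocks belong to two different servers; a single named.conf may contain only one.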
