Users Want *Seamless* Solutions, Not Patchwork (was Re: Users want solutions, not buzzwords)

D. J. Bernstein 75628121832146-bind at sublist.cr.yp.to
Sat Aug 4 03:35:39 UTC 2001


Kevin Darcy writes:
> No, named just got a *referral*, remember?

No, it didn't. I'm not sure whether your continued lack of understanding
comes from a failure to read or a failure to think, so I'll spell out
the situation in excruciating detail:

   * You have an internal domain, local.chrysler.com, on an internal
     server. The chrysler.com servers don't know anything about this
     domain, and they don't have delegations to the internal server.

   * You tell your BIND cache to forward local.chrysler.com to the
     internal server. You make the mistake of using ``forward first.''

   * You start BIND. It looks up the root servers but otherwise has an
     empty cache.

   * Your mail server asks for the address of www.local.chrysler.com.
     BIND tries contacting the internal server. There is no response.
     (The server's network connection is temporarily overloaded.)

   * Because you made the mistake of using ``forward first,'' BIND now
     contacts the root servers, then the .com servers, and finally the
     chrysler.com servers. The chrysler.com servers say that the domain
     www.local.chrysler.com does not exist.

   * BIND returns this information to your mail server. The mail server
     bounces the mail.

You are wrong when you claim that ``forward first'' is a safe way to
handle internal domains.

  [ BIND accepting local.chrysler.com information from .com servers ]
> Anyone who is concerned about such things should upgrade to BIND 9.2;
> it has a "minimal-responses" feature which should moot the problem

You are continuing to make a fool of yourself. Minimal responses (which,
btw, dnscache has had since 1999) are from caches to clients. They have
no relevance to your internal names being subverted by the .com servers.

> Note that if worse comes to worst, the forwarder could perhaps be
> configured as a slave for the internal "local.chrysler.com" zone.

For large sites, with large internal zones and many internal caches,
that's unusably slow.

---Dan
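The failure sequence Dan spells out above, as an added example that is not part of the original post or of BIND itself: a small Python model of a forwarding cache that reads the zone's `forward first;` / `forward only;` policy out of a named.conf fragment, tries the internal forwarder, and either falls back to the public tree (forward first) or returns SERVFAIL (forward only) when the forwarder does not answer. The zone name is the one from the thread; the server addresses, the public and internal zone data, and the config text are constructed for illustration, and the resolver and MTA behaviour are deliberately simplified (no caching, no retries).

```python
"""Model of a BIND-style forwarding cache whose forwarder stops answering,
under ``forward first`` versus ``forward only`` for an internal zone.

Added illustration, not BIND code.  Addresses, zone data and config text
are constructed; the resolver logic is a deliberate simplification.
"""
import re

# Constructed named.conf fragments for the internal zone.  ``forward first``
# is the setting the post calls a mistake; ``forward only`` is the fix.
NAMED_CONF_FIRST = """
zone "local.chrysler.com" {
    type forward;
    forward first;
    forwarders { 10.1.1.53; };
};
"""
NAMED_CONF_ONLY = NAMED_CONF_FIRST.replace("forward first;", "forward only;")

# Constructed data.  The public chrysler.com servers know nothing about
# local.chrysler.com and have no delegation for it (root and .com hops elided).
PUBLIC_ZONES = {"chrysler.com": {"www.chrysler.com": "192.0.2.10"}}
INTERNAL_ZONE = {"www.local.chrysler.com": "10.1.2.3"}


def parse_forward_zones(conf):
    """Return {zone: (policy, [forwarders])} for every 'type forward' zone.

    Braces are counted by hand because the forwarders clause nests inside
    the zone block.  BIND's default policy when forwarders are set is 'first'.
    """
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if not re.search(r"type\s+forward\s*;", body):
            continue
        pol = re.search(r"forward\s+(first|only)\s*;", body)
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        addrs = [a.strip() for a in fwd.group(1).split(";") if a.strip()] if fwd else []
        zones[m.group(1).lower()] = (pol.group(1) if pol else "first", addrs)
    return zones


def forward_zone_for(zones, qname):
    """Pick the most specific configured forward zone enclosing qname."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand, zones[cand]
    return None, None


def query_forwarder(addr, qname, forwarder_up):
    """Ask the internal server.  None models a timeout (overloaded link)."""
    if not forwarder_up:
        return None
    if qname in INTERNAL_ZONE:
        return {"rcode": "NOERROR", "address": INTERNAL_ZONE[qname]}
    return {"rcode": "NXDOMAIN"}


def query_public_tree(qname):
    """Ordinary recursion: the closest public zone answers authoritatively."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in PUBLIC_ZONES:
            data = PUBLIC_ZONES[zone]
            if qname in data:
                return {"rcode": "NOERROR", "address": data[qname]}
            return {"rcode": "NXDOMAIN"}  # e.g. www.local.chrysler.com
    return {"rcode": "NXDOMAIN"}


def resolve(conf, qname, forwarder_up):
    """The cache's decision for one query; returns what the client is told."""
    _zone, cfg = forward_zone_for(parse_forward_zones(conf), qname)
    if cfg is None:
        return query_public_tree(qname)
    policy, addrs = cfg
    for addr in addrs:
        ans = query_forwarder(addr, qname, forwarder_up)
        if ans is not None:
            return ans
    if policy == "only":
        # All forwarders timed out: report a server failure, nothing more.
        return {"rcode": "SERVFAIL"}
    # "forward first": fall back to recursion over the public tree, where the
    # public chrysler.com servers deny that the internal name exists.
    return query_public_tree(qname)


def mail_server_outcome(answer):
    """A typical MTA treats NXDOMAIN as permanent (bounce) and SERVFAIL as
    temporary (queue and retry later)."""
    return {"NOERROR": "deliver", "NXDOMAIN": "bounce", "SERVFAIL": "queue"}[answer["rcode"]]


if __name__ == "__main__":
    for label, conf in (("forward first", NAMED_CONF_FIRST), ("forward only", NAMED_CONF_ONLY)):
        for up in (True, False):
            ans = resolve(conf, "www.local.chrysler.com", up)
            print(f"{label:14} forwarder_up={up!s:5} -> {ans['rcode']:8} {mail_server_outcome(ans)}")
```

The point the model makes concrete is that `forward first` turns a transient outage of the internal server into an authoritative negative answer from servers that were never supposed to speak for the zone, and the MTA acts on it accordingly; `forward only` keeps the failure temporary. In a real named.conf the fix is the same one-word change inside the `zone "local.chrysler.com" { type forward; ... }` statement.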

