Users Want *Seamless* Solutions, Not Patchwork (was Re: Users want solutions, not buzzwords)
D. J. Bernstein
75628121832146-bind at sublist.cr.yp.to
Sat Aug 4 03:35:39 UTC 2001
Kevin Darcy writes:
> No, named just got a *referral*, remember?
No, it didn't. I'm not sure whether your continued lack of understanding
comes from a failure to read or a failure to think, so I'll spell out
the situation in excruciating detail:
* You have an internal domain, local.chrysler.com, on an internal
server. The chrysler.com servers don't know anything about this
domain, and they don't have delegations to the internal server.
* You tell your BIND cache to forward local.chrysler.com to the
internal server. You make the mistake of using ``forward first.''
* You start BIND. It looks up the root servers but otherwise has an
empty cache.
* Your mail server asks for the address of www.local.chrysler.com.
BIND tries contacting the internal server. There is no response.
(The server's network connection is temporarily overloaded.)
* Because you made the mistake of using ``forward first,'' BIND now
contacts the root servers, then the .com servers, and finally the
chrysler.com servers. The chrysler.com servers say that the domain
www.local.chrysler.com does not exist.
* BIND returns this information to your mail server. The mail server
bounces the mail.
You are wrong when you claim that ``forward first'' is a safe way to
handle internal domains.
[ BIND accepting local.chrysler.com information from .com servers ]
> Anyone who is concerned about such things should upgrade to BIND 9.2;
> it has a "minimal-responses" feature which should moot the problem
You are continuing to make a fool of yourself. Minimal responses (which,
btw, dnscache has had since 1999) are from caches to clients. They have
no relevance to your internal names being subverted by the .com servers.
> Note that if worse comes to worst, the forwarder could perhaps be
> configured as a slave for the internal "local.chrysler.com" zone.
For large sites, with large internal zones and many internal caches,
that's unusably slow.
---Dan
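The failure sequence Dan spells out above (forwarder silent, `forward first` falls through to the public tree, the public chrysler.com servers answer NXDOMAIN, the mail bounces) can be modelled with a few lines of code. The block below is an added example, not part of the original post, BIND, or djbdns; it is a deliberately simplified model of a forwarding cache, and the `named.conf` snippet, the zone contents and the SMTP rule mapping are constructed for illustration. What it shows is why the same outage gives a permanent error under `forward first` and only a temporary one under `forward only`.

```python
"""Model of the 'forward first' failure described in the post (added example).

Simplified, constructed model of a forwarding cache.  The domain names come
from the post; the server behaviour is an assumption of this model, not
BIND's own code.  A 'forward first' zone falls back to ordinary recursion
when the forwarder gives no answer at all; 'forward only' does not.
"""
import re
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Constructed configuration: the weak setting on the left, the corrected one
# on the right.  'forward first' is BIND's default when it is not stated.
CONF_FIRST = '''
zone "local.chrysler.com" { type forward; forward first; forwarders { 10.0.0.53; }; };
'''
CONF_ONLY = '''
zone "local.chrysler.com" { type forward; forward only; forwarders { 10.0.0.53; }; };
'''


@dataclass
class Forwarder:
    """The internal server.  reachable=False models a timeout (no response)."""
    reachable: bool
    zone_data: dict  # name -> address

    def query(self, name):
        if not self.reachable:
            return None  # no reply at all, not a negative answer
        if name in self.zone_data:
            return (NOERROR, self.zone_data[name])
        return (NXDOMAIN, None)


def parse_forward_mode(named_conf, zone):
    """Return 'first' or 'only' for the given zone stanza (default: first)."""
    stanza = re.search(r'zone\s+"%s"\s*\{(.*?)\};' % re.escape(zone), named_conf, re.S)
    if stanza is None:
        raise ValueError("no forward zone for %s" % zone)
    mode = re.search(r"\bforward\s+(first|only)\s*;", stanza.group(1))
    return mode.group(1) if mode else "first"


def public_recursion(name):
    """Stand-in for the root -> .com -> chrysler.com walk.  The public
    chrysler.com servers know nothing about the internal subdomain, so any
    internal name resolves to NXDOMAIN here.  Zone data is constructed."""
    public_zone = {"www.chrysler.com": "192.0.2.10"}
    if name in public_zone:
        return (NOERROR, public_zone[name])
    return (NXDOMAIN, None)


def resolve(name, named_conf, forwarder, zone="local.chrysler.com"):
    """Resolve one name through the cache; returns (rcode, address)."""
    mode = parse_forward_mode(named_conf, zone)
    answer = forwarder.query(name)
    if answer is not None:
        return answer                     # forwarder answered, positive or negative
    if mode == "only":
        return (SERVFAIL, None)           # no fallback: client sees a temporary failure
    return public_recursion(name)         # 'first': fall through to the public tree


def mail_outcome(rcode):
    """Typical MTA handling: NXDOMAIN is a permanent DNS error (bounce),
    SERVFAIL/timeouts are temporary (defer and retry later)."""
    return "bounce" if rcode == NXDOMAIN else "defer" if rcode == SERVFAIL else "deliver"


if __name__ == "__main__":
    name = "www.local.chrysler.com"
    down = Forwarder(reachable=False, zone_data={name: "10.1.2.3"})
    for label, conf in (("forward first", CONF_FIRST), ("forward only", CONF_ONLY)):
        rcode, _ = resolve(name, conf, down)
        print("%-14s forwarder down -> %s -> mail %s" % (label, rcode, mail_outcome(rcode)))
```

Run as a script, the model prints the two outcomes side by side: with the forwarder silent, `forward first` yields NXDOMAIN from the public chrysler.com servers and the message bounces, while `forward only` yields SERVFAIL and the message is deferred until the internal server answers again.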