Is dig really recursive?

Kevin Darcy kcd at daimlerchrysler.com
Fri Feb 9 01:18:01 UTC 2001


atom at suspicious.org wrote:

> > "dig" itself isn't recursive, but by default it sends recursive queries and
> > expects the nameserver it uses to recurse to get the answer to the query.
> >
> ------------------------------
> so if i'm digging at a non-recursive name server (ie: a.root) then i
> won't get a recursive answer.

Right. You'll just get a referral, unless the server happens to be
authoritative for the zone containing the name you queried. Note that if
you query a root or TLD server for an A record that just happens to be a
glue record, it will return it. But it didn't recurse to get the answer. It
already had the information because the glue record is in the ancestor
zone.

> > When you say "no information" do you mean dig displayed a valid header and
> > 0 answers, an NXDOMAIN response, or did dig just time out?
> ---------------------
> not a timeout.... like if you do this:
> $ dig @a.root-servers.net foo.bar
>
> you get back a good answer, with no info. (like the old song; "your
> prayers were answered, the answer is no")

Was it "no info" at all, or were there just 0 answers, no AA header flag,
and entries in the Authority Section (and maybe also the Additional
Section)?

That's a referral, and is exactly what I'd expect to see from a
non-recursive server that wasn't authoritative for the 4th level domain
containing the name you queried.

Basically, it's telling you "I dunno, go ask these other servers".

> so, i guess i should put my question another way...  if i want to find
> the name-servers for a 4th level domain, is there a way to do it in 1
> step?
>
> if i dig @a.root-servers.net, i might get the "final answer", or i might
> just get the name-servers for the tld, and then i have to work down from
> there.
>
> would i be better off using:
> $ nslookup -type=NS aloha.hawaii.hi.us  -a.root-servers.net
>
> (correct me if i'm wrong, please) i think that nslookup will use my
> name-server recursively, whereas dig wants the queried name-server to
> perform recursion.

No, nslookup isn't any different from dig in that regard. Both of them
issue recursive queries by default. Neither of them is smart enough to
actually do recursion itself. These are just lookup tools, after all, not
nameservers. Recursion is a nasty business, and slow too, if you don't have
a persistent cache in which to build up referral information. That's why
you almost always see recursion and caching paired together.

Of course, you can always do recursion *manually*. Start from the root and
follow the delegations all of the way down.

> if the queried name-server (a.root) is non-recursive,
> then i'm beat.

The root and TLD servers aren't there for general _ad_hoc_ querying; their
main purpose is to provide referrals to other nameservers. For
_ad_hoc_ querying, you should use a recursive server that you are permitted
to use. Doesn't your network provider make such a thing available? Most do.

> if that's the case, is there a down side to using nslookup?

I can't think of any situation -- including this one -- where nslookup
would be preferable to dig for DNS troubleshooting, when both are available
on a given platform.


- Kevin
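
Added example (not part of the original post): the manual walk described above, starting at the root and following each referral down, run against a small in-memory delegation table so it works offline. The delegation data is constructed, every server name except a.root-servers.net is hypothetical, and servers are looked up by name rather than by glue address.

```python
# Constructed delegation data (not real DNS contents). Every server name
# except a.root-servers.net is hypothetical.
SERVERS = {
    "a.root-servers.net": {"refer": {"us": ["ns.us.example"]}},
    "ns.us.example": {"refer": {"hi.us": ["ns.hi.example"]}},
    "ns.hi.example": {"refer": {"hawaii.hi.us": ["ns.hawaii.example"]}},
    "ns.hawaii.example": {"refer": {"aloha.hawaii.hi.us": ["ns.aloha.example"]}},
    "ns.aloha.example": {"auth": {"aloha.hawaii.hi.us": ["ns.aloha.example"]}},
}


def query(server, qname):
    """Simulate a non-recursive server: answer from its own zone or refer."""
    data = SERVERS[server]
    if qname in data.get("auth", {}):
        return {"aa": True, "answer": data["auth"][qname], "authority": []}
    labels = qname.split(".")
    for i in range(len(labels)):  # longest matching delegation first
        zone = ".".join(labels[i:])
        if zone in data.get("refer", {}):
            return {"aa": False, "answer": [], "authority": data["refer"][zone]}
    return {"aa": False, "answer": [], "authority": []}


def is_referral(resp):
    """0 answers, no AA flag, entries in the Authority Section."""
    return not resp["answer"] and not resp["aa"] and bool(resp["authority"])


def resolve_manually(qname, start="a.root-servers.net", max_hops=10):
    """Follow referrals from `start`; return (answer, servers asked)."""
    server, asked = start, []
    for _ in range(max_hops):  # hop limit guards against referral loops
        asked.append(server)
        resp = query(server, qname)
        if not is_referral(resp):
            return resp["answer"], asked
        server = resp["authority"][0]
        if server not in SERVERS:  # lame delegation in the sample data
            raise LookupError(f"no data for referred server {server}")
    raise RuntimeError(f"more than {max_hops} referrals for {qname}")


if __name__ == "__main__":
    answer, asked = resolve_manually("aloha.hawaii.hi.us")
    print(" -> ".join(asked))
    print("NS:", answer)
```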



