'dig -t any ...' question

Ladislav Vobr lvobr at ies.etisalat.ae
Tue Jun 15 04:00:49 UTC 2004


> I did notice a change related to that when we upgraded our caching 
> servers from BIND 8 to 9.  Prior to that, if I asked for the A record of 
> a nameserver, I would often get the address from the glue in the parent 
> zone.  After the upgrade, it seemed to go to the authoritative server 
> for this -- if all of the zone's servers were down, the query would hang 
> and eventually return a SERVFAIL error.  The only way to get the cached 
> glue record was to query without the RD flag set.
> 
Barry, the change is there between 8.3.4 and 8.4.1, 8.4.1 returns it the 
same way as 9 and higher, 8.3.4 returns it as an *answer*, I think this 
will be very important to distinguish once it comes to DNSSEC. What is 
glue and what is not, since the glue is not signed.

> However, I think ANY queries would still return whatever happened to be 
> in the cache, no matter how it was learned.

if it is cached with *glue* credibility it will not return it to ra 
clients. This behaviour as you describe is a nightmare, it keeps retrying 
to all nameservers if all are unreachable, causing incredible traffic to 
remote servers and the network as well, I am sometimes seeing 
nameservers querying me with 1000 (one thousand) req/s with the same 
request, this can really spoil lots of things, why would a caching 
nameserver ever have to do such a thing, does it really help to do it this 
way....?

how can we say it is perfectly fine to answer the recursive client with 
non-authoritative data, when nothing was cached before this request? I 
feel recursion means, if it is not available, recurse up to the source 
(auth servers) and get it, not from . or 2nd level or 3rd level or 4th level, 
we cannot stop randomly at some level just because some binds think it was 
enough steps (parent 8.3.4 thinks it is enough, parent 8.4.1 thinks try 
to go to next level... it seems really very consistent:-), we always 
should go up to the source *provided it was not cached before*. How will 
this work in DNSSEC, we just answer to ra client with *glue* and tell 
him be happy for it:-)?

Ladislav
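
The behaviour discussed in this thread (cached glue withheld from recursive queries, returned only when RD is clear, SERVFAIL when every authoritative server is down) can be modelled as below. This is an added example, not part of the original post and not BIND source code; the `Trust` levels loosely follow RFC 2181 section 5.4.1, and `Cache`, `answer_query` and the `fetch_authoritative` callback are hypothetical names.

```python
# Simplified model of a caching resolver's credibility check (constructed;
# not BIND source). Trust levels loosely follow RFC 2181 section 5.4.1.
from enum import IntEnum

class Trust(IntEnum):
    GLUE = 1          # learned from a referral's additional section
    ANSWER = 2        # answer section of a non-authoritative reply
    AUTH_ANSWER = 3   # answer section of an authoritative reply

class Cache:
    def __init__(self):
        self._rrsets = {}   # (name, rtype) -> (trust, rdata)

    def store(self, name, rtype, rdata, trust):
        key = (name.lower(), rtype)
        old = self._rrsets.get(key)
        # Less credible data never replaces more credible data.
        if old is None or trust >= old[0]:
            self._rrsets[key] = (trust, rdata)

    def lookup(self, name, rtype):
        return self._rrsets.get((name.lower(), rtype))

def answer_query(cache, name, rtype, rd, fetch_authoritative):
    """Return (rcode, rdata). fetch_authoritative is a hypothetical callback
    returning rdata from the zone's own servers, or None if all are down."""
    hit = cache.lookup(name, rtype)
    if hit and (hit[0] > Trust.GLUE or not rd):
        # Credible enough to answer, or the client asked for cache contents only.
        return "NOERROR", hit[1]
    if not rd:
        return "NOERROR", None      # nothing cached and no recursion requested
    rdata = fetch_authoritative(name, rtype)
    if rdata is None:
        return "SERVFAIL", None     # glue is never promoted to an answer
    cache.store(name, rtype, rdata, Trust.AUTH_ANSWER)
    return "NOERROR", rdata
```
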





More information about the bind-users mailing list