[Question] Question about recursive queries in BIND9

Barry Margolin barmar at alum.mit.edu
Tue Dec 20 20:05:10 UTC 2005


In article <do8kd6$4pj$1 at sf1.isc.org>,
 Hideshi Enokihara <Hideshi.Enokihara at jp.yokogawa.com> wrote:

> Hi all,
> 
> I have a question regarding recursion behavior of BIND9.
> 
> For example, I assume the following network. 
> 
> ----------------
> 
>                            org domain             example.org domain
>         AP Server1         DNS Server2            DNS Server3
>           |A.example.org      |NS2.example.org     |NS3.example.org
>           |192.168.1.10       |                    |
> Net-y   --+--------+----------+--------------------+--
>                    |
>                    |
>                    |
>                  Router
>                    |
>                    |
>                    |
> Net-z   --+--------+----------+--- 
>           |                   |         
>           |                   |
>         DNS Server1 (BIND9)  DNS Client1
> 
> ------------------
> 
> In this network, I ran the following steps.
> 
> Pre-sequence
> A. DNS Client1 sends the query(QNAME=A.example.org, QTYPE=A) to DNS 
> Server2(Authoritative server for org domain).
> B. DNS Server2 sends the query to DNS Server3(Authoritative server for 
> example.org domain).

Are you sure about this?  None of the authoritative servers for the ORG 
domain that I was able to query (some of them didn't respond when I was 
testing) have recursion enabled.

> C. DNS Server3 sends the response(ANSWER NAME=A.example.org, ANSWER 
> ADDRESS=192.168.1.10) to DNS Server2.
> D. DNS Server2 sends the response(ANSWER NAME=A.example.org, ANSWER 
> ADDRESS=192.168.1.10) to DNS Client1.
> 
> Note: At these steps, DNS Server2 caches the answer for QNAME=A.example.org, 
> QTYPE=A.  
> 
> Sequence
> 1. DNS Client1 sends the query(QNAME=A.example.org, QTYPE=A) to DNS 
> Server1(BIND9). 
> 2. DNS Server1(BIND9) sends the query to DNS Server2(Authoritative server for 
> org domain).
> 3. DNS Server2 sends the response(ANSWER NAME=A.example.org, ANSWER 
> ADDRESS=192.168.1.10) from the cache to DNS Server1(BIND9).
> 
> I expected that BIND9 would behave like 4A, but actually, BIND9 behaves like 4B.
> 
> 4A. DNS Server1(BIND9) sends the response(ANSWER NAME=A.example.org, ANSWER 
> ADDRESS=192.168.1.10) to Client1.
> 4B. DNS sends the query to DNS Server3(Authoritative server for example.org 
> domain).

....

> I have a question about steps 4A and 4B.
> Why does DNS Server1(BIND9) not send the response(4A) to DNS Client1?
> What is the reason that DNS Server1(BIND9) does not use/trust DNS Server2's 
> cache information?

Did it log a "Lame server" message?  When it's asking a server that's 
supposed to be authoritative, it expects an authoritative answer or a 
referral, not a non-authoritative answer.

> Does this behavior follow the RFC?
> #If BIND9 does not use/trust the other DNS server's cache information, as a 
> result, a lot of traffic will be caused in the network.
> 
> Please tell me your opinions.

When caching servers query authoritative servers, they don't normally 
send recursive queries.  And top-level authoritative servers don't 
usually have recursion enabled.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
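
The check described in the reply above, as an added example (not part of the original post and not BIND's code): a query built with RD clear, and a header-only classifier that accepts an authoritative answer or a referral but not a cached, non-authoritative answer. The function names and sample headers are constructed for illustration, and judging a referral from section counts alone is a simplifying assumption.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname, qtype=1, msg_id=0x1234, recursive=False):
    """Build a query; a caching server asking an authority leaves RD clear."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def sample_header(flags, ancount, nscount):
    """Constructed 12-byte response header for the demo (no record data)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)

def classify_response(msg):
    """Classify a reply from a server the resolver believes is authoritative."""
    if len(msg) < 12:
        return "malformed"
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & QR):
        return "malformed"
    if (flags & 0x000F) not in (0, 3):     # anything but NOERROR / NXDOMAIN
        return "error"
    if flags & AA:
        return "authoritative"
    if an == 0 and ns > 0:                 # simplification: counts only
        return "referral"
    if an > 0:
        return "non-authoritative-answer"  # e.g. served from the remote cache
    return "lame"

def accepted_from_authority(msg):
    """True only for the two reply kinds the resolver expects from an authority."""
    return classify_response(msg) in ("authoritative", "referral")

if __name__ == "__main__":
    step3 = sample_header(QR | RA, 1, 0)   # Server2 answering from its cache
    print(classify_response(step3), accepted_from_authority(step3))
```

The step 3 reply in the question has an answer but no AA bit, so it is classified as a non-authoritative answer and not accepted, which matches the resolver going on to query DNS Server3 (4B).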
