resolver's behavior
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 25 22:24:16 UTC 2006
Frank Y.F. Luo wrote:
>Let me ask you guys a similar question:
>
>a NS only allows authoritative query (that means recursive query turned
>off).
>
>What if I configure a client ( Windows, Mac OS, Solaris, ....) to use this
>NS and do a non-authoritative query, what will happen?
>
There's no such thing as a "non-authoritative query". I think you mean
non-recursive query.
When you query a nameserver/resolver non-recursively, then the only data
you'll get as an answer will be a) data from zones for which the
nameserver is authoritative, and/or b) data which happens to be in the
resolver cache from an earlier query for which recursion was performed.
Note that if recursion is turned off *completely* for the target
instance, i.e. it does not perform any kind of resolver function, there
will be nothing in its cache, so only the (a) category (authoritative
data) applies.
>I know the first query will be "qr" - recursive preferred,
>
Um, no, QR means "query response". All DNS responses have QR set. That
flag distinguishes a query from a query response and has nothing to do
with recursion _per_se_. RD (recursion desired) is how recursion gets
requested from the client side, and RA (recursion available) in the
response is how the server side signals its willingness or unwillingness
to comply with the request for recursion.
>but since recursive query turned
>off, the NS will return the root NS will be returned to the client.
>
The root NS in the Authority Section basically means "I don't know the
answer, I'm not going to recurse for the answer, go figure it out
yourself, and here's some root-NS information to get you started, good
luck".
>What is
>supposed to happen at this time to client? Will client follow that to query
>root NS?
>
If the client is a dumb "stub resolver", then a root-NS referral
basically results in the query failing.
If the client has some iterative smarts, it probably wouldn't have made
that query in the first place to a nameserver that is/was not
authoritative for the zone. In the absence of some sort of explicit
"forwarding" or "stub" configuration, it would only send queries
(non-recursive) to a particular nameserver if it believed, based on
following the delegation chain, that the nameserver was authoritative
for the relevant zone, or could give a referral that would lead the
resolver closer to a definitive answer. "Lame" delegation, a
configuration error where a delegation record points to a nameserver
which is not in fact authoritative for a particular zone, is of course
possible, but it's the exception, not the rule.
>Is there any difference in different resolver implementation as you know?
>
Well, yes, the major distinction is between a "stub" resolver and a
"full-service" resolver that is capable of iterative resolution and/or
implements caching. Note that named from the BIND distribution can
function as either a "full-service" resolver or an authoritative
nameserver, or both, if it is configured to perform both roles
simultaneously. Other DNS packages, e.g. djbdns, break out those
functions into separate programs.
What is it, exactly, that you are trying to accomplish, Frank? If you're
just trying to educate yourself, there are books and other materials
that you should probably be reading, e.g. the _DNS_and_BIND_ book from
O'Reilly. If you have a specific problem that you are trying to solve,
then please tell us what it is.
- Kevin
More information about the bind-users
mailing list