resolver search order question

Gregory Hicks ghicks at cadence.com
Thu May 25 20:54:34 UTC 2006


> Subject: Re: resolver search order question
> From: "Norman P. B. Joseph" <joseph at ctc.com>
> To: bind-users at isc.org
> Date: Thu, 25 May 2006 16:47:26 -0400
> 
> But I wasn't asking about multiple "nameserver" directives in
> resolv.conf, I was asking about multiple domains in a "search"
> directive.
> 
> You're saying getting a NODATA response for "aj-mail1.ctc.com" (tagging
> on the first domain in the search directive) would cause the resolver to
> return that as a definitive answer and to not consult other nameservers.
> I understand that, but that wasn't my question.  My question was, "Why
> doesn't the resolver tag on the next domain name in the search directive
> and search again until found or no more domains are left to search?"
> Isn't that what the "search" directive is for?

(Note:  *I THINK* ...  I may be wrong but this is what experience has
taught.) I think that this may depend on the ORDER that the "domain"
and "search" directives are presented in /etc/resolv.conf.  Whichever
one is last is the one that has precedence.

domain example.com
search example1.com subdomain.example.com

will use example1.com and subdomain.example.com as the names to tack on
non-FQDN names.  example.com is ignored.  (Use FQDN!)

while:

search example1.com subdomain.example.com
domain example.com

Only uses example.com for the non-FQDN names...  example1.com and 
subdomain.example.com are ignored.  (Again, use FQDN!)

Regards,
Gregory Hicks
> 
> Sorry if my original post wasn't clear.
> 
> -norm
> 
> 
> 
> On Thu, 2006-05-25 at 16:29 -0400, Kevin Darcy wrote:
> > Right, the purpose of having multiple resolvers in the resolver list is 
> > to enhance availability, not to accommodate disparate namespaces or get 
> > a "second opinion" on lookups. All resolvers in the resolver list are 
> > assumed to have the same data, temporary replication delays 
> > notwithstanding. So, as soon as an answer is received from one resolver, 
> > even if it's a SERVFAIL, NXDOMAIN, NODATA (a pseudo-RCODE meaning 
> > NOERROR and an empty Answer Section, as you'd be getting here for 
> > aj-mail1.ctc.com), it's treated as definitive and the other resolvers 
> > are not consulted.
> > 
> >         - Kevin
> > 
> > Norman P. B. Joseph wrote:
> > 
> > >Is this expected resolver behavior?  It doesn't fit my understanding,
> > >but maybe my understanding is at fault.  The clients and servers in this
> > >scenario are all BIND 9.2.4 under RHEL.
> > >
> > >I have the following search order in a client's resolver configuration:
> > >
> > >        search ctc.com ctcgsc.org ad.ctcgsc.org
> > >
> > >and I have the following two RRs in our DNS space:
> > >
> > >        aj-mail1.ctc.com.	MX	0 aj-mail1.ad.ctcgsc.org.
> > >        aj-mail1.ad.ctcgsc.org.	A	10.x.x.x
> > >
> > >If I look for an A record for an unqualified "aj-mail1" the query fails,
> > >but if I fully qualify the name in the query it succeeds.  I would have
> > >expected the resolver to append the domains in the "search" directive in
> > >order to the query name until it found "aj-mail1.ad.ctcgsc.org".
> > >
> > >I'm guessing that the resolver discovers the label "aj-mail1.ctc.com"
> > >first, because of the order of domains in the "search" directive, but
> > >since it is an MX record and not an A record the search fails, but the
> > >resolver doesn't continue with the other search domains because of the
> > >existence of the label.  Or something like that.
> > >
> > >What's the correct behavior?
> > >
> > >-norm
> > >
> > >
> > >
> > >
> > >  
> > >
> > 
> > 
> > 
> -- 
>  Norman Joseph, System Engineer             joseph at ctc.com        IC|XC
>  Concurrent Technologies Corporation         814/269.2633         --+--
>  Information Systems Management Office (ISMO)                     NI|KA
>   --=: It's not the voting that's democracy, it's the counting. :=--
> 
> 
> 

-------------------------------------------------------------------
Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1          | Fax:      408.894.3400
San Jose, CA 95134                   | Internet: ghicks at cadence.com

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
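
The domain/search precedence described in the reply above, as an added example that is not part of the original thread. It models the "last instance of domain or search wins" rule as documented in resolv.conf(5); the function names are hypothetical and the sample configurations are constructed from the ones quoted in the messages. It does not model ndots or how the resolver reacts to each response.

```python
# Added example: derive the effective search list from resolv.conf text
# and list the names a stub resolver would try for an unqualified name.

def effective_search_list(resolv_conf_text):
    """Apply 'last of domain/search wins' and return the search list."""
    search = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split()
        # Skip blank lines and comment lines ('#' or ';').
        if not fields or fields[0][0] in "#;":
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "domain" and args:
            # 'domain' replaces any earlier search list with one entry.
            search = [args[0].rstrip(".").lower()]
        elif keyword == "search" and args:
            # 'search' replaces any earlier domain or search line.
            search = [a.rstrip(".").lower() for a in args]
    return search


def candidate_names(name, resolv_conf_text):
    """Names tried via the search list, in order; an FQDN is used as-is."""
    if name.endswith("."):
        return [name]  # trailing dot: absolute name, search list is skipped
    return [f"{name}.{d}." for d in effective_search_list(resolv_conf_text)]


# Constructed sample configurations, mirroring the two orderings above.
DOMAIN_THEN_SEARCH = "domain example.com\nsearch example1.com subdomain.example.com\n"
SEARCH_THEN_DOMAIN = "search example1.com subdomain.example.com\ndomain example.com\n"
# The search line from the original question.
CTC_SEARCH = "search ctc.com ctcgsc.org ad.ctcgsc.org\n"

if __name__ == "__main__":
    for label, conf in (("domain, then search", DOMAIN_THEN_SEARCH),
                        ("search, then domain", SEARCH_THEN_DOMAIN)):
        print(label, "->", effective_search_list(conf))
    print(candidate_names("aj-mail1", CTC_SEARCH))
    print(candidate_names("aj-mail1.ad.ctcgsc.org.", CTC_SEARCH))
```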



