Recursion off\forward

Kevin Darcy kcd at
Tue Nov 21 20:29:46 UTC 2006

1. Resolver sends a query, gets only a CNAME in the response
2. Resolver looks up the target of the CNAME and it resolves to an A record

Sure, it's more *convenient* to get the A record in the first step. But 
any fully-featured (= iterative) resolver should be able to get the A 
record "the hard way" if it needs to.

Perhaps you don't understand that a real resolver follows a whole 
*algorithm* for resolving names, which might involve several different 
lookups. A lookup tool like dig or nslookup, however, in the absence of 
any special configuration, options, etc. just does individual lookups so 
it may only be showing you *part* of the overall resolution process, a 
piece of the puzzle, as it were. You could try the +trace option to dig, 
if you want to see something more like a full DNS-resolution sequence.

- Kevin

Nick Allum wrote:
> Would someone be able to explain what "An iterative resolver has to be
> able to deal with such responses" would mean. 
> What I am trying to do is turn off recursion, so I just have an
> advertising dns server for my domains, however some of my CNAME records
> point to some external domains which are not resolving once I set
> recursion off. I am running bind 9.2.4
> Thanks
> Nick
> -----Original Message-----
> From: bind-users-bounce at [mailto:bind-users-bounce at] On
> Behalf Of Chris Thompson
> Sent: Wednesday, November 15, 2006 2:01 PM
> To: Bind Users Mailing List
> Subject: RE: Recursion off\forward
> On Nov 15 2006, Nick Allum wrote:
>> I had another question within regarding "recursion off"
>> If you have recursion off and you have a CNAME that points to some 
>> non-authoritative domain/A record you get a negative response.
> You get a response with the answer section containing the CNAME but not
> the A record, and an rcode of zero. I wouldn't call that "a negative
> response". An iterative resolver has to be able to deal with such
> responses.
>> Is there a way to work around this? Scenario: My server is the authority 
>> for and within the record I have the following
>> Test	IN	CNAME 
>> For which "" I am not the authority for so when I try to 
>> lookup I get a negative response. Is there a way to work 
>> around this other than using the IP vs CNAME.
> It seems to me that you are still asking for "recursion sometimes"
> rather than "recursion no".
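
The two-step lookup described in this message, as an added example (not code from the thread or from BIND): a simulated recursion-off authoritative server returns only the CNAME with rcode NOERROR, and an iterative resolver restarts the lookup at the target. The zone names, server names, address, hop limit and the REFUSED handling of out-of-zone queries are constructed assumptions.

```python
# Constructed zone data: example.test and cdn.test are placeholder names.
ZONES = {
    "ns.example.test": {"zone": "example.test.", "records": {
        ("test.example.test.", "CNAME"): "www.cdn.test."}},
    "ns.cdn.test": {"zone": "cdn.test.", "records": {
        ("www.cdn.test.", "A"): "192.0.2.10"}},
}
MAX_CNAME_HOPS = 8  # assumed limit so a CNAME loop cannot spin forever

def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)

def authoritative_answer(server, qname, qtype):
    """Answer from local zone data only, as a recursion-off server does."""
    zone = ZONES[server]
    if not in_zone(qname, zone["zone"]):
        # Modelled here as REFUSED: no data is given for names outside the zone.
        return {"rcode": "REFUSED", "answer": []}
    recs, answer = zone["records"], []
    if (qname, qtype) not in recs and (qname, "CNAME") in recs:
        target = recs[(qname, "CNAME")]
        answer.append((qname, "CNAME", target))
        qname = target  # the target's data is added only if held locally
    if (qname, qtype) in recs:
        answer.append((qname, qtype, recs[(qname, qtype)]))
    exists = answer or any(name == qname for name, _ in recs)
    return {"rcode": "NOERROR" if exists else "NXDOMAIN", "answer": answer}

def find_server(qname):
    """Stand-in for walking delegations from the root."""
    return next((s for s, z in ZONES.items() if in_zone(qname, z["zone"])), None)

def resolve(qname, qtype="A"):
    """Return (rdata or None, trace of (server, qname, rcode, answer))."""
    trace = []
    for _ in range(MAX_CNAME_HOPS):
        server = find_server(qname)
        if server is None:
            return None, trace
        resp = authoritative_answer(server, qname, qtype)
        trace.append((server, qname, resp["rcode"], resp["answer"]))
        asked = qname
        for name, rtype, rdata in resp["answer"]:
            if name == qname and rtype == qtype:
                return rdata, trace
            if name == qname and rtype == "CNAME":
                qname = rdata  # step 2: restart the lookup at the target
        if resp["rcode"] != "NOERROR" or qname == asked:
            return None, trace
    return None, trace  # hop limit reached
```

The first trace entry is what a single lookup against the authoritative server shows: a CNAME-only answer with rcode NOERROR. The second entry is the resolver's follow-up query to the server that holds the target.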
