Root server cannot be a forwarder?

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 19 22:39:52 UTC 2006


yinzhang57 at yahoo.com wrote:
> Peter Dambier wrote:
>   
>> yinzhang57 at yahoo.com wrote:
>>     
>>> Heard that on a BIND root server, recursion is disabled and it will not
>>> do recursion, therefore cannot be a forwarder?
>>>
>>>       
>> It depends on what you want to do.
>>
>> E.g. my own BIND 9.4.0b2 is my local resolver.
>>
>> I believe that domains I am authoritative for, cannot get cache poisoned.
>> That is why I am slaving every important domain I can.
>>
>> It slaves the root too.
>>
>> Why?
>>
>> To prevent bogus queries like localhost, local, or 192.168... from
>> escaping my network. I am authoritative for those domains.
>>
>> Some poor people on backwater domains have only a single nameserver.
>> Sometimes those domains get lost. I have a local copy and I am
>> authoritative. I need not even query for those domains.
>>
>> The root zone is just a very little domain compared to com, net or org.
>> I never need to query the root-servers.
>>
>> I rarely need to axfr a zone. I never query those zones. So I spare
>> them a lot of traffic.
>>
>> As the root is already loaded I very often drop one query level and
>> my answers are faster.
>>
>> Zones I need are present locally. No query to the outside at all.
>>
>> But my server is not for the public. It serves locally only.
>>
>> If I was running a root-server for the public, I would run nothing
>> but the root. I definitely would switch recursion off because I
>> am not a resolver.
>>
>> Kind regards
>> Peter and Karin Dambier
>>
>>
>> --
>> Peter and Karin Dambier
>> Cesidian Root - Radice Cesidiana
>> Von-Erthal-Strasse 4
>> D-64646 Heppenheim
>> +49(6252)671-788 (Telekom)
>> +49(6252)750-308 (VoIP: sipgate.de)
>> mail: peter at peter-dambier.de
>> mail: peter at echnaton.serveftp.com
>> http://iason.site.voila.fr/
>> https://sourceforge.net/projects/iason/
>> http://www.cesidianroot.com/
>>     
>
> Is recursion disabled by default on a BIND root server, so that it
> cannot be a forwarder?
>   
Why do you think that a root nameserver acts fundamentally differently 
than a non-root nameserver? In named.conf terms, a master or slave 
definition for the root zone is really no different than a master or 
slave definition for any other zone.

So, again, the answer is: being a root nameserver does not cause BIND to 
disable recursion. If you want to turn off recursion, you need to do 
that explicitly.

> A Windows root server is by default disabled from forwarding, from being
> a forwarding server.  Will a BIND root server still be able to act as a
> forwarding server?
>   
Yes it can act as a forwarding server, subject to the caveats I gave in 
my previous message, i.e. whatever it's forwarding must be either 
delegated from the root zone, or have an appropriate zone definition at 
a lower level of the namespace tree. A root server cannot be a "general" 
forwarder, i.e. forward whatever it can't find, because anything that 
doesn't fall into one of the two categories above will be considered to 
be in the root zone, and a root nameserver will answer definitively from 
the root zone, without forwarding. This is just a special case of the 
general rule that a BIND nameserver will never forward queries which are 
in a zone for which it is authoritative.

                                                                         
                                 - Kevin
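
The forwarding rule described in the message above, as an added example that is not part of the original post and is not BIND code: a simplified Python model of which queries a recursion-enabled server that also holds the root zone would forward and which it would answer from its own zone data. The zone names, the delegation list and the function names are constructed for illustration.

```python
# Simplified model of the rule in the message above; not BIND's implementation.
# Assumes recursion is enabled. All zone data below is constructed sample data.

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_within(name, zone):
    """True if `name` is at or below `zone` in the namespace tree."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def closest(name, candidates):
    """Deepest candidate that encloses `name`, or None if there is none."""
    hits = [c for c in candidates if is_within(name, c)]
    return max(hits, key=lambda c: len(labels(c)), default=None)

def decide(qname, zones, delegations, global_forwarders):
    """Return (action, detail) for one query.

    zones:        {zone name: "master" | "slave" | "forward"}
    delegations:  {authoritative zone: [child names delegated out of it]}
    """
    zone = closest(qname, zones)
    if zone is None:
        # No enclosing zone definition: plain resolver behaviour.
        return ("forward", "global") if global_forwarders else ("recurse", None)
    if zones[zone] == "forward":
        # A zone definition lower in the tree takes the query before the root does.
        return ("forward", zone)
    cut = closest(qname, delegations.get(zone, []))
    if cut is not None:
        # Delegated out of the authoritative zone, so the name is not "in" it.
        return ("forward", "global") if global_forwarders else ("recurse", cut)
    # The name falls inside a zone this server is authoritative for:
    # it is answered from zone data (possibly "no such name"), never forwarded.
    return ("authoritative", zone)

# Constructed sample: root held as a slave zone plus one forward zone.
SAMPLE_ZONES = {".": "slave", "corp.test": "forward"}
SAMPLE_DELEGATIONS = {".": ["com", "org"]}

if __name__ == "__main__":
    for q in ("www.example.com", "printer.lan", "host.corp.test", "other.test"):
        print(q, decide(q, SAMPLE_ZONES, SAMPLE_DELEGATIONS, True))
```
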


