Problem with allow-query-cache and additional-from-cache?

Peter Collinson pc at hillside.co.uk
Wed Jul 16 06:38:00 UTC 2008


I've compiled and installed
bind-9.5.0-28.P1.fc8.src.rpm
on a couple of machines running old Fedoras. I use these machines as secondary nameservers - well, their primary task is to do something else, and I am just using their named to secondary my main name server.

The named.conf looks like:

options {
        ....
        allow-query  { any; };
        allow-recursion { trusted; };
        allow-transfer  { trusted; };
        allow-query-cache { trusted; };
        .....
        additional-from-cache yes;
};

I've added the additional-from-cache here to show that it's on by default.

I am getting a lot of log lines like...

...............query (cache) 'externaldomain.co.uk/A/IN' denied

which are triggered by MX records in a domain for which I am authoritative, i.e. authoritativedomain.co.uk contains:

@	IN MX 10 externaldomain.co.uk

I notice that from 'outside' the named is no longer returning A records for externaldomain.co.uk when I look up authoritativedomain.co.uk with an MX lookup. I can trigger the error by doing an MX lookup for authoritativedomain.co.uk from elsewhere. So it looks as if additional-from-cache is not working the way I would expect.

My reading of the documentation is that I should expect to be returning the A records from my cache for external domains referenced in MX records when additional-from-cache is 'yes'.

So - question 1 - should I be worried about this? Will all external machines take the rejection and perform their own lookup of the domains - and is the fix to stop logging and worrying about this?

And - question 2 - is this a bug? Is my expectation correct? Is additional-from-cache broken?

And - question 3 - if I need to be worried, what can I do about it? It seems that pointing the MX record at a name in the authoritative.co.uk domain and using a CNAME to point to the real machine doesn't help. I guess I can replace the machine names in the MX records by IP addresses, but this seems to defeat the purpose of using names in the first place.


Thanks
_____________________________________________
Peter Collinson
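An added example, not from Peter's post: one way to keep untrusted clients from touching the cache at all is to split the server into an authoritative-only view for everyone and a recursive view for the trusted ACL, so cache-gated additional lookups (and the "query (cache) ... denied" log lines) only happen for clients that are allowed to use the cache. The `trusted` ACL body, the master address and the zone file paths are placeholders; `additional-from-cache no` must be paired with `recursion no` in the same view, and every slave zone has to be declared in each view that should serve it.

```conf
// Added example (not from the original post). The "trusted" ACL body,
// the master address and the file paths are placeholders.
acl trusted { 127.0.0.1; 192.0.2.0/24; };

// Views are matched in order: trusted clients land here and may use
// the cache, both for answers and for additional-section data.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-query-cache { trusted; };
    additional-from-cache yes;

    zone "authoritativedomain.co.uk" {
        type slave;
        masters { 192.0.2.53; };   // placeholder master
        file "slaves/internal/authoritativedomain.co.uk";
    };
};

// Everyone else gets an authoritative-only view: the cache is never
// consulted, so no additional data is fetched from it and external
// resolvers look up the MX targets' A records themselves.
view "external" {
    match-clients { any; };
    recursion no;                  // required alongside additional-from-cache no
    additional-from-cache no;

    zone "authoritativedomain.co.uk" {
        type slave;
        masters { 192.0.2.53; };   // same placeholder master
        file "slaves/external/authoritativedomain.co.uk";
    };
};
```

Once views are in use, zones can no longer sit directly in the top-level configuration; `allow-transfer` and similar options can stay in `options` and are inherited by both views.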
