so many "denied recursion for query from" messages for CNAME domain, why?

Kevin Darcy kcd at chrysler.com
Tue Oct 7 01:22:09 UTC 2008


MontyRee wrote:
> Hello, all.
>
>
> I have operated bind 8.x as authoritative for some domain.
> the domain is a CNAME like this at that dns server
>
>
> www.test.example.com         IN  CNAME        www.xyz.test.example.com.
> www.xyz.test.example.com.  IN      A             192.168.151.234
>
>
> But I can see lots of messages like below (about 3~5% of the total queries)
>
>
> Oct  6 19:40:26 ns named[29298]: denied recursion for query from [121.xx.xx.x].33244 for www.test.example.com IN
>
>
> and when I test using dig, the above "denied recursion for query from" messages occur
> only when it doesn't answer with the A record (only the CNAME)
>
>
> a)
> www.test.example.com         IN  CNAME        www.xyz.test.example.com.
> www.xyz.test.example.com.  IN      A             192.168.151.234
>
>
> b)
> www.test.example.com         IN  CNAME        www.xyz.test.example.com.
>
>
> I would like to know when the dns answers a) (95%) or b) (5%)?
>   
If www.xyz.test.example.com happens to be in cache, then no recursion is 
necessary to fetch it. So your "allow-recursion" statements don't 
prevent the full answer from being returned.

If www.xyz.test.example.com is not in cache, then recursion would be 
necessary to fetch the answer. If your allow-recursion settings don't 
allow the client to recurse, then only the CNAME is returned, and you 
get the error in your logs.

Note that later versions of BIND 9 -- which you should be running anyway 
because BIND 8 is end-of-life -- have finer-grained control over client 
access to cached data. See "allow-query-cache".
> and if the client gets answer b), what would happen?
> is there any problem or not?
>   
If it's a "stub resolver" doing the asking, then if it gets the 
CNAME-only answer, that will effectively be considered a query failure. 
Generally, only "leaf node" devices run stub resolvers (e.g. desktop, 
laptop or mobile end-user computers, or perhaps some very-low-end 
servers that are considered too weak to run their own local caching 
resolvers).

If it's a full resolver asking your authoritative server about the name, 
then it should be smart enough to take the CNAME and continue resolution 
from that point.

- Kevin
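The two configurations discussed above, as an added named.conf fragment that is not part of this thread or of BIND's own documentation. The ACL name "internal", the 192.0.2.0/24 network, the directory and the zone file name are assumed values.

```conf
// Added example (not from the thread). Authoritative BIND 9 named.conf
// fragment; "internal", 192.0.2.0/24 and the paths are assumed values.
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";             // assumed path

    // The situation in the thread: recursion is limited to internal
    // clients, but nothing separately limits who may read the cache.
    // An outside client asking for the CNAME owner therefore gets the
    // full chain only while the target happens to be cached, and a
    // CNAME-only answer plus a "denied recursion" log line otherwise.
    //
    //     allow-recursion { "internal"; };
    //
    // Consistent behaviour: tie cache access to the same ACL with
    // allow-query-cache (BIND 9.4 and later), so outside clients always
    // receive the CNAME-only answer regardless of cache state and a
    // full resolver chases the CNAME itself.
    allow-recursion   { "internal"; };
    allow-query-cache { "internal"; };

    // For a server that is authoritative only, disable recursion
    // outright instead: every client is then treated the same way.
    // recursion no;
};

zone "test.example.com" {
    type master;
    file "test.example.com.zone";       // assumed file name
    allow-query { any; };               // zone data stays public
};
```

Check the result with `named-checkconf` before reloading; it reports the allow-query-cache option as unknown on BIND versions that predate it.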

