name caching and forwarding
Robert Moskowitz
rgm at htt-consult.com
Tue Feb 26 19:22:09 UTC 2013
hey, Kevin, hope you are hanging well back at the old stomping ground!
On 02/26/2013 01:42 PM, Kevin Darcy wrote:
> On 2/26/2013 11:39 AM, Robert Moskowitz wrote:
>>
>> On 02/26/2013 11:14 AM, Phil Mayers wrote:
>>> On 26/02/13 16:07, Robert Moskowitz wrote:
>>>
>>>> And I am having challenges with the forward option. It reads that
>>>> 'forward only' will always ask the forwarder about the query and seems
>>>> to defeat caching? And 'forward first' only looks in cache after a
>>>> forward fails? This does not sound right and I am missing
>>>> something in
>>>> the documentation; like forwarding ONLY applies IF the query is NOT in
>>>> cache?
>>>
>>> No, you've misunderstood.
>>>
>>>
>>> "forward first" means "try the forwarders, and if you don't get a
>>> reply, try the query yourself starting from the root"
>>>
>>> "forward only" means "only ever try the forwarders"
>>>
>>> "forward" replies are always cached for the relevant TTL.
>>
>> OK. This is what I was hoping it meant, but I was not good at
>> expressing it.
> To clarify even further, caching is *always* in effect, no matter what
> kind of non-authoritative zone you define (forward, stub, etc.) or
> even if you have no explicit zone definition at all and simply follow
> the delegation chain to the data, as Phil described.
>
> Think of "forward first" as "opportunistic", in the sense that you'll
> try to get the data via forwarding, but if that doesn't work, you'll
> fall back to whatever mechanism you'd use to resolve the name, if the
> zone definition didn't exist at all. Generally speaking, "forward
> first" is an attempt (usually unsuccessful, in most environments) to
> improve query performance by utilizing a centralized cache.
>
> "Forward only", on the other hand, is "dependent", in the sense that
> your forwarders are the *only* thing that will allow you to resolve
> the name. If that doesn't work, the query fails completely. "Forward
> only" should be used, not solely as an attempt to enhance performance,
> but as a way to get around connectivity restrictions, e.g. firewalls
> or a restrictive routing regime.
>
> So, in a nutshell: "forward first" as an opportunistic attempt to
> improve performance, but you can still fall back to your regular
> resolution methods; "forward only" to get around blockages or
> connectivity restrictions.
Very well summarized. Thank you. What I was expecting it to work, but
verify; don't just trust.
>
> If all you want to do is run a private namespace, I wouldn't be
> fiddling around with forwarding at all. Set up your own root zone,
> propagate a private set of hints data, and be happy. I know that you
> once thrived in such a DNS environment :-)
Them were the days.
>
> - Kevin
>
> P.S. Insightful readers may have picked up from the above that I am
> not particularly fond of forwarding at all. In my experience,
> iterative resolution usually shows better performance, especially in
> geographically-diverse infrastructures with many subdomain levels
> (would I really want to forward through Italian nameservers to resolve
> names that I could resolve from nameservers in the same metro area,
> for the North American subdivision of one of our partners?). For that
> matter, I'm an even bigger fan of replicating zone data far and wide
> on stealth slaves -- give your users the maximum in performance and
> resiliency, and they'll be happier for it. In practical terms, one of
> the biggest issues I have about forwarding is that admins who go hog
> wild with it tend to get really lazy and sloppy about keeping their
> delegations and glue straight. Which means they create massive
> interoperability problems for anyone who doesn't want to play in their
> forwarding sandbox. Even though I eschew forwarding myself, I leave
> the option open for people to forward to my infrastructure
> *if*they*must*, but with all of the broken delegations/glue, I am not
> afforded the same opportunity to utilize my preferred resolution
> methodology. That seems a little selfish/one-sided.
My little network will do well as I am setting it up. Plus I can run my
HIP testing. I leave the world-wide mess to old hands like you.
More information about the bind-users
mailing list