CNAMEs and non-recursive name servers
Roy Arends
Roy.Arends at nominum.com
Fri Mar 16 00:52:16 UTC 2001
On Thu, 15 Mar 2001, Simpson, John R wrote:
> Greetings,
>
> Our public name servers have recursion turned off for security and
> performance reasons.
Try

    fetch-glue no;

in the options block. It will stop your server from caching glue data.
> Some of our customers have asked us to add CNAME records to their
> domains with right-hand-sides that are in external domains (a web
> server from a web-hosting service). These entries work fine on our
> internal, recursive name servers, but fail on the public,
> non-recursive name servers. Queries for the CNAME record type work
> fine on both.
>
> It seems pretty clear what's happening -- the lookup of the
> outside name is failing. This syncs with Cricket's book, "When a
> name server looks up a name and finds a CNAME record, it replaces the
> name with the canonical name and looks up the new name."
>
> Is this normal,
yes
> and if so, what are the preferred workarounds?
3 options:
1) Client does recursion itself, or
2) Turn recursion on, or
3) Install some cache, to which the client can point its resolvers.
> It'd be nice, at least for this specific problem, if it'd use the local
> resolver config which points to the internal name servers to resolve the
> outside name, but if that's not the standard behavior I'm sure it's for good
> reasons. I'm just looking for my options.
You cannot put an A record in the zone (as a kind of glue) where the
CNAME points to, since this is out-of-zone data.
> Right now we're using an A record and the customer's systems are
> working fine.
Instead of the CNAME. Yep, that's a workaround.
> Using the CNAME would be nice for us because we wouldn't be caught in
> the middle when the web server's IP addresses change (we've got a lot
> of customers who use this hosting service). And the customer would be
> happier because "that's the way we've always done it."
The point is, someone has to do the recursion. Either the client, your
nameserver, or some in-between cache server.
> We're running BIND 8.2.3 on Solaris 7, the name servers are
> ns01.reyrey.net and ns02.reyrey.net, and the test zone file below
> demonstrates the problem. The record for www.carsrus.reyrey.net
> demonstrates the problem. Test.carsrus.reyrey.net works fine, since
> gw.reyrey.net is in a zone where we're authoritative.
Yep, totally true.
Roy Arends
Nominum.com.
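Roy's point that someone has to do the recursion, as an added example that is not code from this thread or from BIND: a small Python simulation of an authoritative server with recursion turned off, and of a client that chases the dangling CNAME itself by falling back to a recursive resolver. The zone layout (reyrey.net, carsrus.reyrey.net, gw.reyrey.net, www.carsrus.reyrey.net and test.carsrus.reyrey.net) follows the post; the hosting provider's name www.hosting.example, all addresses (RFC 5737 documentation ranges) and the recursive resolver's data are constructed for the example.

```python
# Added example, not from the thread or from BIND: client-side CNAME
# chasing against a non-recursive authoritative server, driven by
# constructed zone data.  Only the reyrey.net / carsrus.reyrey.net names
# come from the original post; hosting.example and all addresses are
# constructed.

# Zones the non-recursive public server (think ns01.reyrey.net) serves.
AUTH_ZONES = {
    "reyrey.net": {
        "gw.reyrey.net": [("A", "192.0.2.1")],
    },
    "carsrus.reyrey.net": {
        # in-zone target: the server can finish this lookup by itself
        "test.carsrus.reyrey.net": [("CNAME", "gw.reyrey.net")],
        # out-of-zone target: the server stops at the CNAME
        "www.carsrus.reyrey.net": [("CNAME", "www.hosting.example")],
        # out-of-zone target that nobody can resolve (edge case)
        "old.carsrus.reyrey.net": [("CNAME", "gone.hosting.example")],
    },
}

# What a recursive resolver (the internal servers, or a cache) can reach.
# Constructed; hosting.example stands in for the web-hosting service.
RECURSIVE_DATA = {
    "www.hosting.example": [("A", "198.51.100.10")],
    "gw.reyrey.net": [("A", "192.0.2.1")],
}


def zone_for(name):
    """Longest authoritative zone containing name, or None if out of zone."""
    best = None
    for zone in AUTH_ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def auth_lookup(name, qtype):
    """Simulate an authoritative server with recursion turned off.

    Returns None when the name lies outside every zone it serves (BIND
    answers such queries with a referral, not an answer).  Otherwise
    returns (owner, type, rdata) triples: the CNAME at the name plus the
    records at the canonical name, but only while the canonical name is
    still inside the server's own data.  It never fetches anything.
    """
    answer = []
    cur = name
    for _ in range(8):  # bound in-server CNAME restarts
        zone = zone_for(cur)
        if zone is None:
            return answer or None
        rrs = AUTH_ZONES[zone].get(cur, [])
        cnames = [rd for (t, rd) in rrs if t == "CNAME"]
        if cnames and qtype != "CNAME":
            answer.append((cur, "CNAME", cnames[0]))
            cur = cnames[0]
            continue
        answer.extend((cur, t, rd) for (t, rd) in rrs if t == qtype)
        return answer
    return answer


def recursive_lookup(name, qtype):
    """Simulate a recursive resolver, which does all the chasing itself."""
    return [(name, t, rd) for (t, rd) in RECURSIVE_DATA.get(name, [])
            if t == qtype]


def chase_cname(name, qtype, max_hops=8):
    """Client-side recursion (Roy's option 1).

    Ask the authoritative server first; when it hands back a CNAME it
    cannot complete, or refuses the name outright, finish the lookup via a
    recursive resolver.  Loops and over-long chains are cut off.
    Returns the list of rdata strings of type qtype, [] if none.
    """
    seen = set()
    cur = name
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop at %s" % cur)
        seen.add(cur)
        rrs = auth_lookup(cur, qtype)
        if rrs is None:                  # out of zone: someone must recurse
            rrs = recursive_lookup(cur, qtype)
        final = [rd for (_, t, rd) in rrs if t == qtype]
        if final:
            return final
        cnames = [rd for (_, t, rd) in rrs if t == "CNAME"]
        if not cnames:
            return []                    # NODATA / NXDOMAIN: nothing to chase
        cur = cnames[-1]                 # dangling CNAME: follow it ourselves
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    for qname in ("www.carsrus.reyrey.net", "test.carsrus.reyrey.net"):
        print(qname, "auth only:", auth_lookup(qname, "A"))
        print(qname, "chased   :", chase_cname(qname, "A"))
```

Run as a script it shows the asymmetry from the post: the authoritative answer for test.carsrus.reyrey.net already carries the A record of gw.reyrey.net, while the answer for www.carsrus.reyrey.net ends at the CNAME and only the chasing client gets an address.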