Fake root with selective forwarding
Kevin Darcy
kcd at daimlerchrysler.com
Tue Aug 24 21:03:56 UTC 2004
William Stacey wrote:
>Sorry to be thick here, but just verifying:
>
>Assuming ForwardFirst and not root server.
>1) If any forwarders are add to slist, then would NS delegation records even
>be added to slist?
>
Not unless the forwarding fails.
>How about root hints?
>
No, root hints are only used for the "priming" (root NS) query that
named makes when it starts up. After that, it'll have cached root
information, and during the course of resolving queries, cached NS
records for subdomains below that. It'll use those cached entries.
AFAICT, the "safety belt" idea has been discarded, since there was too
much ambiguity between "safety belt" data and regular cached data. So
the nameserver "primes" instead, populates its cache, and therefore has
no need of a "safety belt" after that.
>2) If true, then for ForwardFirst: All forwarders are added to slist, any
>delegations NS are added, and all root-hints are added. So forwarders are
>tried first, then delegations, then hints in that order?
>
Forwarders first (as the name implies :-), then, if the forwarding
fails, it'll act as if the forwarding never existed, using either cached
referral information or authoritative data, depending on which is
closer, hierarchically speaking, to the name being looked up. If a
server has forward first for a.b.c.d.com, for instance, and forwarding
fails for a name in that domain, then even if that server is
authoritative for d.com, it would still use cached referral information
for b.c.d.com, if any, in preference to c.d.com delegation records,
since the cached information is closer to the target name. The "spirit"
of the resolver algorithm is to always get closer and closer to the
target name, i.e. "down" the hierarchy, until you get a definitive
answer or you can't go any further and have to give up. Generally
speaking, then, if you have "closer" referral information in memory,
you'd never go "above" that point in the hierarchy, and never to the
root except as a last resort. All of this logic, including the
forwarding enhancement, is contained within Step 2 ("Find the best
servers to ask") of the RFC 1034 algorithm.
>3) If no forwarders are added to slist (either not configured or set to
>"{}" ) then any delegations are added to slist if available and all
>root-hints are added and tried in that order?
>
Well, if forwarders are set to "{}", then presumably the zone is defined
as some type other than "type forward", e.g. stub, master, slave. In
which case it will have NS records for the zone itself (authoritative NS
records in the case of master or slave, non-authoritative NS records in
the case of stub), and won't need to rely on delegation records from an
ancestor domain.
- Kevin
More information about the bind-users
mailing list