cached rr not provided to recursive clients
Kevin Darcy
kcd at daimlerchrysler.com
Wed Mar 3 21:30:37 UTC 2004
Take a look at Section 5.4.1 ("Ranking Data") in RFC 2181.
- Kevin
Ladislav Vobr wrote:
>Thanks a lot Kevin for your time and information in your reply
>
>I was trying the get some reasoning behind this behavior, this is my
>nature - always ask why :-)? I agree with you recursive and
>non-recursive query can vary, and varies and it has it's good reasons as
>you said.
>
>There are around 4-5 different credit tags (authority, answer, glue,
>authanswer, additional) in named_dump.db. The behavior you explained is
>related to authanswer flag I assume, and other 4 are not considered as a
>valid answer to the recursive client, and bind prefers to time out,
>rather than to provide this type of cached data to recursive
>clients/servers, am I right?
>
>Does it mean bind will never provide any other cached rrs' then only the
>ones with the Cr tag=authanswer?
>
>This was my question, somehow to find out, when the bind really just
>answer purely from the cache.
>
>Ladislav
>
>Kevin Darcy wrote:
>
>
>>Ladislav Vobr wrote:
>>
>>
>>
>>
>>>I have noticed that bind 9.2.3, albeit having the rr's in the cache as a
>>>glue from parent, doesn't provide it to recursive clients, but only to
>>>nonrecursive (dig +norec), in case authoritative servers are down.
>>>
>>>Most probably bind is trying to verify with the authoritative servers,
>>>and without their reply it refuses to provided the data to but only to
>>>recursive clients.
>>>
>>>Can someone elaborate what are the conditions/verifications/checks
>>>required to provide recursive clients cached rrs'? What is the reasoning
>>>behind this behavior?
>>>
>>>This seems to be a topic of a minor interest, since I have raised
>>>several times without much success, but I think I am not the first guy
>>>who dumped the cache and see the rr data there, wondering why bind
>>>doesn't provide it. Are those non-responding authoritative nameservers
>>>considered lame? No, not for bind9 they are not lame since it doesn't
>>>log them in the lame.log...
>>>
>>>
>>>
>>Ladislav,
>>This behavior is the combined result of a) the distinction between
>>recursive and iterative resolution and b) the design principle of DNS
>>that answers to the same question should be as consistent as possible,
>>even in the face of failures in the system.
>>
>>When a DNS query is made recursively, it is essentially saying "do
>>everything you can to get me the answer to this question, because I'm
>>relying on you totally for the answer". Therefore the recursive resolver
>>tries to get the answer by asking the authoritative servers. If they are
>>down or unreachable, the query may time out, the client times out, life
>>goes on.
>>
>>When, on the other hand, a DNS query is made non-recursively, it
>>essentially says "give me the best information you have about this name
>>without recursing; if the response you give is incomplete or
>>untrustworthy, that's OK because I'll just use your information to get
>>the real data by myself". Therefore the recursive resolver gives out
>>referral/glue information if that's all it happens to have.
>>
>>Follow me so far? A recursive and a non-recursive query for the same
>>RRset may generate different results, depending on what the responding
>>resolver happens to have cached. This is normal and natural as the DNS
>>protocol is designed.
>>
>>Now, you seem to be implying that for a recursive query, the resolver
>>should first try to get the answer from the authoritative servers, but,
>>after a short timeout (shorter than the client's timeout!) it should
>>give up and return glue information instead, if it has any. But that
>>violates the consistency principle. It means that, in
>>intermittent-connectivity situations, the same recursive query could get
>>*different* answers -- sometimes glue, sometimes answers from the
>>authoritative servers -- even though the base DNS data has not changed
>>in any way. Such behavior would play havoc with any attempt to
>>troubleshoot such a problem, and as a whole makes the DNS infrastructure
>>seem unreliable.
>>
>>- Kevin
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
More information about the bind-users
mailing list