Force Clients to *always* use authoritative

Joseph S D Yao jsdy at center.osis.gov
Mon Dec 18 21:09:46 UTC 2006


On Mon, Dec 18, 2006 at 12:38:08PM -0800, Karl R. Balsmeier wrote:
> Is there a specific way to set a name server so that clients are always 
> *forced* to use an authoritative name server?
> 
> UltraDNS and some others have mentioned little features they have, but 
> it only hints at the possibility that somewhere in the DNS spec. 
> 
> -karlski

It is not clear what you mean.  Information must always come from an
authoritative name server.  But clients must go to their local resolving
name server first to get a recursive lookup to those authoritative name
servers.

Definitions: 

An "authoritative name server" for a given zone is one that says that
it has ALL the information for that zone.  No authentication is normally
performed, so it could be lying.  There is no such thing as a PARTIALLY
authoritative name server, by the way - it's ALL or NOTHING.  It may or
may not allow recursive resolution, but all security advice advises
against it.

A "resolving name server" is the one which your stub resolver client
queries, and which will turn around and do whatever series of recursive
and iterative lookups are needed to resolve your query.  It is not
necessarily the same as your local domain's authoritative name server;
and in fact, things work more cleanly if it is NOT.  But it often is,
unfortunately.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
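
Added example, not part of the original message: the two server roles defined above are visible in the header flags of a DNS response (RFC 1035, section 4.1.1), where AA is the server's own unauthenticated claim of authority and RA says it offers recursion. The sample messages and the names `classify`, `make_header` and `SAMPLES` are constructed for this illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "response": bool(flags & QR),
        "aa": bool(flags & AA),   # server asserts authority; nothing verifies it
        "rd": bool(flags & RD),   # client asked for recursion
        "ra": bool(flags & RA),   # server offers recursion
        "rcode": flags & 0x000F,
        "ancount": an,
    }

def classify(msg: bytes) -> str:
    """Label the responding server's role from the AA and RA bits."""
    h = parse_header(msg)
    if not h["response"]:
        return "not a response"
    if h["aa"] and h["ra"]:
        return "authoritative, recursion offered (advised against)"
    if h["aa"]:
        return "authoritative only"
    if h["ra"]:
        return "resolving server, non-authoritative answer"
    return "non-authoritative, no recursion (referral or refusal)"

def make_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample: header only, question/answer sections omitted."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed responses, one per case discussed in the message above.
SAMPLES = {
    "auth_only": make_header(QR | AA | RD),
    "auth_open": make_header(QR | AA | RD | RA),
    "resolver": make_header(QR | RD | RA),
    "referral": make_header(QR | RD, ancount=0),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10s} -> {classify(msg)}")
```
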



