so many "denied recursion for query from" messages for CNAME domain,why?
Kevin Darcy
kcd at chrysler.com
Tue Oct 7 01:22:09 UTC 2008
MontyRee wrote:
> Hello, all.
>
>
> I have operated bind 8.x as authoritative for some domain.
> the domain is CNAME like this at that dns server
>
>
> www.test.example.com IN CNAME www.xyz.test.example.com.
> www.xyz.test.example.com. IN A 192.168.151.234
>
>
> But I can see lots of messages like below(about 3~5% of the total query)
>
>
> Oct 6 19:40:26 ns named[29298]: denied recursion for query from [121.xx.xx.x].33244 for www.test.example.com IN
>
>
> and when I test using dig, the above "denied recursion for query from " messages occur
> only when it doesn't answer with the A record (only the CNAME)
>
>
> a)
> www.test.example.com IN CNAME www.xyz.test.example.com.
> www.xyz.test.example.com. IN A 192.168.151.234
>
>
> b)
> www.test.example.com IN CNAME www.xyz.test.example.com.
>
>
> I would like to know when the DNS answers a) (95%) or b) (5%)?
>
If www.xyz.test.example.com happens to be in cache, then no recursion is
necessary to fetch it. So your "allow-recursion" statements don't
prevent the full answer from being returned.
If www.xyz.test.example.com is not in cache, then recursion would be
necessary to fetch the answer. If your allow-recursion settings don't
allow the client to recurse, then only the CNAME is returned, and you
get the error in your logs.
Note that later versions of BIND 9 -- which you should be running anyway
because BIND 8 is end-of-life -- have finer-grained control over client
access to cached data. See "allow-query-cache".
> And if the client gets answer b), what would happen?
> Is there any problem or not?
>
If it's a "stub resolver" doing the asking, then if it gets the
CNAME-only answer, that will effectively be considered a query failure.
Generally, only "leaf node" devices run stub resolvers (e.g. desktop,
laptop or mobile end-user computers, or perhaps some very-low-end
servers that are considered too weak to run their own local caching
resolvers).
If it's a full resolver asking your authoritative server about the name,
then it should be smart enough to take the CNAME and continue resolution
from that point.
- Kevin
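The two points in the reply above (a CNAME-only answer when the target is not cached and the client may not recurse, versus a full answer when it is cached; and a stub resolver treating the CNAME-only answer as a failure while a full resolver chases the CNAME itself) can be seen in a small model. This is an added example, not code from the original thread or from BIND; the zone, the upstream records, the client addresses, the ACLs and the log format are constructed to mirror the post, and the decision logic follows Kevin's explanation rather than BIND's actual source.

```python
# Added example (not from the original post or from BIND): a toy model of an
# authoritative server answering a query for a name that is a CNAME, depending
# on whether the CNAME target is cached and whether the client may recurse.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Zone data the server is authoritative for (constructed, mirrors the post).
ZONE = {
    "www.test.example.com.": ("CNAME", "www.xyz.test.example.com."),
}
# Data that lives elsewhere and can only be obtained by recursing (constructed).
UPSTREAM = {"www.xyz.test.example.com.": ("A", "192.168.151.234")}


def in_acl(client, acl):
    """True if the client address matches any network in the ACL."""
    return any(ip_address(client) in ip_network(n) for n in acl)


@dataclass
class AuthServer:
    allow_recursion: list                       # like BIND's allow-recursion
    allow_query_cache: list = field(            # like BIND 9's allow-query-cache;
        default_factory=lambda: ["0.0.0.0/0"])  # "everyone" models the BIND 8 behaviour
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def query(self, client, port, qname):
        """Return the answer section as a list of (name, type, rdata) tuples."""
        answer, name = [], qname
        while True:
            if name in ZONE:                         # authoritative data
                rtype, rdata = ZONE[name]
            elif name in self.cache and in_acl(client, self.allow_query_cache):
                rtype, rdata = self.cache[name]      # cached: no recursion needed
            elif in_acl(client, self.allow_recursion):
                rec = UPSTREAM.get(name)             # simulated recursive fetch
                if rec is None:
                    break                            # target does not exist
                rtype, rdata = rec
                self.cache[name] = rec               # now cached for everyone
            else:
                # Client may not recurse: stop at the CNAME and log, as in the post.
                self.log.append(
                    f"denied recursion for query from [{client}].{port} "
                    f"for {qname.rstrip('.')} IN")
                break
            answer.append((name, rtype, rdata))
            if rtype != "CNAME":
                break
            name = rdata                             # follow the CNAME chain
        return answer


def stub_resolver(server, client, name):
    """A stub resolver needs the final A record; a CNAME-only answer is a failure."""
    answer = server.query(client, 33244, name)
    addrs = [r for (_, t, r) in answer if t == "A"]
    return addrs[0] if addrs else None


def full_resolver(server, client, name, upstream=UPSTREAM):
    """A full resolver takes the CNAME and continues resolution from there."""
    for (_, t, r) in server.query(client, 33244, name):
        if t == "A":
            return r
        if t == "CNAME":
            name = r
    rec = upstream.get(name)         # ask the target's own servers (simulated)
    return rec[1] if rec else None


def demo():
    """Replay the 95%/5% pattern from the post on a server with an empty cache."""
    srv = AuthServer(allow_recursion=["10.0.0.0/8"])     # constructed ACL
    a1 = srv.query("121.0.0.1", 33244, "www.test.example.com.")  # outside client, cold cache
    a2 = srv.query("10.1.2.3", 5353, "www.test.example.com.")    # inside client recurses
    a3 = srv.query("121.0.0.1", 33245, "www.test.example.com.")  # outside client, warm cache
    return a1, a2, a3, srv.log


if __name__ == "__main__":
    for label, ans in zip("a1 a2 a3".split(), demo()[:3]):
        print(label, ans)
```

The first outside query gets only the CNAME and produces the log line; once an allowed client has caused the target to be cached, the same outside client gets the full answer with no log entry, which is why only a small fraction of queries are logged. Restricting `allow_query_cache` to the same networks as `allow_recursion` makes the outside client consistently get the CNAME-only answer instead of depending on cache state.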