Rely on Recursive "De-forwarding" Behavior?

Cricket Liu cricket at acmebw.com
Fri Jul 9 20:00:39 UTC 1999


> I have been experimenting with the "de-forwarding" feature
> of BIND 8.2, i.e. where you specify a null forwarders list for a given
> zone in order to override the global forwarding behavior. What I have
> noticed is that the "de-forwarding" specification seems to apply not
> only to a given zone, but to subzones as well. For example, if
> I deforward "bar.com", and then I happen to get some NS RRs in my cache
> for "foo.bar.com", which is not mentioned in my named.conf file, I'll
> still not forward for that zone, even though I now know it is a separate
> zone from its parent.
>
> My question is: is this behavior intentional, or just accidental? We
> here at DaimlerChrysler are in the throes of a massive DNS integration
> and would not want to rely on behavior that may quietly disappear in a
> subsequent release. A purist argument could be made, I suppose, that
> deforwarding should only apply to a given zone, and not apply
> recursively. But the current recursive behavior seems more useful for
> us, since our zone hierarchies go fairly deep in places.

As far as I know, this behavior is intentional.  A forward "zone" is really
a forward "domain":  the forwarding behavior applies to all domain names
that end in the "zone's" domain name.  That makes sense, when you think
about it.  Before you know there are NS RRs for foo.bar.com, you have no way
to determine whether to forward a query for baz.foo.bar.com.  So what should
you do?  If, later, you learn the NS RRs, should you modify that behavior?

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend our next DNS and BIND class!  See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.
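
The suffix rule described in the reply above, as an added sketch that is not part of the original message and is not BIND's code. The zone names and addresses are constructed samples, and picking the longest matching domain when several forward domains are configured is an assumption of this model.

```python
# Model of forwarder selection by domain-name suffix (illustration only).
# GLOBAL_FORWARDERS stands for: options { forwarders { 192.0.2.53; }; };
# An empty list stands for:     zone "bar.com" { type forward; forwarders { }; };
GLOBAL_FORWARDERS = ["192.0.2.53"]            # constructed address
FORWARD_DOMAINS = {
    "bar.com": [],                            # "de-forwarded" domain
    "corp.example": ["198.51.100.10"],        # constructed per-domain forwarder
}


def _labels(name):
    """Split a name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def select_forwarders(qname, domains=FORWARD_DOMAINS, default=GLOBAL_FORWARDERS):
    """Return (matched_domain, forwarders) for a query name.

    A configured domain matches when it is a whole-label suffix of qname,
    so "foobar.com" does not match "bar.com". The longest match wins
    (assumption of this model). No match falls back to the global list.
    """
    q = _labels(qname)
    best, best_len = None, -1
    for domain in domains:
        d = _labels(domain)
        if len(d) <= len(q) and q[len(q) - len(d):] == d and len(d) > best_len:
            best, best_len = domain, len(d)
    if best is None:
        return None, list(default)
    return best, list(domains[best])


def decide(qname):
    """'iterate' when the selected forwarder list is empty, else 'forward'.

    The cache is deliberately not an input: learning NS RRs for
    foo.bar.com later cannot change the answer for baz.foo.bar.com.
    """
    _, forwarders = select_forwarders(qname)
    return "forward" if forwarders else "iterate"


if __name__ == "__main__":
    for name in ("baz.foo.bar.com", "foobar.com", "host.corp.example"):
        print(name, select_forwarders(name), decide(name))
```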


