Lump answers

Mon Nov 29 04:58:06 UTC 1999

> > But internal root name servers, which are what Christine is
> > describing, only know about a small number of apex zones.
> > If you ask an internal root name server about a zone whose
> > ancestor doesn't appear in the root zone, you get NXDOMAIN.
>
> My answer is still correct.

Sure it is, but I think it's misleading to imply that an internal
root name server "works" with forwarding.  Let's look at a
simple configuration:

options { directory "/var/named";
    forwarders { some.internet.forwarder; };
    forward only;
};

zone "." {
    type master;
    file "db.root";
};

and in db.root:

@    IN    SOA    ...
        IN    NS    me.acmebw.com.

acmebw.com.    IN    NS    ns1.acmebw.com.
acmebw.com.    IN    NS    ns2.acmebw.com.

(and glue, of course).

Far too many people expect this internal root name
server to forward a recursive query for, say, cnn.com
to the forwarder.  It doesn't, for reasons that I
believe we've clarified.  In fact, it'll only forward
queries for names in acmebw.com, which is
counterintuitive for many people.

> > > > >     Before 8.2.2,you will see in syslog: info: No root nameservers
> > > > > for class IN
> > > >
> > > > No, you won't see this in a correctly configured internal root
setup.
> > >
> > >  Christine is correct.
> >
> > No, she's not.  In 2, she's describing an internal root setup,
> > and a correctly configured internal root name server will
> > not log that error message.  It *is* a root name server, so
> > why should it?
>
> The error message was generated by attempting to prime the nameserver.
> When a nameserver is priming it ignores the hashtab (where the root
> zone is loaded) and only looks in fcachetab (where the hints are
> loaded).  On a rootserver fcachetab is empty, as result the above
> error message is generated.

I beg your pardon, then!  But I don't remember this from my
old BIND 4 root name servers.  Was this bug introduced in
BIND 8?

> > >  715.   [clarity]       root servers don't need to be primed.
> > >
> > > > >     b) forget the hint file all together
> > > > >     Result:  nothing works.  syslog will complain: findns: No root
> > > > nameservers
> > > > >     for class IN?  This is not the same as the info message in
case 2.
> > > > Case 2
> > > > >     applies to root servers only.  You definitely need a hint
file,
> > but
> > > > what
> > > > >     goes in it?  Read on.
> > > >
> > > > This isn't true.  Forward-only name servers have always been able
> > > > to run without a root hints file, and in newer verisons of BIND,
> > > > you don't even see an error message in this configuration.
> > >
> > > "Forward only" only works correctly as of BIND 8.2.1.
> > > Prior to BIND 8.2 the hints file is required and should be
> > > configured with the root servers.  With BIND 8.2 don't even
> > > attempt "forward only".
> >
> > Forward only worked in previous versions of BIND, too (BIND 4,
> > for example).  Even though it would produce an error message,
> > the name server would work correctly.
>
> Forward-only *partially* worked in BIND 4 and required a cache zone or
> a root stub zone to be present.  The error messages indicate times when
> it should have been able to proceed but couldn't due to the fact that
> it hadn't primed the cache.

Under what conditions did it fail?  I've always recommended
including a root hints file on a forward only name server
just to keep BIND quiet, but I'm interested to know exactly
what goes wrong if you don't, since I've never spotted it.

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class!  See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.