allow-recursion + FreeBSD + bind 8.2.2patch7

Kevin Darcy kcd at daimlerchrysler.com
Thu Dec 7 00:20:15 UTC 2000


It is normal for a nameserver to answer from cached information, even if it
is not honoring recursion for the client because of an
"allow-recursion" restriction. I interpret your post to mean that you ran
exactly the same series of queries (two consecutive A record queries for the
same) with the same timing, to 4 different identically-configured BIND 8
nameservers and received different results. I have no ready explanation for
that. Assuming that your testing method is as I have described it, then all
4 servers should have answered the second query from cache. Are you sure the
timing was the same for each test? If the TTL (time-to-live) setting on the
record was small, then possibly it might have expired from cache in between
queries.

If you really want to dig deeper into this, try dumping the nameserver's
databases after the first query (using "ndc dumpdb" or an INT signal to the
named process) and verifying that there is a cache entry, and what its
TTL is. If all of the servers have a cache entry with a reasonably-long TTL,
then I can't imagine why any of them *wouldn't* answer from their cache. You
should probably also scan the logs just to make sure that nothing unusual
was occurring at the time.


- Kevin

Micke Johansson wrote:

> Hi!
>
> I have noticed a little strange behavior with FreeBSD + Bind 8.2.2patch7 (
> same thing with p5 ) and the "allow-recursion" function.
>
> Example :
>
> TestServer1 running FreeBSD 3.3-stable
> TestServer2 running FreeBSD 3.5-stable
> TestServer3 running BSD/OS 4.1
> TestServer4 running Linux
>
> All running bind 8.2.2patch7 with the same config files, and just started
> so nothing has really been cached yet.
>
> When from a host that isn't allowed to ask a recursive query, query for
> example www.foo.bar I only get the NS for the root server ( which is
> correct )
>
> Then asking about www.foo.bar from an allowed host will return an A
> record ( or whatever )
>
> And now the difference in the behavior comes :
>
> When again asking from the host that isn't allowed on :
>
> TestServer1 and TestServer2 will answer with the A record ( or whatever )
> that it now has cached. (not correct behavior(?))
>
> TestServer3 and TestServer4 will only answer with the root nameservers
> (correct behavior(?))
>
> Anyone got a clue on why Bind under FreeBSD acts this way? and are there
> any other OS's that have the same behavior.
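
Added example, not part of the original thread: a small Python parser that tells the two responses discussed above apart (a root referral versus a non-authoritative answer served from cache) and reports the remaining TTL, which is the value to compare between servers and between tests. The helper names, the TTL values and the two sample messages are constructed for illustration; only the query name www.foo.bar comes from the post.

```python
import struct

def name(s):
    """Encode a dotted name ("." is the root) in DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\x00"

def rr(owner, rtype, ttl, rdata):
    """Encode one class-IN resource record."""
    return name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def response(flags, answers=(), authority=()):
    """Build a response to an A query for www.foo.bar (the name from the post)."""
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = name("www.foo.bar") + struct.pack("!HH", 1, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Classify a response and report the smallest TTL in its answer section."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _type, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    aa = bool(flags & 0x0400)                     # AA bit: authoritative answer
    kind = ("cached-answer" if an and not aa else
            "authoritative-answer" if an else
            "referral" if ns else "empty")
    return {"kind": kind, "aa": aa, "min_ttl": min(ttls) if ttls else None}

# Constructed samples: what the non-allowed host sees before and after the
# allowed host has caused the record to be cached (TTLs are made up).
REFERRAL = response(0x8000, authority=[rr(".", 2, 518400, name("a.root-servers.net"))])
CACHED = response(0x8000, answers=[rr("www.foo.bar", 1, 3542, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("before caching", REFERRAL), ("after caching", CACHED)):
        print(label, classify(msg))
```

A `min_ttl` that is small compared with the delay between the two queries would account for a server falling back to the referral on the second query.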
