CNAMEs and non-recursive name servers

Roy Arends Roy.Arends at nominum.com
Fri Mar 16 00:52:16 UTC 2001


On Thu, 15 Mar 2001, Simpson, John R wrote:

> Greetings,
> 
> 	Our public name servers have recursion turned off for security and
> performance reasons.  

Try
   fetch-glue no
It will stop your server from caching glue data.

> Some of our customers have asked us to add CNAME records to their
> domains with right-hand-sides that are in external domains (a web
> server from a web-hosting service).  These entries work fine on our
> internal, recursive name servers, but fail on the public,
> non-recursive name servers.  Queries for the CNAME record type work
> fine on both.
> 
> 	It seems pretty clear what's happening -- the lookup of the
> outside name is failing.  This synchs with Cricket's book, "When a
> name server looks up a name and finds a CNAME record, it replaces the
> name with the canonical name and looks up the new name."
> 
> 	Is this normal,

yes

> and if so, what are the preferred workarounds?

3 options.

1) Client does recursion itself.

 or
 
2) Turn recursion on

 or

3) Install some cache, to where the client can point its resolvers.

> It'd be nice, at least for this specific problem, if it'd use the local
> resolver config which points to the internal name servers to resolve the
> outside name, but if that's not the standard behavior I'm sure it's for good
> reasons.  I'm just looking for my options.

You can not put an A record in the zone (as a kind of glue) where the
CNAME points to, since this is out of zone data. 

> 	Right now we're using an A record and the customer's systems are
> working fine.  

Instead of the CNAME. Yep, that's a work-around.


> Using the CNAME would be nice for us because we wouldn't be caught in
> the middle when the web server's IP addresses change (we've got a lot
> of customers who use this hosting service).  And the customer would be
> happier because "that's the way we've always done it."

The point is, someone has to do the recursion. Either the client, your
nameserver, or some in-between cache server.

> 	We're running BIND 8.2.3 on Solaris 7, the name servers are
> ns01.reyrey.net and ns02.reyrey.net, and the test zone file below
> demonstrates the problem.   The record for www.carsrus.reyrey.net
> demonstrates the problem.  Test.carsrus.reyrey.net works fine, since
> gw.reyrey.net is in a zone where we're authoritative.

Yep, totally true.

Roy Arends
Nominum.com.
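Added illustration, not part of the original thread: a toy model of the behaviour discussed above. An authoritative server with recursion off follows a CNAME only while the target stays in a zone it serves (test.carsrus works, www.carsrus stops at the CNAME), so the client has to finish the lookup itself, which is option 1 in the reply. The zone contents, the external host name and all addresses are constructed; nothing here touches the network.

```python
# Constructed zone data modelled on the thread: one zone we are authoritative for.
ZONES = {
    "reyrey.net.": {
        "gw.reyrey.net.": [("A", "192.0.2.1")],
        "test.carsrus.reyrey.net.": [("CNAME", "gw.reyrey.net.")],
        "www.carsrus.reyrey.net.": [("CNAME", "www.example-host.invalid.")],  # out of zone
    }
}
# Stand-in for a recursive lookup of outside names (constructed, hypothetical).
EXTERNAL = {"www.example-host.invalid.": "198.51.100.7"}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def authoritative_answer(qname, qtype="A"):
    """Non-recursive server: return what it holds, chasing a CNAME only while
    the target is inside a zone it is authoritative for. Answer RRs are
    (owner, type, rdata) tuples, in the order a server would emit them."""
    answer, name = [], qname
    for _ in range(8):                       # guard against CNAME loops
        zone = next((z for z in ZONES if in_zone(name, z)), None)
        if zone is None:                     # out-of-zone target: stop, no recursion
            return "NOERROR", answer
        rrs = ZONES[zone].get(name)
        if rrs is None:
            return "NXDOMAIN", answer
        direct = [(name, t, d) for t, d in rrs if t == qtype]
        if direct:                           # asking for the CNAME type itself works
            return "NOERROR", answer + direct
        cname = [(name, t, d) for t, d in rrs if t == "CNAME"]
        if not cname:
            return "NOERROR", answer         # name exists, no data of that type
        answer += cname
        name = cname[0][2]
    return "SERVFAIL", answer


def is_complete(answer, qtype):
    """True when the last RR answers the requested type (no dangling CNAME)."""
    return bool(answer) and answer[-1][1] == qtype


def client_chase(qname, qtype, recursive_lookup):
    """Option 1 from the reply: the client finishes the CNAME chain itself."""
    rcode, answer = authoritative_answer(qname, qtype)
    if rcode != "NOERROR" or is_complete(answer, qtype):
        return rcode, answer
    target = answer[-1][2]
    addr = recursive_lookup(target)
    if addr is None:
        return "SERVFAIL", answer
    return "NOERROR", answer + [(target, qtype, addr)]
```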
