Exceptional handling of glue credibility - why?

Paul Vixie vixie at sa.vix.com
Sun Aug 1 16:25:32 UTC 2004


Ladislav Vobr <lvobr at ies.etisalat.ae> writes:

> Why don't recent binds provide the glue credibility cache records out
> of its cache to the recursive clients? Why does it put such an
> incredible headache to get an authoritative answer for the recursive
> client at the moment the client asks, while before when it was fetching
> the data through some other requests it really doesn't care which
> credibility it is, just simply caches it.

many servers follow the early BIND4 behaviour of caching everything they
receive and telling everything they know.  they also include "out of zone
glue" as part of zone authority data.

historically and statistically, such data is quite often wrong.  and, the
combination of "stale out-of-zone glue" being handed out by authority
servers, and having it be aggressively/promiscuously shared and re-used,
led to a state of affairs where bad A RRs would cycle through the 'net
without end.

> This puts a big load on the server, and creates unexplainable
> situations, when, although the data are in the cache, bind gets very busy
> doing something nobody really needs and wants and expects.

it's a high load, but it's doing something that everybody actually does
need and should want and should expect.

> can anybody shed some light on this and the logic behind it?

when i put this into BIND 4.9, my day job was what folks now call "sysadmin",
and this logic is what it took to get the decwrl.dec.com A RR to be edited
and published only by myself (zone admin for dec.com) and not by hundreds
of others (including typos and inability to renumber.)

> One more question, why do some binds treat exactly the same data in a
> different way (delegation NS and A records are sometimes in the answer
> section, sometimes in the additional section, sometimes cached as glue,
> sometimes as an answer, and sometimes the glue credibility is not provided
> to the clients but answer credibility always is.... simple isn't it?)

i'd need to see specific examples before i could answer this.
-- 
Paul Vixie
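
Added example (not part of the original message, and not BIND's code): a toy Python cache showing the behaviour discussed in this thread, where an A RR held only at glue credibility is not handed to a recursive client and cannot overwrite an authoritative answer. The class and function names, the four-level ranking (a simplification loosely modelled on RFC 2181 section 5.4.1), and the names and addresses are constructed for illustration; TTLs are ignored.

```python
from enum import IntEnum

class Cred(IntEnum):
    """Simplified credibility ranking, lowest first (hypothetical names)."""
    ADDITIONAL = 1    # additional-section data
    GLUE = 2          # address learned alongside a referral
    ANSWER = 3        # answer section, non-authoritative
    AUTH_ANSWER = 4   # answer section from a server authoritative for the zone

class Cache:
    def __init__(self, fetch_authoritative):
        self.rrs = {}                      # (name, rtype) -> (rdata, Cred)
        self.fetch = fetch_authoritative   # callable that asks the zone's own servers
        self.fetches = 0                   # counts the extra work the poster noticed

    def store(self, name, rtype, rdata, cred):
        """Cache a record unless better-ranked data is already held."""
        key = (name.lower(), rtype)
        old = self.rrs.get(key)
        if old is not None and cred < old[1]:
            return False                   # stale glue must not displace an answer
        self.rrs[key] = (rdata, cred)
        return True

    def lookup_for_client(self, name, rtype):
        """Answer a recursive client; glue-level data alone is not good enough."""
        key = (name.lower(), rtype)
        hit = self.rrs.get(key)
        if hit is not None and hit[1] >= Cred.ANSWER:
            return hit[0]
        # Only glue/additional data (or nothing) is cached: ask the authority.
        self.fetches += 1
        rdata = self.fetch(name, rtype)
        self.store(name, rtype, rdata, Cred.AUTH_ANSWER)
        return rdata

# Constructed data: the zone admin's published address for the name.
ZONE = {("ns.example.net", "A"): "192.0.2.53"}

def demo():
    cache = Cache(lambda n, t: ZONE[(n.lower(), t)])
    # Stale out-of-zone glue arrives with a referral from some other server.
    cache.store("ns.example.net", "A", "192.0.2.10", Cred.GLUE)
    first = cache.lookup_for_client("ns.example.net", "A")    # forces a fetch
    replaced = cache.store("ns.example.net", "A", "192.0.2.10", Cred.GLUE)
    second = cache.lookup_for_client("ns.example.net", "A")   # served from cache
    return first, replaced, second, cache.fetches

if __name__ == "__main__":
    print(demo())
```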

