'dig -t any ...' question
Ladislav Vobr
lvobr at ies.etisalat.ae
Tue Jun 15 04:00:49 UTC 2004
> I did notice a change related to that when we upgraded our caching
> servers from BIND 8 to 9. Prior to that, if I asked for the A record of
> a nameserver, I would often get the address from the glue in the parent
> zone. After the upgrade, it seemed to go to the authoritative server
> for this -- if all of the zone's servers were down, the query would hang
> and eventually return a SERVFAIL error. The only way to get the cached
> glue record was to query without the RD flag set.
>

Barry, the change is there between 8.3.4 and 8.4.1: 8.4.1 returns it the
same way as 9 and higher, while 8.3.4 returns it as an *answer*. I think
this will be very important to distinguish once it comes to DNSSEC: what
is glue and what is not, since the glue is not signed.

> However, I think ANY queries would still return whatever happened to be
> in the cache, no matter how it was learned.

If it is cached with *glue* credibility, it will not return it to RA
clients. This behaviour as you describe it is a nightmare: it keeps
retrying all nameservers if all are unreachable, causing incredible
traffic to remote servers and the network as well. I am sometimes seeing
nameservers querying me at 1000 (one thousand) req/s with the same
request. This can really spoil lots of things. Why would a caching
nameserver ever have to do such a thing? Does it really help to do it
this way?

How can we say it is perfectly fine to answer the recursive client with
non-authoritative data, when nothing was cached before this request? I
feel recursion means that, if it is not available, recurse up to the
source (auth servers) and get it, not from . or 2nd level or 3rd level or
4th level. We cannot stop randomly at some level just because some BINDs
think it was enough steps (parent 8.3.4 thinks it is enough, parent 8.4.1
thinks try to go to the next level... it seems really very consistent :-)).
We should always go up to the source *provided it was not cached before*.
How will this work in DNSSEC? We just answer the RA client with *glue*
and tell him to be happy with it :-)?

Ladislav
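
The behaviour discussed in this thread (cached glue visible only to RD=0 queries, SERVFAIL when recursion to the zone's servers fails) as a simplified model; this is an added example, not part of the post and not BIND's code. The trust levels are a reduced form of the RFC 2181 section 5.4.1 ranking, and the names, addresses and the `recurse` callback are constructed for illustration.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Reduced form of the RFC 2181 section 5.4.1 ranking (higher wins)."""
    ADDITIONAL = 1    # additional-section data
    GLUE = 2          # address learned from a parent-zone referral
    ANSWER = 3        # answer section of a non-authoritative reply
    AUTH_ANSWER = 4   # answer section of an authoritative reply

class Cache:
    def __init__(self):
        self._rrs = {}  # (name, rtype) -> (rdata, Trust)

    def store(self, name, rtype, rdata, trust):
        key = (name.lower(), rtype)
        old = self._rrs.get(key)
        # Less credible data never overwrites more credible data.
        if old is None or trust >= old[1]:
            self._rrs[key] = (rdata, trust)

    def resolve(self, name, rtype, rd, recurse):
        """Return (rcode, rdata, trust).

        recurse(name, rtype) is a hypothetical stand-in for querying the
        zone's own servers; it returns None when all are unreachable.
        """
        hit = self._rrs.get((name.lower(), rtype))
        if not rd:
            # RD=0: report whatever is cached, glue included.
            return ("NOERROR",) + (hit if hit else (None, None))
        if hit and hit[1] >= Trust.ANSWER:
            return ("NOERROR",) + hit
        # RD=1 with only glue-level data (or nothing): go to the source.
        rdata = recurse(name, rtype)
        if rdata is None:
            return ("SERVFAIL", None, None)
        self.store(name, rtype, rdata, Trust.AUTH_ANSWER)
        return ("NOERROR", rdata, Trust.AUTH_ANSWER)

def all_down(name, rtype):   # constructed: every authoritative server is down
    return None

def reachable(name, rtype):  # constructed: an authoritative server answers
    return "192.0.2.53"

if __name__ == "__main__":
    c = Cache()
    c.store("ns1.example.net", "A", "192.0.2.53", Trust.GLUE)  # constructed glue
    print(c.resolve("ns1.example.net", "A", rd=False, recurse=all_down))
    print(c.resolve("ns1.example.net", "A", rd=True, recurse=all_down))
```

The model leaves out TTLs, negative caching and any retry back-off, so it does not reproduce the retry traffic described in the message.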