Again: forwarders{} and delegation in zone behavior

Dmitry E Gouriev gouriev at icenet.ru
Thu Dec 22 00:31:07 UTC 2005


Hello, Barry,
thank you for reply,

"Barry Margolin" <barmar at alum.mit.edu> wrote in message
news:barmar-6B2269.15543321122005 at comcast.dca.giganews.com...
> In article <doa6a5$17e2$1 at sf1.isc.org>,
>  "Dmitry E Gouriev" <gouriev at icenet.ru> wrote:
>
> > Hello, here is a surprised newbie question.
> >
> > Thank you for explanations.
> >
> > We all understand that FORWARDING takes precedence
> > over USAGE OF DELEGATION RECORDS, unless
> > explicitly specified by empty forwarders{} in zone{},
> > missing global forwarders in options{}, etc.
> >
> > However we (at least I) do not understand WHY.
> > Ignoring known delegation records and querying
> > major servers is a preferred default behaviour?
> >
> > Does anybody know if this is actually a good way and
> > why it is better?
>
> Forwarding is intended for when you can't communicate directly with
> Internet servers, e.g. you have a firewall that blocks DNS except
> to/from the forwarder.
>

Mmm... "Internet servers"? You definitely mean root DNS servers.
Mmm... Is it a good way that any query is passed directly to the top?

I supposed forwarding is also intended to communicate
with upstream caching DNS servers. This seems to be a
common circumstance, isn't it?

And in this case it seems to be an appropriate strategy
to try to solve the problem locally first,
querying the nearest known source servers using known RRs, and
to trouble upstream servers if and only if there are no appropriate RRs or
the nearest servers are unavailable.
The same without forwarding at all, when
the root servers are the 'upstream' servers.
Isn't it?

This way seems so natural to me :) that I could not understand
the reason for the troubles for a long time, :) and then
began to look for similar cases and found multiple hints
and talks about 'global forwarding override' :)

> What are you using forwarding for that makes you think this is
> inappropriate design?

I use it in a recursive server which is at the bottom of a pyramid
of caching recursive servers.

My server is also the authoritative source for a small number of zones.

Yes, I know that a resolving server should not be combined with
an authoritative server, but... this is not a case for a small company
to run two separate DNS servers.

Also sometimes I create virtual zones under '.' and 'in-addr.arpa'
for team training purposes (say, 'aaa.' and '10.in-addr.arpa.').
These zones are not normally delegated, of course,
and I immediately receive a complete set of 'global forwarding' troubles.
Never saw anything similar before BIND 8...

Yes, there is (now) a well-known workaround,
but why is the workaround needed at all?!

I guess that there are important circumstances in which
the 'forward only' and 'forward first' strategies are the best...
Can you please explain? I still can not imagine. - I guess
this is an influence of my very limited experience.

--
Also, a simple option like 'forward last' could increase
scalability (down as well as up) and fit anyone's needs,
couldn't it?

Regards,
Dmitry
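The 'well-known workaround' the post refers to, shown as an added named.conf example (not part of the original message or of BIND's own documentation): global forwarding is enabled in options{}, and the locally authoritative training zones from the post ('aaa.' and '10.in-addr.arpa.') carry an empty forwarders{} so that queries under them, including any delegations inside them, are resolved from the zone data and the known NS records instead of being sent upstream. The forwarder address 192.0.2.53 and the file paths are placeholders.

```conf
options {
    directory "/var/named";          // placeholder path
    recursion yes;

    // Upstream caching server(s) for everything not overridden below.
    // 'forward first' tries the forwarders and falls back to normal
    // iterative resolution only if they do not answer; 'forward only'
    // never falls back. 192.0.2.53 is a documentation-range placeholder.
    forwarders { 192.0.2.53; };
    forward first;
};

// Locally authoritative training zone (from the post). The empty
// forwarders{} turns global forwarding off for this zone and for
// every name below it, so a delegation such as 'sub.aaa.' inside
// the zone file is followed via its NS records rather than being
// pushed to the upstream forwarder, which has never heard of 'aaa.'.
zone "aaa." {
    type master;
    file "master/aaa.zone";           // placeholder path
    forwarders { };
};

// Same treatment for the private reverse zone from the post.
zone "10.in-addr.arpa." {
    type master;
    file "master/10.in-addr.arpa.zone";  // placeholder path
    forwarders { };
};

// Optional: a subtree that should go to a *different* forwarder
// (e.g. a partner's internal resolver) instead of the global one.
// 192.0.2.54 is likewise a placeholder.
zone "partner.example." {
    type forward;
    forward only;
    forwarders { 192.0.2.54; };
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading; a query for a name under 'aaa.' should then be answered locally without any traffic to 192.0.2.53.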
