about recursion and NS RR

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 4 22:59:56 UTC 2006


It's not an error. It's the hierarchical way that DNS works. You asked 
the parent server about a child zone, for which it didn't happen to be 
master or slave, so it answered, basically, "here's how to get the 
answer from the child zone's nameservers". It's called a referral. An 
iterative resolver knows to then follow that referral and ask the child 
zone's nameservers the same question. A given query can cause multiple 
levels of referrals, and that's why iterative resolution is more 
resource-intensive than recursive resolution (in the latter case, you 
just send the query and expect that resolver to do all of the work for 
you). A typical end-user device, e.g. a Wintel PC, relies on recursive 
resolution, so you should never turn off recursion on a nameserver that 
is serving such clients, unless your nameserver is authoritative for 
*all* zones containing *all* of the names that the client could 
potentially want to look up. Recursion is usually turned off only on 
nameservers whose sole function is to serve DNS data to iterative 
resolvers, e.g. delegated nameservers on the Internet.

The confusing part here is that the same record type -- NS -- is used 
both for delegating child zones from parent zones, and also to publish 
the nameservers for a given zone; the so-called "apex" NS records, which 
actually take precedence over delegating NS records if the two sets are 
found to differ. There have been proposals in the past to separate these 
record types, but apparently most of the DNS community is accustomed to 
dealing with NS having different meanings in different contexts, so 
there doesn't seem to be a lot of incentive to change things.

                                 - Kevin

Diego Woitasen wrote:

>The scenario is:
>I have one master DNS server for the mil.ar zone, with the following
>entries:
>
>ns1.ara IN      A       200.80.200.12
>ara     IN      NS      ns1.ara.mil.ar.
>        IN      NS      dibas15.diba.org.ar.
>
>and "recursion no" in named.conf.
>
>When I try to do a query with host from another machine I get an error. If
>I change to "recursion yes" it works.
>
>diegows at proxy-sat:~$ host -v -t ns ara.mil.ar 200.16.98.2
>Server: athea.ar
>Address: 200.16.98.2
>
>Query about ara.mil.ar for record types NS
>Trying ara.mil.ar ...
>Query failed, 0 answers, status: no error
>Authority information:
>ara.mil.ar              14400   IN      NS      ns1.ara.mil.ar
>ara.mil.ar              14400   IN      NS      dibas15.diba.org.ar
>Additional information:
>ns1.ara.mil.ar          14400   IN      A       200.80.200.12
>ara.mil.ar NS record currently not present at athea.ar
>diegows at proxy-sat:~$  
>
>Why does BIND provide an error if it has the information requested? The NS
>records are in the server. Doesn't BIND consider itself
>authoritative for the NS records of delegated domains?
>
>And another question: what is the difference between Answer, Authoritative
>and Additional RRs in replies?
>
>thanks...
>

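The referral-following behaviour Kevin describes, as an added example that is not part of the original thread: a toy in-memory model of a recursion-off parent server (mil.ar, holding only the delegation and glue from the post) and the child server at ns1.ara.mil.ar, plus the loop an iterative resolver runs to follow the referral. The child zone's contents (its apex NS set and a www A record) and the second server's address mapping are constructed for illustration.

```python
from collections import namedtuple
# A response reduced to what matters here: the AA flag and the three sections.
Response = namedtuple("Response", "aa answer authority additional")

# (owner, type, rdata) tuples keyed by zone apex. mil.ar mirrors the post; ara.mil.ar is constructed.
ZONES = {
    "mil.ar": [("ara.mil.ar", "NS", "ns1.ara.mil.ar"),
               ("ara.mil.ar", "NS", "dibas15.diba.org.ar"),
               ("ns1.ara.mil.ar", "A", "200.80.200.12")],        # glue
    "ara.mil.ar": [("ara.mil.ar", "NS", "ns1.ara.mil.ar"),        # apex NS set (constructed)
                   ("ns1.ara.mil.ar", "A", "200.80.200.12"),
                   ("www.ara.mil.ar", "A", "200.80.200.20")],     # constructed
}
# Which zones each non-recursive authoritative server serves.
SERVERS = {"200.16.98.2": ["mil.ar"], "200.80.200.12": ["ara.mil.ar"]}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def authoritative_lookup(server_ip, qname, qtype):
    """Reply as a recursion-off server would: AA answer, referral, or None (REFUSED)."""
    zones = [z for z in SERVERS[server_ip] if in_zone(qname, z)]
    if not zones:
        return None                       # not our zone and we will not recurse
    zone = max(zones, key=len); rrs = ZONES[zone]   # closest enclosing zone we serve
    # NS records owned by a name below the apex that encloses qname mark a zone cut.
    cuts = [o for (o, t, _) in rrs if t == "NS" and o != zone and in_zone(qname, o)]
    if cuts:
        cut = max(cuts, key=len)
        ns = [r for r in rrs if r[0] == cut and r[1] == "NS"]
        glue = [r for r in rrs if r[1] == "A" and r[0] in {rd for (_, _, rd) in ns}]
        return Response(False, [], ns, glue)          # the referral the poster saw
    return Response(True, [r for r in rrs if r[0] == qname and r[1] == qtype], [], [])

def resolve_iteratively(ip, qname, qtype, max_hops=8):
    """Follow referrals from ip until an AA answer arrives; returns (answer_rrs, hops)."""
    for hop in range(1, max_hops + 1):
        resp = authoritative_lookup(ip, qname, qtype)
        if resp is None:
            raise RuntimeError(f"{ip} refused the query for {qname}")
        if resp.aa:
            return resp.answer, hop
        glue = {o: rd for (o, t, rd) in resp.additional if t == "A"}
        next_ips = [glue[rd] for (_, _, rd) in resp.authority if rd in glue]
        if not next_ips:
            raise RuntimeError("referral without glue; NS names would need resolving first")
        ip = next_ips[0]                  # a real resolver would try the others on failure
    raise RuntimeError("too many referrals")
```

Querying the parent directly reproduces the "0 answers, status: no error" referral from the host output; the resolver loop then reaches the child and gets the apex NS set, which is the set that counts when the two differ.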
More information about the bind-users mailing list