about recursion and NS RR
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jan 4 22:59:56 UTC 2006
It's not an error. It's the hierarchical way that DNS works. You asked
the parent server about a child zone, for which it didn't happen to be
master or slave, so it answered, basically, "here's how to get the
answer from the child zone's nameservers". It's called a referral. An
iterative resolver knows to then follow that referral and ask the child
zone's nameservers the same question. A given query can cause multiple
levels of referrals, and that's why iterative resolution is more
resource-intensive than recursive resolution (in the latter case, you
just send the query and expect that resolver to do all of the work for
you). A typical end-user device, e.g. a Wintel PC, relies on recursive
resolution, so you should never turn off recursion on a nameserver that
is serving such clients, unless your nameserver is authoritative for
*all* zones containing *all* of the names that the client could
potentially want to look up. Recursion is usually turned off only on
nameservers whose sole function is to serve DNS data to iterative
resolvers, e.g. delegated nameservers on the Internet.

The confusing part here is that the same record type -- NS -- is used
both for delegating child zones from parent zones, and also to publish
the nameservers for a given zone; the so-called "apex" NS records, which
actually take precedence over delegating NS records if the two sets are
found to differ. There have been proposals in the past to separate these
record types, but apparently most of the DNS community is accustomed to
dealing with NS having different meanings in different contexts, so
there doesn't seem to be a lot of incentive to change things.

- Kevin

Diego Woitasen wrote:
>The scenario is:
>I have one master DNS server for the mil.ar zone, with the following
>entries:
>
>ns1.ara IN A 200.80.200.12
>ara IN NS ns1.ara.mil.ar.
> IN NS dibas15.diba.org.ar.
>
>and "recursion no" in named.conf.
>
>When I try to do a query with host from another machine I get an error. If
>I change to "recursion yes" it works.
>
>diegows at proxy-sat:~$ host -v -t ns ara.mil.ar 200.16.98.2
>Server: athea.ar
>Address: 200.16.98.2
>
>Query about ara.mil.ar for record types NS
>Trying ara.mil.ar ...
>Query failed, 0 answers, status: no error
>Authority information:
>ara.mil.ar 14400 IN NS ns1.ara.mil.ar
>ara.mil.ar 14400 IN NS dibas15.diba.org.ar
>Additional information:
>ns1.ara.mil.ar 14400 IN A 200.80.200.12
>ara.mil.ar NS record currently not present at athea.ar
>diegows at proxy-sat:~$
>
>Why does BIND provide an error if it has the information requested? The NS
>records are in the server. Doesn't BIND consider itself
>authoritative for the NS records of delegated domains?
>
>And another question: what is the difference between Answer, Authoritative
>and Additional RRs in replies?
>
>thanks...
>
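
An added example, not part of the original thread: a minimal Python parser that classifies a DNS response from its header flags and section counts, showing why the parent server's reply quoted above is a referral rather than an error. Both messages are constructed from the records in the quoted host output; the helper names and the child server's authoritative reply are assumptions.

```python
import struct

NS, A = 2, 1  # RR type codes

def encode_name(name):
    """Encode a domain name as uncompressed wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def rr(name, rtype, ttl, rdata):
    """Build one class-IN resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(flags, answer, authority, additional):
    """Assemble a response to 'ara.mil.ar NS' from lists of encoded records."""
    header = struct.pack("!6H", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    question = encode_name("ara.mil.ar") + struct.pack("!HH", NS, 1)
    return header + question + b"".join(answer + authority + additional)

def skip_name(msg, off):
    """Return the offset just past a possibly compressed name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]              # ordinary label
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def classify(msg):
    """Return 'answer', 'referral', 'nodata' or 'rcode N' for a response."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns):             # walk Answer, then Authority
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if flags & 0x000F:
        return "rcode %d" % (flags & 0x000F)
    if an:
        return "answer"
    if not flags & 0x0400 and NS in types[an:]:  # AA clear, NS in Authority
        return "referral"
    return "nodata"

# Constructed samples built from the records shown in the quoted host output.
NS_SET = [rr("ara.mil.ar", NS, 14400, encode_name("ns1.ara.mil.ar")),
          rr("ara.mil.ar", NS, 14400, encode_name("dibas15.diba.org.ar"))]
GLUE = [rr("ns1.ara.mil.ar", A, 14400, bytes([200, 80, 200, 12]))]
PARENT_REPLY = build_response(0x8000, [], NS_SET, GLUE)  # QR=1, AA=0, RCODE=0
CHILD_REPLY = build_response(0x8400, NS_SET, [], GLUE)   # QR=1, AA=1 (assumed)
```

`classify(PARENT_REPLY)` returns `"referral"` and `classify(CHILD_REPLY)` returns `"answer"`: the same NS records sit in the Authority section of the parent's reply and in the Answer section of the child's.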