Recursion off\forward

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 21 20:29:46 UTC 2006


1. Resolver sends a query, gets only a CNAME in the response
2. Resolver looks up the target of the CNAME and it resolves to an A record

Sure, it's more *convenient* to get the A record in the first step. But 
any fully-featured (= iterative) resolver should be able to get the A 
record "the hard way" if it needs to.

Perhaps you don't understand that a real resolver follows a whole 
*algorithm* for resolving names, which might involve several different 
lookups. A lookup tool like dig or nslookup, however, in the absence of 
any special configuration, options, etc. just does individual lookups so 
it may only be showing you *part* of the overall resolution process, a 
piece of the puzzle, as it were. You could try the +trace option to dig, 
if you want to see something more like a full DNS-resolution sequence.

- Kevin

Nick Allum wrote:
> Would someone be able to explain what "An iterative resolver has to be
> able to deal with such responses" would mean?
>
> What I am trying to do is turn off recursion, so I just have an
> advertising dns server for my domains, however some of my CNAME records
> point to some external domains which are not resolving once I set
> recursion off. I am running bind 9.2.4
>
> Thanks
> Nick
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Chris Thompson
> Sent: Wednesday, November 15, 2006 2:01 PM
> To: Bind Users Mailing List
> Subject: RE: Recursion off\forward
>
>
> On Nov 15 2006, Nick Allum wrote:
>
>   
>> I had another question within regarding "recursion off"
>>
>> If you have recursion off and you have a CNAME that points to some
>> non-authoritative domain/A Record you get a negative response.
>>     
>
> You get a response with the answer section containing the CNAME but not
> the A record, and an rcode of zero. I wouldn't call that "a negative
> response". An iterative resolver has to be able to deal with such
> responses.
>
>   
>> Is there a way to work around this? Scenario: My server is the authority
>> for abcd.com and within the abcd.com record I have the following
>>
>> Test	IN	CNAME		hdshsh.frdskfjh.com 
>>
>> For which "frdskfjh.com" I am not the authority for so when I try to 
>> lookup test.abdc.com I get a negative response. Is there a way to work 
>> around this other than using the IP vs CNAME.
>>     
>
> It seems to me that you are still asking for "recursion sometimes"
> rather than "recursion no".
>
>   
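
The two-step sequence described in the reply above, as an added Python example that is not part of the original thread. It simulates authoritative-only ("recursion no") servers with constructed zone data: the address 192.0.2.10, the `loop.example.` zone and the helper names are assumptions, and `find_zone` stands in for following referrals from the root.

```python
# Constructed zone data (not the thread's real servers): each zone is
# served by an authoritative-only server, i.e. "recursion no".
ZONES = {
    "abcd.com.": {("test.abcd.com.", "CNAME"): ["hdshsh.frdskfjh.com."]},
    "frdskfjh.com.": {("hdshsh.frdskfjh.com.", "A"): ["192.0.2.10"]},
    "loop.example.": {("a.loop.example.", "CNAME"): ["b.loop.example."],
                      ("b.loop.example.", "CNAME"): ["a.loop.example."]},
}

def find_zone(qname):
    """Stand-in for walking referrals from the root: longest matching zone."""
    hits = [z for z in ZONES if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None

def authoritative_query(zone, qname, qtype):
    """Answer only from this zone's own data, as a recursion-off server does."""
    data = ZONES[zone]
    if (qname, qtype) in data:
        return "NOERROR", [(qname, qtype, v) for v in data[(qname, qtype)]]
    if (qname, "CNAME") in data:
        # No record of qtype here: return the CNAME alone, rcode still 0.
        # This simplified server never looks up the target itself.
        return "NOERROR", [(qname, "CNAME", data[(qname, "CNAME")][0])]
    exists = any(name == qname for name, _ in data)
    return ("NOERROR" if exists else "NXDOMAIN"), []

def resolve(qname, qtype="A", max_chain=8):
    """Chase CNAMEs across servers; returns (rcode, accumulated answers)."""
    chain, seen = [], set()
    while len(seen) < max_chain:
        if qname in seen:
            raise RuntimeError("CNAME loop at " + qname)
        seen.add(qname)
        zone = find_zone(qname)
        if zone is None:
            return "SERVFAIL", chain
        rcode, answer = authoritative_query(zone, qname, qtype)
        chain += answer
        if rcode != "NOERROR" or not answer or answer[-1][1] == qtype:
            return rcode, chain
        qname = answer[-1][2]  # step 2: restart the lookup at the CNAME target
    raise RuntimeError("CNAME chain too long")

if __name__ == "__main__":
    print(authoritative_query("abcd.com.", "test.abcd.com.", "A"))  # step 1 only
    print(resolve("test.abcd.com."))  # full chain, CNAME then A
```

The single `authoritative_query` call is what one plain dig or nslookup lookup against the recursion-off server shows; `resolve` is the part a full resolver adds on top.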


