Root server cannot be a forwarder?

April xiaoxia2005a at yahoo.com
Fri Oct 20 11:41:54 UTC 2006


Kevin Darcy wrote:
> yinzhang57 at yahoo.com wrote:
> > Peter Dambier wrote:
> >
> >> yinzhang57 at yahoo.com wrote:
> >>
> >>> Heard that on a BIND root server, recursion is disabled and it will not
> >>> do recursion, therefore cannot be a forwarder?
> >>>
> >>>
> >> It depends on what you want to do.
> >>
> >> E.g. my own BIND 9.4.0b2 is my local resolver.
> >>
> >> I believe that domains I am authoritative for, cannot get cache poisoned.
> >> That is why I am slaving every important domain I can.
> >>
> >> It slaves the root too.
> >>
> >> Why?
> >>
> >> To prevent bogus queries like localhost, local, or 192.168... from
> >> escaping my network. I am authoritative for those domains.
> >>
> >> Some poor people on backwater domains have only a single nameserver.
> >> Sometimes those domains get lost. I have a local copy and I am
> >> authoritative. I need not even query for those domains.
> >>
> >> The root zone is just a very little domain compared to com, net or org.
> >> I never need to query the root-servers.
> >>
> >> I rarely need to axfr a zone. I never query those zones. So I spare
> >> them a lot of traffic.
> >>
> >> As the root is already loaded I very often drop one query level and
> >> my answers are faster.
> >>
> >> Zones I need are present locally. No query to the outside at all.
> >>
> >> But my server is not for the public. It serves locally only.
> >>
> >> If I was running a root-server for the public, I would run nothing
> >> but the root. I definitely would switch recursion off because I
> >> am not a resolver.
> >>
> >> Kind regards
> >> Peter and Karin Dambier
> >>
> >>
> >> --
> >> Peter and Karin Dambier
> >> Cesidian Root - Radice Cesidiana
> >> Von-Erthal-Strasse 4
> >> D-64646 Heppenheim
> >> +49(6252)671-788 (Telekom)
> >> +49(6252)750-308 (VoIP: sipgate.de)
> >> mail: peter at peter-dambier.de
> >> mail: peter at echnaton.serveftp.com
> >> http://iason.site.voila.fr/
> >> https://sourceforge.net/projects/iason/
> >> http://www.cesidianroot.com/
> >>
> >
> > Does a BIND root server have recursion disabled by default, so that it
> > cannot be a forwarder?
> >
> Why do you think that a root nameserver acts fundamentally different
> than a non-root nameserver? In named.conf terms, a master or slave
> definition for the root zone is really no different than a master or
> slave definition for any other zone.
>
> So, again, the answer is: being a root nameserver does not cause BIND to
> disable recursion. If you want to turn off recursion, you need to do
> that explicitly.
>
> > A Windows root server by default disable to forward, to be a forwarding
> > server.  A BIND root server will still be able to act as a forwarding
> > server?
> >
> Yes it can act as a forwarding server, subject to the caveats I gave in
> my previous message, i.e. whatever it's forwarding must be either
> delegated from the root zone, or have an appropriate zone definition at
> a lower level of the namespace tree. A root server cannot be a "general"
> forwarder, i.e. forward whatever it can't find, because anything that
> doesn't fall into one of the two categories above will be considered to
> be in the root zone, and a root nameserver will answer definitively from
> the root zone, without forwarding. This is just a special case of the
> general rule that a BIND nameserver will never forward queries which are
> in a zone for which it is authoritative.
>
>
>                                  - Kevin


Thanks Kevin.

Just to make sure I got this correctly, it seems the conclusion is that a
root BIND server can serve as either a forwarding server or a
forwarder, for specific zones or zones in general. However, both the
roles will be subject to the zones that have been defined in the
namespace in which the server serves as the root.
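
The two categories from Kevin's reply, written out as a small decision function. This is an added illustration, not code from the thread or from BIND; the zone names and the `decide` helper are constructed, and the model ignores caching and other resolver behaviour.

```python
# Simplified model of the rule stated in the quoted reply; not BIND's own logic.
# The server is assumed to be master or slave for the root zone ".".
DELEGATED_FROM_ROOT = {"com.", "org."}   # constructed: NS cuts present in the root zone data
LOWER_ZONE_DEFS = {"corp.internal."}     # constructed: zones defined below the root in named.conf


def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def is_within(name, zone):
    """True if `name` is at or below `zone` in the namespace tree."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def closest(name, zones):
    """Return the deepest zone in `zones` that encloses `name`, or None."""
    matches = [z for z in zones if is_within(name, z)]
    return max(matches, key=lambda z: len(labels(z)), default=None)


def decide(qname, recursion=True):
    """Classify a query as the reply describes for a server hosting the root zone."""
    lower = closest(qname, LOWER_ZONE_DEFS)
    if lower:
        # Category 2: a zone definition at a lower level of the tree covers the name.
        return f"handled by zone definition {lower}"
    cut = closest(qname, DELEGATED_FROM_ROOT)
    if cut:
        # Category 1: the name sits below a delegation, so it is outside the
        # root zone's own data. Recursion stays on unless explicitly disabled.
        return f"forwarded (delegated at {cut})" if recursion else f"referral to {cut}"
    # Neither category applies: the name is considered to be in the root zone.
    return "answered authoritatively from the root zone, never forwarded"


if __name__ == "__main__":
    for q in ("www.example.com", "host.corp.internal", "printer.lan"):
        print(f"{q:22} -> {decide(q)}")
```
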


