Root server cannot be a forwarder?

Joseph S D Yao jsdy at center.osis.gov
Mon Oct 23 22:40:15 UTC 2006 

On Wed, Oct 18, 2006 at 09:43:51AM -0700, yinzhang57 at yahoo.com wrote:
> Heard that on a BIND root server, recursion is disabled and it will not
> do recursion, therefore cannot be a forwarder?


Good heavens, much more heat than light on this one!


BIND is software that implements DNS, and it is written to allow people
to configure it in quite a variety of different ways.

I should note that recursion and forwarding are two completely different
things.

A name server may be configured to be an authoritative server for the
root domain (".") or not - or to be so for some queries but not for
others.  It may be configured to be a recursive resolver or not, or only
for a certain set of queries.  It may be configured to forward certain
queries to certain other name servers, or all queries to certain other
name servers, or none, and differently for different sets of queries.
So we see that these three attributes:
	- authoritative server for the root domain (".")
	- can recursively resolve
	- can forward queries to other configured servers
are not only completely independent of each other, but also may be
independently adjusted depending on the queries.

But this is only the tool.  There is also policy to consider!

If we actually are talking about root name servers, which is exactly
what the above question asks, but which certain eminent and most worthy
personages contest, there is an RFC 2870 which describes root name
server operational requirements.  It falls into the set of RFCs also
called Best Current Practices (BCP 40).  Although it is not explicit
about which internet it is discussing, it is nearly certain that it is
intended for the public Internet.  Other internets may wish to choose
useful parts from it for their own root servers.

Among other things, this RFC advises:

   2.5 Servers MUST provide authoritative responses only from the zones
       they serve.  The servers MUST disable recursive lookup,
       forwarding, or any other function that may allow them to provide
       cached answers.  They also MUST NOT provide secondary service for
       any zones other than the root and root-servers.net zones.  These
       restrictions help prevent undue load on the root servers and
       reduce the chance of their caching incorrect data.

If this is in fact the type of thing about which you are asking, you may
wish to refer to this document at
<http://www.rfc-editor.org/rfc/rfc2870.txt> or one of the many other
places at which you will find this document.  Note that some of this is
dated, and may need explanation by people who are experienced with the
current way of DNS, such as Paul Vixie, Mark Andrews, Jim Reid, Barry
Margolin, Kevin Darcy, or several others who just weren't on the page I
happened to pull up.


-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.

More information about the bind-users mailing list