Problem with allow-query-cache and additional-from-cache?

Kevin Darcy kcd at chrysler.com
Thu Jul 17 04:10:41 UTC 2008


Peter Collinson wrote:
> I've compiled and installed bind-9.5.0-28.P1.fc8.src.rpm on a couple
> machines running old Fedoras. I use these machines as secondary
> nameservers - well, their primary task is to do something else, and I am
> just using their named to secondary my main name server.
>
> The named.conf looks like:
>
> options {
> 	....
>        allow-query  { any; };
>        allow-recursion { trusted; };
>        allow-transfer  { trusted; };
>        allow-query-cache { trusted; };
> 	.....
>        additional-from-cache yes;
> };
>
> I've added the additional-from-cache here to show that it's on by default.
>
> I am getting a lot of log lines like...
>
> ...............query (cache) 'externaldomain.co.uk/A/IN' denied
>
> which are triggered by MX records in a domain for which I am
> authoritative, i.e. authoritativedomain.co.uk contains:
>
> @	IN MX 10 externaldomain.co.uk
>
> I notice that from 'outside' the named is no longer returning A records
> for externaldomain.co.uk when I look up authoritativedomain.co.uk with an
> MX lookup. I can trigger the error by doing an MX lookup for
> authoritativedomain.co.uk from elsewhere. So it looks as if
> additional-from-cache is not working the way I would expect.
>
> My reading of the documentation is that I should expect to be returning
> the A records from my cache for external domains referenced in MX records
> when additional-from-cache is 'yes'.
>
> So - question 1 - should I be worried about this? Will all external
> machines take the rejection and perform their own lookup of the domains -
> and the fix is to stop logging and worrying about this?
>
> and - question 2 - is this a bug - is my expectation correct - is
> additional-from-cache broken?
>
> and - question 3 - if I need to be worried, what can I do about it? It
> seems that pointing the MX record at a name in the authoritative.co.uk
> domain and using a CNAME to point to the real machine doesn't help. I
> guess I can replace the machine names in the MX records by IP addresses,
> but this seems to defeat the purpose of using names in the first place.
>
>   
Additional-from-cache doesn't *override* the security setting of 
allow-query-cache. For clients that are not in the "trusted" range, 
named will _try_ to provide the Additional Section A records, but 
allow-query-cache will block it. Hence the messages in the logs.

What the clients will get is a response with MX records in the Answer 
Section, but no associated A records in the Additional Section. They 
should have no problem looking up the A records, though.

If you really wanted to be nice and provide those A records in your 
responses, then you'd have to become authoritative for 
externaldomain.co.uk (i.e. slave it), so that the records aren't coming 
from cache any more.

- Kevin
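An added example, not from either poster, for sorting the log noise Peter describes: it parses named's "query (cache) ... denied" lines and separates denials for A/AAAA lookups of MX targets in a locally authoritative zone (the harmless Additional Section attempts Kevin explains) from other cache queries by untrusted clients. The log lines are constructed, and the "client addr#port:" prefix that the thread elides with dots is assumed to follow named's usual format.

```python
import re
from collections import Counter

# Constructed sample log lines; the "client addr#port:" prefix is assumed
# to match named's usual format (the thread elides it with dots).
SAMPLE_LOG = """\
17-Jul-2008 04:10:41.123 client 203.0.113.7#53124: query (cache) 'externaldomain.co.uk/A/IN' denied
17-Jul-2008 04:10:42.456 client 203.0.113.7#53125: query (cache) 'externaldomain.co.uk/AAAA/IN' denied
17-Jul-2008 04:10:43.789 client 198.51.100.9#40000: query (cache) 'example.net/A/IN' denied
17-Jul-2008 04:10:44.001 client 203.0.113.7#53126: query: authoritativedomain.co.uk IN MX - (192.0.2.1)
"""

# Names referenced as MX targets from zones this server is authoritative
# for (taken from the zone fragment in the thread).
MX_TARGETS = {"externaldomain.co.uk"}

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied"
)


def classify_denials(log_text, mx_targets):
    """Split "query (cache) ... denied" lines into two Counters keyed by
    (client ip, name, rtype): 'additional' for A/AAAA lookups of MX
    targets that named attempts for the Additional Section and then
    blocks under allow-query-cache, and 'other' for everything else
    (untrusted clients asking the cache directly)."""
    additional, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # not a denied cache query (e.g. a normal query log)
        name = m["name"].rstrip(".").lower()
        key = (m["ip"], name, m["rtype"])
        if name in mx_targets and m["rtype"] in ("A", "AAAA"):
            additional[key] += 1
        else:
            other[key] += 1
    return additional, other


if __name__ == "__main__":
    add, oth = classify_denials(SAMPLE_LOG, MX_TARGETS)
    print("Expected Additional Section denials:", sum(add.values()))
    print("Other denied cache queries:", sum(oth.values()))
    for (ip, name, rtype), n in oth.items():
        print(f"  {ip} asked the cache for {name}/{rtype} x{n}")
```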
