Delegation and recursion

[Barry Margolin]

In article <mailman.1436.1273404685.21153.bind-users at lists.isc.org>,
 Angela Perez <perez.angela7 at googlemail.com> wrote:

> Hi,
> 
> I'm just writing to confirm that I have the correct understanding of
> the relationship between delegation and recursion.
> 
> A bit of background: I'm responsible for an Internet-facing server
> that has the following requirements. It should support recursion for
> known (DMZ) clients and it should not support recursion for unknown
> clients. It should also delegate subdomains to other name servers in
> the organisation, for both known and unknown clients.
> 
> The issue is that if recursion is not allowed for external clients,
> delegation breaks (i.e. results in "No answer" from nslookup which I
> believe is a referral). Which kinda makes sense, if a query that is
> delegated to another nameserver is classified as recursive rather than
> iterative.

Queries are not "classified as recursive".  They're recursive if the the 
"Recursion desired" flag is set in the query.  Normally, this flag is 
only sent in queries sent by a stub resolver to its configured 
nameservers, or by nameservers to configured forwarders.

> The question is, what is the preferred solution to this situation i.e.
> an external facing nameserver that should not provide recursion but
> delegate some of its subdomains to other nameservers that are
> authoritative for them [subdomains].
> 
> A workaround is to set up the external nameserver as a slave for the
> subdomains but is there any better solution?

This shouldn't be necessary.  When the client nameserver gets the 
referral, it should resend the query to the subdomain's nameserver.

Is the subdomain nameserver accessible from the Internet?

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***