Answers from cache or authority section?

John Horne john.horne at plymouth.ac.uk
Tue Jun 25 15:53:14 UTC 2013


On Tue, 2013-06-25 at 10:46 -0400, Barry Margolin wrote:
>
> In addition, the authoritative answer may contain an Authority section. 
> These nameservers take precedence over the NS records from the 
> delegation -- the assumption is that the authoritative server knows its 
> domain's nameservers more reliably than the parent domain's servers.
> 
Ah. This is the bit I did not know.

Okay, so from a fresh cache the first reverse lookup will work its way
down from the root and provide an authoritative answer. The AUTHORITY
section NS records are cached. So for any subsequent reverse lookup (for
a different IP address) the resolver will use the cached name servers.
In our case these are internal and would give a timeout.

So what I now do not understand is why (at home) I can do several
reverse lookups for different IP addresses, and they all give me an
answer. Likewise if I do something like:

   dig -x 141.163.99.16 @8.8.8.8

I get a non-authoritative answer. If I repeat this for addresses
141.163.99.17, 18, 20 and so on I get answers. In all these cases
shouldn't the first lookup work and subsequent ones fail? Using Google's
name server, shouldn't it at some point have received the authoritative
answer with the AUTHORITY section NS records and so be using those
(internal) name servers for subsequent lookups?


> That seems to be where your problem is -- the NS records you're handing 
> out are not appropriate for public consumption. But they replace the NS 
> records coming from the delegation. You MUST fix this. Configuring views 
> would be a solution:
>
Unfortunately the internal servers are MS Windows name servers and they
are the masters for our reverse zone. The two secondary servers
'dns0.plymouth.ac.uk' and 'dns1.plymouth.ac.uk' are Linux servers and
are to be added to the list of authoritative NS records. This should be
a short-term solution to our problem with the external company, but I
have already stressed to management that this is not a long term
solution and that the internal servers should be just that - internal.
Ideal would be moving the reverse zone onto the Internet-facing Linux
servers. However, there is a whole load of muttering that Microsoft and
AD won't like that; it's all integrated with each other; running the DNS
zone on Linux servers will be a problem with the MS servers etc etc.

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
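An added illustration of the mismatch discussed in this thread (example code, not part of the original post and not BIND's or Microsoft's own tooling): a small Python check that parses dig-style output and compares the NS set a zone hands out in its AUTHORITY section against the parent's delegation, flagging nameservers that public resolvers cannot reach. The reverse zone name follows from the address queried in the post and the two public secondaries are those named in the post; the internal hostnames, the PTR target and all addresses are constructed placeholders, with RFC 5737 documentation addresses standing in for public ones.

```python
"""Audit the NS records a zone returns in its AUTHORITY section against the
parent's delegation. Hypothetical example; all sample records below are
constructed and the internal server names and addresses are placeholders."""
import ipaddress
import re
from collections import defaultdict

# Referral for the reverse zone as the in-addr.arpa parent would return it.
# Constructed sample: zone derived from the address in the thread, servers are
# the two public secondaries the thread names.
PARENT_DELEGATION = """\
;; AUTHORITY SECTION:
99.163.141.in-addr.arpa. 86400 IN NS dns0.plymouth.ac.uk.
99.163.141.in-addr.arpa. 86400 IN NS dns1.plymouth.ac.uk.
"""

# Authoritative answer whose AUTHORITY section lists internal (RFC 1918) servers.
# Hostnames, PTR target and addresses are placeholders, not real records.
LEAKY_ANSWER = """\
;; ANSWER SECTION:
16.99.163.141.in-addr.arpa. 3600 IN PTR host16.example.invalid.

;; AUTHORITY SECTION:
99.163.141.in-addr.arpa. 3600 IN NS ad-dns-1.internal.invalid.
99.163.141.in-addr.arpa. 3600 IN NS ad-dns-2.internal.invalid.

;; ADDITIONAL SECTION:
ad-dns-1.internal.invalid. 3600 IN A 10.0.0.53
ad-dns-2.internal.invalid. 3600 IN A 192.168.1.53
"""

# Same answer once the zone's NS set matches the delegation. Glue uses
# RFC 5737 documentation addresses as stand-ins for real public ones.
FIXED_ANSWER = """\
;; ANSWER SECTION:
16.99.163.141.in-addr.arpa. 3600 IN PTR host16.example.invalid.

;; AUTHORITY SECTION:
99.163.141.in-addr.arpa. 3600 IN NS dns0.plymouth.ac.uk.
99.163.141.in-addr.arpa. 3600 IN NS dns1.plymouth.ac.uk.

;; ADDITIONAL SECTION:
dns0.plymouth.ac.uk. 3600 IN A 192.0.2.53
dns1.plymouth.ac.uk. 3600 IN A 192.0.2.54
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")

# Ranges a public resolver cannot reach: RFC 1918, loopback, link-local, ULA.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_presentation(text):
    """Parse dig-style output into {section: [(owner, ttl, type, rdata), ...]}."""
    sections = defaultdict(list)
    current = "ANSWER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append(
                (owner.lower().rstrip("."), int(ttl), rtype, rdata.lower().rstrip(".")))
    return sections


def ns_names(sections, section="AUTHORITY"):
    """Set of nameserver hostnames from the NS records in one section."""
    return {rdata for _, _, rtype, rdata in sections[section] if rtype == "NS"}


def glue_addresses(sections):
    """Map hostname -> addresses from A/AAAA records in the ADDITIONAL section."""
    addrs = defaultdict(list)
    for owner, _, rtype, rdata in sections["ADDITIONAL"]:
        if rtype in ("A", "AAAA"):
            addrs[owner].append(ipaddress.ip_address(rdata))
    return addrs


def is_non_public(ip):
    """True if the address falls in a range unreachable from the public Internet."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in NON_PUBLIC)


def audit_authority_ns(delegation_text, answer_text):
    """Explain why a resolver that caches the child's AUTHORITY NS set would
    lose the ability to query the zone. Returns a list of findings; an empty
    list means the NS set matches the delegation and is publicly reachable."""
    delegated = ns_names(parse_presentation(delegation_text))
    answer = parse_presentation(answer_text)
    authority = ns_names(answer)
    glue = glue_addresses(answer)
    findings = []
    for ns in sorted(authority - delegated):
        findings.append(f"NS {ns} is in AUTHORITY but not in the parent delegation")
    for ns in sorted(authority):
        for ip in glue.get(ns, []):
            if is_non_public(ip):
                findings.append(f"NS {ns} resolves to non-public address {ip}")
    for ns in sorted(delegated - authority):
        findings.append(f"delegated NS {ns} absent from AUTHORITY, so caches replace it")
    return findings


if __name__ == "__main__":
    for label, answer in (("leaky", LEAKY_ANSWER), ("fixed", FIXED_ANSWER)):
        print(label, audit_authority_ns(PARENT_DELEGATION, answer) or ["ok"])
```

Run against real data by pasting the parent referral (`dig +norecurse NS <zone> @<parent server>`) and the zone's own answer (`dig -x <address> @<authoritative server>`) into the two strings; a non-empty finding list is the condition the thread describes, where the first lookup succeeds and later ones time out once the cached NS set points at internal servers.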
