recursion yes/no?

Evan Hunt each at isc.org
Tue Jan 24 20:12:11 UTC 2023 

On Tue, Jan 24, 2023 at 04:48:34PM -0000, David Carvalho via bind-users wrote:
> Hello.
> 
> I hope someone could help to understand the following.
> 
> I have "my.domain.pt" and a master and slave server for the "my" part. I
> have been using "recursion yes" in both named.conf, as I want them to be
> both authoritative and cache for my clients.
> 
> Last week I migrated my slave DNS server to version 9.16 and only today,
> after having issues with the primary server migration, I realized that for
> most queries, my slave DNS does not answer the "ADDITIONAL SECTION" unless I
> specify "+norec" with the dig command.

You didn't mention what version you were upgrading from, but I guess 9.11,
because the default setting of "minimal-responses" was changed in 9.12. It
used to default to "no", but it now defaults to "no-auth-recursive". From
the ARM:

  minimal-responses takes one of four values:

   -  no: the server is as complete as possible when generating responses.
   -  yes: the server only adds records to the authority and additional
      sections when such records are required by the DNS protocol (for
      example, when returning delegations or negative responses). This
      provides the best server performance but may result in more client
      queries.
   -  no-auth: the server omits records from the authority section except
      when they are required, but it may still add records to the
      additional section.
   -  no-auth-recursive: the same as no-auth when recursion is requested
      in the query (RD=1), or the same as no if recursion is not requested.

   no-auth and no-auth-recursive are useful when answering stub
   clients, which usually ignore the authority section.
   no-auth-recursive is meant for use in mixed-mode servers that
   handle both authoritative and recursive queries.

So when recursion is requested in the query, the server omits the NS
records from the authority section, and if there's no NS records then
there won't need to be corresponding A or AAAA records in the additional
section.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list