[sf-lug] pdns-recursor

Rick Moen rick at linuxmafia.com
Sun May 16 14:50:55 PDT 2010


Quoting Alex Kleider (a_kleider at yahoo.com):

> 
> A bit more clarification please: 
> 
> dns queries can be iterative ('polite') or recursive ('demand' a definitive answer vs just a referral.) Assuming the foregoing to be correct, what exactly is ment by a "recursive dns server?"

A recursive DNS server is one that honours the intended meaning of the
'recursion desired' (RD) bit, when that bit is set on an arriving query.

The RD bit means 'I, the system originating this query, would like you,
the nameserver receiving it, to follow delegation chains on my behalf as
far as necessary, and respond only when you have the ultimate answer,
rather than just an intermediate one.'

A query that has the RD bit UNset is dubbed an iterative query.

A functional definition of 'recursive DNS server' thus might be 'any DNS
nameserver to which you send a query with the RD bit, and for which the
server doesn't already have the ultimate answer in cache, which
thereupon comes back with the desired answer after pursuing the
delegation chain'.


> From what I've read, the implication is that a 'recursive server'
> (e.g. unbound) is a name server that is willing to _accept_ recursive
> requests but itself uses _iteration_ (so in that sense is
> 'iterative') to get the answer to the recursive request. 

No, that is not right.

Let's say you asked for resolution of uncle-enzo.linuxmafia.com using a
query with the RD bit set.  Let's suppose your query goes to a
nameserver that is unwilling/unable to do recursion, ie., that is an
iterative server.  Also, let's suppose the nameserver has a depleted
cache (because, e.g., it's just been fired up).

Put in English-language terms, your conversation would go like this:

Q:  What is uncle-enzo.linuxmafia.com?  [Query would have the RD bit set.]
A:  I don't know.   [Answer would have the 'recursion available' = RA
    bit UNset.]

Q:  OK, then can you get the root nameservers? 
A:  Sure:  [list of 13 nameservers including a.root-servers.net]

Q:  OK, then can you get from that set the nameservers for .com ?
A:  Sure:  [list of 13 nameservers including a.gtld-servers.net]

Q:  OK, then can you get from that set the nameservers for linuxmafia.com?
A:  Sure:  [list of 5 nameservers including ns1.linuxmafia.com]

Q:  OK, can you ask ns1.linuxmafia.com what uncle-enzo.linuxmafia.com is?
A:  198.144.195.186


The same conversion with a recursive nameserver is shorter:

Q:  What is uncle-enzo.linuxmafia.com?  [Query would have the RD bit set.]
A:  198.144.195.186  [Answer would have the RA bit set.]



If you direct that same query at a machine doing authoritative DNS only,
and you're asking about _anything other than_ the domains it's publishing
authoritative DNS for, then you get a whole lot of no information.

Q:  What is uncle-enzo.linuxmafia.com?  [Query would have the RD bit set.]
A:  I don't know that. [Answer would have the RA bit UNset.]

Q:  OK, then can you get the root nameservers?
A:  I don't know that.  [Answer would have the RA bit UNset.]


Here's an example of the latter.  First, I find out which three
nameservers Bank of America uses for its own bankofamerica.com domain. 
For security and performance reasons, those three authoritative servers
answer _only_ queries about the domain for which it's authoritative.  
Notice the 'I don't know that' answer I get when I ask one of them about
uncle-enzo.linuxmafia.com:


$ dig -t ns bankofamerica.com +short
ns1.bankofamerica.com.
ns3.bankofamerica.com.
ns4.bankofamerica.com.

$ dig uncle-enzo.linuxmafia.com @ns1.bankofamerica.com.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38605
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; AUTHORITY SECTION:
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
$





More information about the sf-lug mailing list