[sf-lug] pdns-recursor
Alex Kleider
a_kleider at yahoo.com
Sun May 16 15:19:59 PDT 2010
Once again: thank you, Rick.
I thought I had it all figured out and almost didn't post the question; glad I did.
cheers, alex
--- On Sun, 5/16/10, Rick Moen <rick at linuxmafia.com> wrote:
> From: Rick Moen <rick at linuxmafia.com>
> Subject: Re: [sf-lug] pdns-recursor
> To: "Linux userGroup" <sf-lug at linuxmafia.com>
> Date: Sunday, May 16, 2010, 2:50 PM
> Quoting Alex Kleider (a_kleider at yahoo.com):
>
> > A bit more clarification please:
> >
> > dns queries can be iterative ('polite') or recursive ('demand' a
> > definitive answer vs just a referral.) Assuming the foregoing to be
> > correct, what exactly is meant by a "recursive dns server?"
>
> A recursive DNS server is one that honours the intended meaning of the
> 'recursion desired' (RD) bit, when that bit is set on an arriving query.
>
> The RD bit means 'I, the system originating this query, would like you,
> the nameserver receiving it, to follow delegation chains on my behalf as
> far as necessary, and respond only when you have the ultimate answer,
> rather than just an intermediate one.'
>
> A query that has the RD bit UNset is dubbed an iterative query.
>
> A functional definition of 'recursive DNS server' thus might be 'any DNS
> nameserver to which you send a query with the RD bit, and for which the
> server doesn't already have the ultimate answer in cache, which thereupon
> comes back with the desired answer after pursuing the delegation chain'.
>
>
> > From what I've read, the implication is that a 'recursive server'
> > (e.g. unbound) is a name server that is willing to _accept_ recursive
> > requests but itself uses _iteration_ (so in that sense is
> > 'iterative') to get the answer to the recursive request.
>
> No, that is not right.
>
> Let's say you asked for resolution of uncle-enzo.linuxmafia.com using a
> query with the RD bit set. Let's suppose your query goes to a
> nameserver that is unwilling/unable to do recursion, i.e., that is an
> iterative server. Also, let's suppose the nameserver has a depleted
> cache (because, e.g., it's just been fired up).
>
> Put in English-language terms, your conversation would go like this:
>
> Q: What is uncle-enzo.linuxmafia.com? [Query would have the RD bit set.]
> A: I don't know. [Answer would have the 'recursion available' = RA
>    bit UNset.]
>
> Q: OK, then can you get the root nameservers?
> A: Sure: [list of 13 nameservers including a.root-servers.net]
>
> Q: OK, then can you get from that set the nameservers for .com ?
> A: Sure: [list of 13 nameservers including a.gtld-servers.net]
>
> Q: OK, then can you get from that set the nameservers for linuxmafia.com?
> A: Sure: [list of 5 nameservers including ns1.linuxmafia.com]
>
> Q: OK, can you ask ns1.linuxmafia.com what uncle-enzo.linuxmafia.com is?
> A: 198.144.195.186
>
>
> The same conversation with a recursive nameserver is shorter:
>
> Q: What is uncle-enzo.linuxmafia.com? [Query would have the RD bit set.]
> A: 198.144.195.186 [Answer would have the RA bit set.]
>
>
>
> If you direct that same query at a machine doing authoritative DNS only,
> and you're asking about _anything other than_ the domains it's publishing
> authoritative DNS for, then you get a whole lot of no information.
>
> Q: What is uncle-enzo.linuxmafia.com? [Query would have the RD bit set.]
> A: I don't know that. [Answer would have the RA bit UNset.]
>
> Q: OK, then can you get the root nameservers?
> A: I don't know that. [Answer would have the RA bit UNset.]
>
>
> Here's an example of the latter. First, I find out which three
> nameservers Bank of America uses for its own bankofamerica.com domain.
> For security and performance reasons, those three authoritative servers
> answer _only_ queries about the domain for which they're authoritative.
> Notice the 'I don't know that' answer I get when I ask one of them about
> uncle-enzo.linuxmafia.com:
>
>
> $ dig -t ns bankofamerica.com +short
> ns1.bankofamerica.com.
> ns3.bankofamerica.com.
> ns4.bankofamerica.com.
>
> $ dig uncle-enzo.linuxmafia.com @ns1.bankofamerica.com.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38605
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; AUTHORITY SECTION:
> .                       3600000 IN      NS      H.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      F.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      G.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      I.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      M.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      L.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      C.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      J.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      E.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      B.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      D.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      A.ROOT-SERVERS.NET.
> .                       3600000 IN      NS      K.ROOT-SERVERS.NET.
> $
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
>
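The RD/RA handshake and the referral walk that Rick describes above, as an added example (it is not code from the thread, nor from pdns-recursor or unbound): it builds a query with the RD bit set, recognises from a response header the condition that dig reports as "recursion requested but not available", and then does the root-to-authoritative walk that a recursive server performs on a client's behalf, over a small in-memory delegation tree. The tree, the server names, the response packets and the address are constructed for illustration; the hostnames echo Rick's example but nothing here is looked up on the network.

```python
"""DNS recursion flags (RD/RA) and the referral walk behind a recursive server.

Added example for the thread above, not code from the list, pdns-recursor
or unbound. The delegation tree, server names, response packets and the
address below are constructed for illustration.
"""
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR = 0x8000  # packet is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired: set by the client
RA = 0x0080  # recursion available: set by a server willing to recurse
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS label sequence ending in the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Wire-format A/IN query; rd=True sets RD, which dig does by default."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into the fields dig prints on its flags line."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def reply_header(query: bytes, *, ra: bool, rcode: int = 0,
                 ancount: int = 0, nscount: int = 0) -> bytes:
    """Response header for a query: echoes ID and RD, sets QR, and sets RA only
    when the answering server is willing to recurse (constructed, no payload)."""
    q = parse_header(query)
    flags = QR | (RD if q["rd"] else 0) | (RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, nscount, 0)


def recursion_refused(query: bytes, response: bytes) -> bool:
    """The condition behind dig's 'recursion requested but not available':
    the client set RD and the reply came back with RA clear."""
    q, r = parse_header(query), parse_header(response)
    return q["rd"] and r["qr"] and not r["ra"]


# Constructed delegation tree. Each authoritative-only server knows its own
# zone's records and the NS sets of the zones it delegates, nothing else.
SERVER_ZONE = {"a.root-servers.net.": ".", "a.gtld-servers.net.": "com.",
               "ns1.linuxmafia.com.": "linuxmafia.com."}
ZONES = {
    ".": {"delegations": {"com.": ["a.gtld-servers.net."]}, "records": {}},
    "com.": {"delegations": {"linuxmafia.com.": ["ns1.linuxmafia.com."]}, "records": {}},
    "linuxmafia.com.": {"delegations": {},
                        "records": {"uncle-enzo.linuxmafia.com.": "198.144.195.186"}},
}


def authoritative_reply(server: str, qname: str) -> tuple:
    """What an authoritative-only server says: an answer from its own zone,
    a referral for a delegated child, else 'unknown' (Rick's 'I don't know that')."""
    zone = ZONES[SERVER_ZONE[server]]
    if qname in zone["records"]:
        return "answer", zone["records"][qname]
    for child, nameservers in zone["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "referral", nameservers
    return "unknown", None


def resolve_iteratively(qname: str, start=("a.root-servers.net.",)) -> tuple:
    """The work a recursive server does for an RD query: start at the root and
    follow referrals until an authoritative answer or a dead end.
    Returns (address or None, trail of (server, reply kind))."""
    trail, servers = [], list(start)
    for _ in range(16):  # bound the walk so a looping delegation cannot spin forever
        kind, payload = authoritative_reply(servers[0], qname)
        trail.append((servers[0], kind))
        if kind == "referral":
            servers = payload
            continue
        return (payload if kind == "answer" else None), trail
    raise RuntimeError("delegation loop while resolving " + qname)


if __name__ == "__main__":
    q = build_query("uncle-enzo.linuxmafia.com.")
    print("authoritative-only reply refuses recursion:",
          recursion_refused(q, reply_header(q, ra=False, nscount=13)))
    addr, trail = resolve_iteratively("uncle-enzo.linuxmafia.com.")
    for server, kind in trail:
        print(f"  {server:<24} -> {kind}")
    print("answer:", addr)
```

Run as a script, it prints the three-hop trail (root referral, .com referral, authoritative answer) that the recursive server hides from the client behind a single RA-flagged reply. The RA bit is also the thing to watch from the operator's side: a server that sets RA for queries from arbitrary clients is an open recursive resolver, which is why the Bank of America servers in the dig output answer only for their own zone, and why pdns-recursor (allow-from) and unbound (access-control) both expect the set of clients allowed to recurse to be restricted.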