Re: peventing dns cache from answering queries

To:	Peter Dambier <peter@cesidianroot.com>
Subject:	Re: peventing dns cache from answering queries
From:	Dean Anderson <dean@av8.com>
Date:	Thu, 7 Jun 2007 00:31:05 -0400 (EDT)
Cc:	dns@list.cr.yp.to
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	gmail-djbdns@securepoint.com
Delivered-to:	sp.com.list@gmail.com
Delivered-to:	mailing list dns@list.cr.yp.to
In-reply-to:	<4667167B.3080906@cesidianroot.com>
Mailing-list:	contact dns-help@list.cr.yp.to; run by ezmlm

On Wed, 6 Jun 2007, Peter Dambier wrote:

> There are two problems.
> 
> 1) Only an autoritative nameserver (tinydns, axfrdns) can refuse
>     recursion but dnscache is never authoritative.

True for the servers you name. But the difference between a recursor and
authority server is only the enabling/implementation of recursion, and
the presence of authority zones. Some people do have authority servers
recurse for them.  BIND, PowerDNS, etc can be configured to do this.  
There are some good reasons _not_ to do this, but there are some reasons
_to_ do it, too.  I do it, but I hesitate to recommend others do it.  
The primary advantage of such a setup is that DNS for your key domains
won't fail when/if you fall off the internet, doesn't fail internally if
your Domain fee is unpaid, etc.  By contrast, if you have all clients
talk to a strict recursor like dnscache, it will have to get a
referral(s) to resolve names even in your own domains on startup. By
pointing clients at the recursion/authority servers, you don't need to
get referrals from the roots, etc to get things going internally.  I
have authority servers either recurse or forward the request to a
recursor (e.g. powerdns -> dnscache).  I like to have DNS for internal
domains working early on restart.  [although, one might also be able to
prime the recursor cache with the right records, but I've never tried
that]

So, I think it would be 'strange, but possible' to have a recursor give
out a referral on a per-domain basis, with recursion on the others. I'm
still wondering the "why", though. But I can't think of any (eg RFC)
reason for "can't", except the lack of actual implementations that "do".

> 2) No client / nameserver who can do his own recursive nameresolution
>     will ever ask dnscache.

Yes. I didn't think of that. Good catch.

But I think we are missing something in the requirement for the original
problem.  Some more information would be helpful.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

<Prev in Thread]	Current Thread	[Next in Thread>
peventing dns cache from answering queries, gustavo . rios Re: peventing dns cache from answering queries, Dean Anderson Re: peventing dns cache from answering queries, Peter Dambier Re: peventing dns cache from answering queries, Dean Anderson <= Re: peventing dns cache from answering queries, Jeremy Kitchen

Previous by Date:	Re: peventing dns cache from answering queries, Jeremy Kitchen
Next by Date:	redirecting time service, Chris Smith
Previous by Thread:	Re: peventing dns cache from answering queries, Peter Dambier
Next by Thread:	Re: peventing dns cache from answering queries, Jeremy Kitchen
Indexes:	[Date] [Thread] [Top] [All Lists]