In message <756753830.5253999.1447625854773.javamail.ya...@mail.yahoo.com>,
Gordon Freeman writes:
> option: auth-nxdomain
> 
> I see the default for this is no, but what exactly are the ramifications
> of setting this to yes?

RFC 1034 or RFC 1035 stated that NXDOMAIN will always be authoritative
(can't remember which).  Setting this to yes allows clients that
look for the "aa" bit on NXDOMAIN to accept the answer.  Modern
nameservers set the "aa" bit to reflect if this is an authoritative
answer (aa=1) or a cached answer (aa=0).  This really hasn't been
an issue in decades.

> I have a tiered architecture for name servers, where down-level servers
> do forwarding for unknown domains.  Will setting auth-nxdomain to yes
> prevent continual forwarding of queries of non-existent domain names?  
> 
> I'm hoping the answer is yes, so that once an NXDOMAIN response is
> received by the name server, it will not forward repeated queries for
> that same name, at least for as long as the negative cache TTL.  Thanks.

Named does that by default.  Not all authoritative sources however
provide a cacheable negative answer.

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
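
Added example, not part of the original message and not ISC code: a minimal Python check of the two things this thread discusses, the "aa" bit on an NXDOMAIN response and whether the response carries an SOA that makes it negatively cacheable (RFC 2308 uses the lesser of the SOA record's TTL and its MINIMUM field). The helper names and the sample messages are constructed for illustration.

```python
import struct

TYPE_SOA = 6  # RCODE 3 in the header flags is NXDOMAIN

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify_negative(msg):
    """Return (rcode, aa, negative_ttl); negative_ttl is None without an SOA."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    neg_ttl = None
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == TYPE_SOA:        # SOA in the authority section
            # MINIMUM is the last of the five 32-bit fields in SOA RDATA
            minimum = struct.unpack("!I", msg[off + rdlen - 4:off + rdlen])[0]
            neg_ttl = min(ttl, minimum)
        off += rdlen
    return rcode, aa, neg_ttl

def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\0"

def build(flags, soa=None):
    """Constructed NXDOMAIN response (not captured traffic); soa=(ttl, minimum)."""
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 1 if soa else 0, 0)
    msg += name("nope.example.") + struct.pack("!HH", 1, 1)
    if soa:
        rdata = (name("ns.example.") + name("admin.example.")
                 + struct.pack("!5I", 1, 7200, 900, 604800, soa[1]))
        msg += name("example.") + struct.pack("!HHIH", TYPE_SOA, 1, soa[0], len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for flags, soa in ((0x8403, (3600, 300)), (0x8183, (120, 300)), (0x8403, None)):
        print(hex(flags), classify_negative(build(flags, soa)))
```

A `negative_ttl` of `None` marks an NXDOMAIN with no SOA in the authority section, which RFC 2308 says should not be cached, so a forwarder will keep re-sending that query upstream.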