Re: per-zone-recursion?

[Joerg Dorchain]

On Mon, Oct 04, 2010 at 11:30:03AM +0200, Kalman Feher wrote:
  
  probably it was not thought because it's wrong.
  
  This point is getting religious now, IMHO.
 Bear in mind that your rationale is based on getting an inaccessible DNS
 server to return information that a client has correctly asked for. I can't
 imagine a situation where there'll be a strong desire to codify that kind of
 set up. If your DNS server is not accessible to clients that need to query
 it for data, your set up is wrong. That isn't religious, that is practical
 reality. 

I was more with with lack of arguments or explanations. So thank
you for writing a few words about it. I am completely with you
for all practical aspects. However, I am still surprised that
reverse-proxy-functionality causes that much irritation. For
other protocols, esp. in the days of NAT, it is common practice,
although most likely still not a clean design.

  
  less palatable option:
  
  1. Make the other DNS software available on another IP. So normal DNS
  behaviour works.
  
  Hm, this is not too easy in practice, but of course optimal solution.
  IPv6 will help here, I hope.
  
  I don't think this will solve the problem, it will just be a workaround for
  it.
  
  With IPv6, I see much better chances of having more than one
  address available, which would make the best architectural solution
  a practical one as well.
 I think you need to consider your architectural design in a different light.
 Address availability is not your problem. Your solution seems to be a work
 around built on a work around. Ask yourself: am I using DNS to fix a
 problem or shortcoming in another system?. If yes, fix the other system
 instead. 

Yes, this a fix for undesired behaviour of another system, if
you want to put it like this. Unfortunately, the other system is
out of influence. 

I was wondering if there is an easy support in bind for this kind
of situation. Obviously, there is none. No problem with that. It
is a cornercase, and, as you (and others) pointed out,  not a
clean design anyway.
At least, I appreciate the clear view how things should be. If
you think it is abuse the transport real-time data with DNS, I am
ok with that.
Maybe studying the sources helps me for practical matters.

 To be more accurate, the reasons people think they need a TTL of 0 indicate
 they are using DNS incorrectly. Often it is an attempt at working around the
 restrictions of other systems. Hence the guess at load balancing. What data
 are you providing that changes second to second and must be provided using
 DNS? 

I am thinking of situations where no real connectivity is
available but just DNS, and am currently trying to find out how
well bind combines with anything-over-dns implementations. Hence
the separate server software.

Bye,

Joerg
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: per-zone-recursion?

[Kalman Feher]

On 1/10/10 9:15 AM, Joerg Dorchain jo...@dorchain.net wrote:

 On Thu, Sep 30, 2010 at 07:13:11PM -0400, Kevin Darcy wrote:
 Per-zone recursion control doesn't exist in BIND, because frankly it
 doesn't make sense.
 
 I used to think that, too, until I came to my specific problem.
 
 Either a zone type is meaningless *without* recursion (type forward,
 type stub), or recursion is *unnecessary* because the nameserver
 answers from authoritative data (type master, type slave).
 
 Exactly. Up to here I completely agree.
 
 Put another way, have you thought through exactly what you want to
 happen if a client queries something not specifically carved out for
 recursion, e.g. isc.org?
 
 Yes. To explain my setup further, there is a view based on
 src-IPs for some clients, where recursion is turned on.
 The rest of the world gets non-recursive answers, e.g. with
 authoritative data, or refused.
 
 In case of that specfic forward zone, bind answers in the
 non-recursive case with a referal to itself (there is only one
 public IP), which is causing a loop, as there is no way to
 specify a different port in the DNS protocol (AFAIK)
This is the problem and the reason I agree with Kevin.  The referral is
correct behaviour. Your DNS set up is wrong. You have 2 choices and a third
less palatable option:

1. Make the other DNS software available on another IP. So normal DNS
behaviour works.

2. Add the zone as a slave within your authoritative view. (this option may
be the easiest for your situation).

3. recursive view with forwards to both your authoritative view and the
dynamic subdomain. I think this solution is silly and will be problematic to
maintain, but its likely to suite your needs exactly.


 
 The response from a BIND instance, when recursion is denied or not
 requested, is always either (as per Section 4.3.1 of RFC 1034):
 a) an answer from authoritative data,
 b) an answer from cache
 c) a negative-caching response,
 d) a (0 answers) referral, or
 e) some sort of non-response, like an error (SERVFAIL) or an
 administrative rejection of the query (REFUSED)
 
 If (a) doesn't apply (because not authoritative) and neither does
 (b) (because how can answers be cached in the first place if
 recursion is being denied?), that leaves (c) through (e), none of
 which are particularly useful to the client. So you might as well
 REFUSE queries outside of zones for which recursion is not
 explicitly enabled. Configure allow-query { none; }; as the
 default followed by specific exceptions for the zones you want to
 open up, e.g., dynsup.example.net.
 
 You have summarized my thoughts very well. At this point I found
 out that the current grammar for bind does not allow to combine
 type forward; with an allow-query (or allow-recursion).
 
 A quick look at the sources also showed that forward zones are
 implemented differently than real zones like master or slave.
 
 This way I came to the point where I am wondering if it is
 possible to configure bind either
 - do recursion on a per-zone base for forward zones, as the
   currently implemented criteria (src-ip, dst-ip, recursion flag)
   do not cover my case in an obvious way
 - forward queries to a specific destination and the answers back,
   acting as a reverse-proxy without too much intelligence.
 
 Bye,
 
 Joerg
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
Kal Feher 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: per-zone-recursion?

[Joerg Dorchain]

On Fri, Oct 01, 2010 at 11:25:31AM +0200, Kalman Feher wrote:
  Yes. To explain my setup further, there is a view based on
  src-IPs for some clients, where recursion is turned on.
  The rest of the world gets non-recursive answers, e.g. with
  authoritative data, or refused.
  
  In case of that specfic forward zone, bind answers in the
  non-recursive case with a referal to itself (there is only one
  public IP), which is causing a loop, as there is no way to
  specify a different port in the DNS protocol (AFAIK)
 This is the problem and the reason I agree with Kevin.  The referral is
 correct behaviour. Your DNS set up is wrong. You have 2 choices and a third

Well, I could agree agree that wrong means not thought of by
RfC-Designers and bind implementators (yet).

 less palatable option:
 
 1. Make the other DNS software available on another IP. So normal DNS
 behaviour works.

Hm, this is not too easy in practice, but of course optimal solution.
IPv6 will help here, I hope.
 
 2. Add the zone as a slave within your authoritative view. (this option may
 be the easiest for your situation).

Not feasible as it contains dynamically generated content,
typically with a TTL of 0.
 
 3. recursive view with forwards to both your authoritative view and the
 dynamic subdomain. I think this solution is silly and will be problematic to
 maintain, but its likely to suite your needs exactly.

Hm, I have to think about that. As said, I do not want to give
recursive answers to the whole world. It sounds like a hack, though.

The more I am into the problem, the more I come to the point
where I like to have some sort of query switch, i.e. something
that redirects queries for a certain domain to one address, and
other queries to other servers. It would be great if it would be part
of bind.

Bye,

Joerg


signature.asc
Description: Digital signature
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: per-zone-recursion?

[Matus UHLAR - fantomas]

   Yes. To explain my setup further, there is a view based on
   src-IPs for some clients, where recursion is turned on.
   The rest of the world gets non-recursive answers, e.g. with
   authoritative data, or refused.
   
   In case of that specfic forward zone, bind answers in the
   non-recursive case with a referal to itself (there is only one
   public IP), which is causing a loop, as there is no way to
   specify a different port in the DNS protocol (AFAIK)

 On Fri, Oct 01, 2010 at 11:25:31AM +0200, Kalman Feher wrote:
  This is the problem and the reason I agree with Kevin.  The referral is
  correct behaviour. Your DNS set up is wrong. You have 2 choices and a third

On 01.10.10 12:39, Joerg Dorchain wrote:
 Well, I could agree agree that wrong means not thought of by
 RfC-Designers and bind implementators (yet).

probably it was not thought because it's wrong. 

  less palatable option:
  
  1. Make the other DNS software available on another IP. So normal DNS
  behaviour works.
 
 Hm, this is not too easy in practice, but of course optimal solution.
 IPv6 will help here, I hope.

I don't think this will solve the problem, it will just be a workaround for
it.

  2. Add the zone as a slave within your authoritative view. (this option may
  be the easiest for your situation).
 
 Not feasible as it contains dynamically generated content,
 typically with a TTL of 0.

this strongly indicates that there's something broken in your DNS. The DNS
is not designed to provide anything that short-lived, the whole DNS
architecture is based on cachind.

Are you doing any kind of DNS-based load balancing?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: per-zone-recursion?

[Joerg Dorchain]

On Fri, Oct 01, 2010 at 05:39:16PM +0200, Matus UHLAR - fantomas wrote:
 
 On 01.10.10 12:39, Joerg Dorchain wrote:
  Well, I could agree agree that wrong means not thought of by
  RfC-Designers and bind implementators (yet).
 
 probably it was not thought because it's wrong. 

This point is getting religious now, IMHO.
 
   less palatable option:
   
   1. Make the other DNS software available on another IP. So normal DNS
   behaviour works.
  
  Hm, this is not too easy in practice, but of course optimal solution.
  IPv6 will help here, I hope.
 
 I don't think this will solve the problem, it will just be a workaround for
 it.

With IPv6, I see much better chances of having more than one
address available, which would make the best architectural solution
a practical one as well.
 
   2. Add the zone as a slave within your authoritative view. (this option 
   may
   be the easiest for your situation).
  
  Not feasible as it contains dynamically generated content,
  typically with a TTL of 0.
 
 this strongly indicates that there's something broken in your DNS. The DNS
 is not designed to provide anything that short-lived, the whole DNS
 architecture is based on cachind.

Yes, DNS works best with caching. I know that this setup is a
corner case and very individual (If would had two public IPs then
I would be fine)

To be a bit polemic, if you think it is wrong, TTL of 0 should be
forbidden, I suppose.
 
 Are you doing any kind of DNS-based load balancing?

No, then multiple A records or so would be just fine.

Bye,

Joerg


signature.asc
Description: Digital signature
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

per-zone-recursion?

[Joerg Dorchain]

Hello,

I am puzzled with a bind config for a kind of dns-reverse-proxy situation.

I have a server with only one public IP addresse, bind running on
port 53 of it.
This bind serves examples.net. A subdomain dynsub.example.net
should be served on some other software answering DNS request
with dynamically generated answers.

I can create a forward zone like this
zone dynsup.example.net {
  type forward;
  forward only;
  forwarders { 127.0.0.1 port 5353; };
};

which works fine in the way that it forwards all queries to and
all answers from the other DNS software running on port 5353, but
- this is problem - only if the view with the statement allows
recursion.

For several reasons I do not want to answer all queries for all
domains recursivly, just those for that one zone.

When I turn recursion off, bind answers with a referal to itself
(glue records work ;-), which in this case is not helpful.

Does anybody have an idea on how I can persuade bind to answer
only this zone recusivly?

TIA,

Joerg



signature.asc
Description: Digital signature
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: per-zone-recursion?

[Kevin Darcy]

Per-zone recursion control doesn't exist in BIND, because frankly it 
doesn't make sense.


Either a zone type is meaningless *without* recursion (type forward, 
type stub), or recursion is *unnecessary* because the nameserver answers 
from authoritative data (type master, type slave).


Put another way, have you thought through exactly what you want to 
happen if a client queries something not specifically carved out for 
recursion, e.g. isc.org?


The response from a BIND instance, when recursion is denied or not 
requested, is always either (as per Section 4.3.1 of RFC 1034):

a) an answer from authoritative data,
b) an answer from cache
c) a negative-caching response,
d) a (0 answers) referral, or
e) some sort of non-response, like an error (SERVFAIL) or an 
administrative rejection of the query (REFUSED)


If (a) doesn't apply (because not authoritative) and neither does (b) 
(because how can answers be cached in the first place if recursion is 
being denied?), that leaves (c) through (e), none of which are 
particularly useful to the client. So you might as well REFUSE queries 
outside of zones for which recursion is not explicitly enabled. 
Configure allow-query { none; }; as the default followed by specific 
exceptions for the zones you want to open up, e.g., dynsup.example.net.




- Kevin


On 9/30/2010 5:09 AM, Joerg Dorchain wrote:

Hello,

I am puzzled with a bind config for a kind of dns-reverse-proxy situation.

I have a server with only one public IP addresse, bind running on
port 53 of it.
This bind serves examples.net. A subdomain dynsub.example.net
should be served on some other software answering DNS request
with dynamically generated answers.

I can create a forward zone like this
zone dynsup.example.net {
   type forward;
   forward only;
   forwarders { 127.0.0.1 port 5353; };
};

which works fine in the way that it forwards all queries to and
all answers from the other DNS software running on port 5353, but
- this is problem - only if the view with the statement allows
recursion.

For several reasons I do not want to answer all queries for all
domains recursivly, just those for that one zone.

When I turn recursion off, bind answers with a referal to itself
(glue records work ;-), which in this case is not helpful.

Does anybody have an idea on how I can persuade bind to answer
only this zone recusivly?

TIA,

Joerg

   



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users