Re: Slightly OT: DNS force client to use authoritative
On Mon, Dec 18, 2006 at 12:45:19PM -0800, Karl R. Balsmeier wrote:
> Is there a specific way to set a name server so that clients are always
> *forced* to use an authoritative name server?

What exactly do you mean? What are you trying to achieve?

The DNS architecture looks like this:

    application
        |
        | (lib call)
        v
    resolver  --  cache  -----------  authoritative
    (client)      (recursive server)  server

The resolver has a hard-coded list of IP addresses of caches that it will use, typically only two. It sends the query to one of these, trying another if there is no response. The cache then looks at the domain name in the query, locates an authoritative server which contains that zone, and sends on the query. The response comes back, the cache keeps a copy, and passes it back to the resolver.

There's a bit of a terminology problem here; each DNS transaction is a client-server exchange, so the cache is a client when talking to the authoritative server, and is a server when talking to the resolver. But by clients I presume you mean resolvers.

However, DNS resolver libraries don't have the ability to locate authoritative servers by following NS records. This is analogous to E-mail client programs: they don't have the ability to locate target E-mail servers by following MX records, so they just send all their outgoing mail to a fixed smarthost machine.

So I don't think your question has any meaning. Resolvers only know how to talk to caches, so if you forced them to talk only to authoritative nameservers, they would not be able to communicate at all (*).

If you want a machine to run independently of any upstream DNS cache, then you can run a cache locally on that machine, and point the resolver at 127.0.0.1. But you still have not changed the architecture: the resolver is still using a cache, which just happens to be on the same machine.

Brian.

(*) Except for the special case where the cache is also authoritative for some zone, and the query happens to be for that zone.
Re: Slightly OT: DNS force client to use authoritative
On 12/18/06, Karl R. Balsmeier [EMAIL PROTECTED] wrote:
> Is there a specific way to set a name server so that clients are always
> *forced* to use an authoritative name server? UltraDNS and some others
> have mentioned little features they have, but it hints at the
> possibility that somewhere in the DNS spec.

Or perhaps you're thinking of the RES_AAONLY option for the resolver routines documented in resolver(3)?

    RES_AAONLY    Accept authoritative answers only.  With this option,
                  res_send() should continue until it finds an
                  authoritative answer or finds an error.  Currently
                  this is not implemented.

No one actually implements that because it would increase the load on the DNS and the latency for applications without providing any real benefit to them.

Philip Guenther
Slightly OT: DNS force client to use authoritative
Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server? UltraDNS and some others have mentioned little features they have, but it hints at the possibility that somewhere in the DNS spec.

-krb
Re: Slightly OT: DNS force client to use authoritative
On 12/18/06, Karl R. Balsmeier [EMAIL PROTECTED] wrote:
> Is there a specific way to set a name server so that clients are always
> *forced* to use an authoritative name server?

Clients can not (or at least, should not) talk directly to authoritative name servers. Clients make their DNS requests with the recursion desired bit set, and should only speak to recursive resolvers. Those recursive resolvers make their requests without the recursion desired bit set and speak to authoritative servers, starting with the root servers.

Some DNS servers, such as BIND, can run in both roles simultaneously with a single daemon. Others, such as djbdns, run separate servers for each type of service (tinydns for authoritative, dnscache for a recursive resolver).

-- 
Jon
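As an added illustration of the points made by Brian (resolver, cache and authoritative server are separate roles), Philip (the RES_AAONLY "accept authoritative answers only" policy) and Jon (the recursion desired bit), here is a small Python example that is not from the thread: it builds a DNS query header with or without RD and applies the AA-only acceptance check to two constructed response headers (sample bytes, not captured traffic).

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired: set by stub resolvers, clear in a cache's own queries
RA = 0x0080  # recursion available: set by caches, clear from authoritative-only servers

def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """Build a one-question DNS query (qtype 1 = A). A stub resolver sets RD;
    a cache walking the delegation chain toward authoritative servers leaves it clear."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR counts
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_flags(msg):
    """Decode the id and flag bits from the 12-byte header of a DNS message."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x0F}

def accept_aa_only(query, response):
    """The policy RES_AAONLY describes: accept a response only if it answers our
    query id, is a reply, is not an error, and carries the AA bit."""
    q, r = parse_flags(query), parse_flags(response)
    return r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["aa"]

# Constructed sample response headers (answer sections omitted; the flags are what matters here).
QUERY = build_query("example.com")
FROM_CACHE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)  # cache: RA set, AA clear
FROM_AUTH = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)        # authoritative: AA set, RA clear

if __name__ == "__main__":
    print("stub query has RD set:", parse_flags(QUERY)["rd"])
    print("cache answer passes AA-only check:", accept_aa_only(QUERY, FROM_CACHE))
    print("authoritative answer passes AA-only check:", accept_aa_only(QUERY, FROM_AUTH))
```

Note that a stub resolver which insisted on AA would reject every answer its configured cache returns, which is the point Brian and Philip make about why the option has no meaning in practice.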
Re: Slightly OT: DNS force client to use authoritative
On Monday, December 18, 2006, 15:45:19, Karl R. Balsmeier wrote:
> Is there a specific way to set a name server so that clients are always
> *forced* to use an authoritative name server?

What do you mean by an authoritative name server? There is no single name server which is authoritative for every host in existence.

Are you asking about BIND's delegation-only option?

-- 
Rod Dorman [EMAIL PROTECTED]
The avalanche has already started, it is too late for the pebbles to vote. - Ambassador Kosh