Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server?
UltraDNS and some others have mentioned little features they have, but it only hints at the possibility that somewhere in the DNS spec.
-karlski
> Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server?
> UltraDNS and some others have mentioned little features they have, but it only hints at the possibility that somewhere in the DNS spec.
Are you trying to make sure that the clients do not use cached lookups? If so you could use max-cache-ttl and max-ncache-ttl with a very low ttl like 1 second. Although then you still have a problem with the client itself caching the lookup.
Matthew Martz wrote:
> > Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server?
> > UltraDNS and some others have mentioned little features they have, but it only hints at the possibility that somewhere in the DNS spec.
> Are you trying to make sure that the clients do not use cached lookups? If so you could use max-cache-ttl and max-ncache-ttl with a very low ttl like 1 second. Although then you still have a problem with the client itself caching the lookup.
More such that the client can cache it, but not a 'server in between', *only* the authoritative box... Hopefully that makes sense, I'm basically asking on behalf of our CTO and just mentioned your question... The answer to which is yes, trying to not use cached lookups.... Trying to pick through the proposals and determine what it is they (ultradns and Savvis ITM features are relying on)...
-karlski
On Monday 18 December 2006 12:52 pm, Karl R. Balsmeier wrote:
> More such that the client can cache it, but not a 'server in between', *only* the authoritative box... Hopefully that makes sense, I'm basically asking on behalf of our CTO and just mentioned your question... The answer to which is yes, trying to not use cached lookups.... Trying to pick through the proposals and determine what it is they (ultradns and Savvis ITM features are relying on)...
So what you want to do is for _every_ lookup not already in your cache you'd want to do separate non-recursive lookups at each nameserver (try the "dig +trace example.com" command to see what I mean) instead of one recursive lookup?
Sure if you can find or write a resolver that'll ask the nameservers the right questions; it's got nothing to do with the DNS servers; they just supply (or fail to supply) the record they're asked for.
You can ask the question on bind-users but be prepared to be flamed.
Jeff
On Fri, 2006-12-22 at 08:25 -0800, Jeff Lasman wrote:
> > More such that the client can cache it, but not a 'server in between', *only* the authoritative box... Hopefully that makes sense, I'm basically asking on behalf of our CTO and just mentioned your question... The answer to which is yes, trying to not use cached lookups.... Trying to pick through the proposals and determine what it is they (ultradns and Savvis ITM features are relying on)...
> So what you want to do is for _every_ lookup not already in your cache you'd want to do separate non-recursive lookups at each nameserver (try the "dig +trace example.com" command to see what I mean) instead of one recursive lookup?
> Sure if you can find or write a resolver that'll ask the nameservers the right questions; it's got nothing to do with the DNS servers; they just supply (or fail to supply) the record they're asked for.
> You can ask the question on bind-users but be prepared to be flamed.
This is a fairly anti-social thing to do since you'll be unnecessarily bothering the authoritative servers (and probably walking down to them from the root servers) for every answer instead of using the caching infrastructure designed and put in place to avoid this load.
On Friday 22 December 2006 11:03 am, Les Mikesell wrote:
> This is a fairly anti-social thing to do since you'll be unnecessarily bothering the authoritative servers (and probably walking down to them from the root servers) for every answer instead of using the caching infrastructure designed and put in place to avoid this load.
I agree; that's why I wrote "prepare to be flamed".
Jeff
Karl R. Balsmeier wrote:
> Is there a specific way to set a name server so that clients are always *forced* to use an authoritative name server?
> UltraDNS and some others have mentioned little features they have, but it only hints at the possibility that somewhere in the DNS spec.
I don't know what clients you are talking about but those clients need to be able to follow referrals. With named, you can turn off recursion support. It will then refer clients to the next appropriate authority like the root servers who will, in turn, refer them to the appropriate name servers and so on until an authoritative name server is reached.
I hope this is what you want.
Feizhou wrote:
> I don't know what clients you are talking about but those clients need to be able to follow referrals. With named, you can turn off recursion support. It will then refer clients to the next appropriate authority like the root servers who will, in turn, refer them to the appropriate name servers and so on until an authoritative name server is reached.
Nope. Clients don't need to be able to follow referrals. Clients (resolver libraries) are allowed to be dumb and require a DNS server that will do recursive lookup for them.
Aleksandar Milivojevic wrote:
> Feizhou wrote:
> > I don't know what clients you are talking about but those clients need to be able to follow referrals. With named, you can turn off recursion support. It will then refer clients to the next appropriate authority like the root servers who will, in turn, refer them to the appropriate name servers and so on until an authoritative name server is reached.
> Nope. Clients don't need to be able to follow referrals. Clients (resolver libraries) are allowed to be dumb and require a DNS server that will do recursive lookup for them.
For his stated purpose yes they do: "that clients are always *forced* to use an authoritative name server". I take that to mean that those clients will be able to go ask an authoritative server which means they need to be able to find the authoritative server and that means following referrals.
Feizhou wrote:
> For his stated purpose yes they do: "that clients are always *forced* to use an authoritative name server". I take that to mean that those clients will be able to go ask an authoritative server which means they need to be able to find the authoritative server and that means following referrals.
Yeah. But the problem is (in my experience) that people sometimes want clients to get authoritative answers for cosmetic reasons, not realizing some of their clients have crippled resolvers, and then they get into trouble. It is best to let the name server do the resolving (and deal with the problems on that level).
> Yeah. But the problem is (in my experience) that people sometimes want clients to get authoritative answers for cosmetic reasons, not realizing some of their clients have crippled resolvers, and then they get into trouble. It is best to let the name server do the resolving (and deal with the problems on that level).
Hence my 'I hope this is what you want'. I think djb's dns resolver library does this but I am not sure.
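Added example, not part of the original thread or any poster's code: a small offline simulation of the two behaviours discussed above, a client that follows referrals from the root until a server answers authoritatively (what `dig +trace` shows) versus a caching recursive server in between. The server names, the delegation tree, the `192.0.2.10` address and the `aa`/`upstream_queries` fields are all constructed for illustration.

```python
# Constructed delegation tree standing in for real name servers; all names and
# the 192.0.2.10 address are made up, and no network traffic is sent.
SERVERS = {
    "root":        {"delegations": {"com.": "tld-com"}},
    "tld-com":     {"delegations": {"example.com.": "ns1-example"}},
    "ns1-example": {"records": {"www.example.com.": "192.0.2.10"}},
}

def query(server, qname):
    """Non-recursive query: authoritative data (aa=True) or a referral (aa=False)."""
    data = SERVERS[server]
    if qname in data.get("records", {}):
        return {"aa": True, "answer": data["records"][qname], "referral": None}
    zones = [z for z in data.get("delegations", {}) if qname.endswith("." + z)]
    if zones:  # the most specific delegation wins
        return {"aa": False, "answer": None,
                "referral": data["delegations"][max(zones, key=len)]}
    return {"aa": True, "answer": None, "referral": None}  # authoritative "no such name"

def resolve_iteratively(qname, start="root", max_hops=8):
    """Follow referrals until a server answers with aa=True; return (answer, path)."""
    server, path = start, []
    for _ in range(max_hops):
        path.append(server)
        resp = query(server, qname)
        if resp["aa"]:
            return resp["answer"], path
        server = resp["referral"]
    raise RuntimeError("delegation chain longer than max_hops")

class CachingResolver:
    """Recursive server: walks the tree on a cache miss, then serves from cache."""
    def __init__(self):
        self.cache = {}

    def query(self, qname):
        upstream = 0
        if qname not in self.cache:
            self.cache[qname], path = resolve_iteratively(qname)
            upstream = len(path)
        # aa stays False: the client is not talking to the authoritative server
        return {"aa": False, "answer": self.cache[qname], "upstream_queries": upstream}

if __name__ == "__main__":
    print(resolve_iteratively("www.example.com."))
    cache = CachingResolver()
    print(cache.query("www.example.com."), cache.query("www.example.com."))
```

The referral-following client asks three servers on every lookup, while the caching resolver asks them once and then answers with no upstream queries, which is the load difference raised in the thread.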