[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

George Barwood george.barwood at blueyonder.co.uk
Fri May 20 05:14:24 UTC 2011


----- Original Message ----- 
From: "Matthew Pounsett" <matt at conundrum.com>
To: "Carlos Vicente" <cvicente.lists at gmail.com>
Cc: <dns-operations at mail.dns-oarc.net>; <bind-users at lists.isc.org>
Sent: Friday, May 20, 2011 1:08 AM
Subject: Re: [dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses


> 
> While it's possible you have encountered a bug with BIND, it's generally a bad idea to mix recursive and authoritative service in the same process. 

Ok, yes, in practical terms it's questionable, depending on what your constraints are.

> The RFCs that define the resolution algorithms were never written with mixed service in mind, and there are conflicts that can result in undefined, and therefore unpredictable, behaviours.   It will be hard to determine which you're seeing without more specific information about the configuration of the servers in question (e.g. which zones they're actually authoritative for).  

But I disagree with your reasoning here. The reason is that software implementations often have bugs (as here),
or high loads may affect resources affecting the stability of one service or the other. There is a clear distinction between
recursive and non-recursive service, and there is no problem in principle with providing both services on a single server.
The conceptual model is simply "if RD is set, send the request to the (logical) recursive server, otherwise send
the request to the (logical) authoritative server".
 
> You will particularly run into problems if you ever intend to do DNSSEC validation on these name servers.. it just won't work.

Well if it doesn't, that's an erroneous implementation or the load being too high.

George ( bind-users trimmed )
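
The RD-based dispatch described in the message above, as an added example that is not part of the original post and not BIND's code. The function names, the "drop" outcome for short packets and responses, and the sample packets are assumptions constructed for illustration.

```python
import struct

QR_MASK = 0x8000  # set on responses; a front end should only dispatch queries
RD_MASK = 0x0100  # Recursion Desired bit in the DNS header flags word


def build_query(qid, name, rd):
    """Constructed sample input: a minimal A/IN query in DNS wire format."""
    flags = RD_MASK if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def route(packet):
    """Pick the logical server for a packet: 'recursive', 'authoritative' or 'drop'."""
    if len(packet) < 12:
        return "drop"  # shorter than the fixed 12-byte DNS header
    _qid, flags = struct.unpack("!HH", packet[:4])
    if flags & QR_MASK:
        return "drop"  # a response arriving on the query path
    # The conceptual model from the message: RD alone selects the service.
    return "recursive" if flags & RD_MASK else "authoritative"


if __name__ == "__main__":
    samples = {
        "stub resolver query (RD=1)": build_query(1, "example.com", True),
        "iterative query (RD=0)": build_query(2, "example.com", False),
        "truncated packet": b"\x00" * 5,
        "stray response": struct.pack("!HHHHHH", 3, 0x8180, 1, 0, 0, 0),
    }
    for label, pkt in samples.items():
        print(f"{label}: {route(pkt)}")
```
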


