In article <c1p590$v89$1 at sf1.isc.org>,
When you specify +norec, it answers with whatever it has in its cache,
which in this case is the delegation records that came from the parent
domain's servers.

When you request recursion, it checks whether the cached information
came from an authoritative server. If not, it tries to ask the
authoritative servers.

I'm not sure why the recursive query is failing for you, though. I have
no problem querying any of the authoritative nameservers. However, it's
notable that your second dig returned the NS records in the Authority
Section rather than the Answer Section, and didn't include the glue A
records in the Additional Section. What version of BIND are you running
on the server?

Ladislav> I have issued the dig directly from the server.

Ladislav> [dxbins1:/]#dig ns af.mil @192.168.8.91

Ladislav> ;; connection timed out; no servers could be reached

Ladislav> [dxbins1:/]#dig ns af.mil @192.168.8.91 +norec

Ladislav> ... referral answer snipped ....

There will probably be a firewall or router in front of 192.168.8.91
that's blocking recursive DNS queries. This would not be unreasonable
if the administrator of 192.168.8.91 didn't want that server to handle
recursive DNS queries.

I am assuming you work for an ISP... I would bet that one
of your customers was attempting to do something nasty on
a US Air Force system and tripped one or more of the IDSs.
Therefore your entire block of IPs probably got blocked
at the AF perimeter.
__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools

Ladislav> I don't expect many this time, since as I have noticed isc
Ladislav> support became commercial, and post by person directly
Ladislav> from isc team in this 'still free mailing list' has
Ladislav> become so rare since that time....

Well what would you prefer Mark Andrews to do, answer questions here
when others are already answering them or work on the BIND code? Which
of these two things is the more important? BTW, ISC has been offering
commercial support for some time now and there has been no change to
the frequency of ISC postings here since then. There are probably
other reasons why Mark has been quieter than usual recently. For
example, there has recently been a bunch of new BIND releases and
there's a BIND9.3 in beta right now.....

Ladislav> will this list be considered now for "general help desk
Ladislav> questions" ?

You can consider this list to be whatever you like. The guarantees on
any information and response times in the list are worth what you're
paying for them. If you have a mission-critical DNS infrastructure --
and who doesn't? -- perhaps you should have a support contract that
reflects this instead of relying on the goodwill of the BIND user
mailing lists?

Ladislav> I personally think bind is great product and isc.org
Ladislav> great company, but feeling sad from the selective
Ladislav> approach perhaps isc is going to acquire now, about what
Ladislav> should be answered for free and what is going to be "3rd
Ladislav> line support" and people in the mailing list will never
Ladislav> see it, correct me if I am wrong

ISC is not a commercial software company. It gives its software away
for free. ISC even permits others to build commercial products on top
of it for free. ISC relies on donations to pay its staff, provide
computers and bandwidth for downloads, get electricity in its offices,
etc, etc. The programmers who bring us BIND have families to support
and bills to pay. Offering commercial support is (a) a service many
people want to buy; (b) a way of diversifying and extending ISC's
funding base. Both of these have to be Very Good Things.

Managements like to know all their hardware and software is covered by
support contracts, if only for the peace of mind. Anyone who can pay
for a BIND support contract should do that. Even if they don't really
need the support. What they'd then be doing is helping to sustain BIND
development by funding ISC. That's in everyone's best interests.

Ladislav> when you ask for ANY with a client with rd flag it
Ladislav> doesn't provide a records with cridibilityy level
Ladislav> 'glue', it returnsI believe only 'answer' and
Ladislav> 'authanswer' credibility,

No it doesn't: whatever "it" is. Maybe some other DNS implementation
might do something like that, but BIND clearly doesn't. The output
from the OP's dig postings showed that. As does the output for
ladislav.name.ae below.

BTW, the setting of header bits other than aa -- authoritative answer
-- are irrelevant to this discussion. All the rd bit does is tell the
server that's being queried that the client would like the server to
do recursion for them. Whether the server does that or not is a policy
decision. Most TLD servers have recursion disabled for obvious
reasons. [In fact no authoritative server should offer recursive
service, but that's a story for another time.] So when anything sets
the rd bit and queries the .com name servers (say), all they'll get
back is a referral to the delegated zone's name servers because the
.com name servers won't resolve www.google.com or whatever.

Ladislav> my point is how come the glue
Ladislav> from the parent is considered as a 'answer' credibility
Ladislav> in the mentioned case.

An answer is an answer. BIND's credibility ranking determines whether
certain responses are more trustworthy than others. For instance, the
Answer Section of an authoritative reply from an authoritative name
server is more believable than something in the Additional Section of
non-authoritative answer. This credibility ranking determines what
data goes in BIND's cache and how/when it gets replaced.

Data of low credibility can be cached -- after all it's better than
nothing -- but may well get displaced later by more credible data as a
name server comes across "better data" during routine operations. For
instance, it'll cache the referral info from a TLD: say the NS and any
glue records for google.com returned by the .com servers. This
response from the .com name servers is of course non-authoritative
because they don't serve google.com. But if the local name server then
looks up www.google.com, it'll query one of google.com's servers. This
should provide an answer that also includes definitive, authoritative
data about google.com's name servers and their addresses. That data
will be more credible than the referral data that was stored earlier.
So the old cached data gets displaced by the newer, more trustworthy
info from the google.com servers.

A QTYPE of ANY means "give me any records you have for this name".
That's all. So whatever is in the server's cache for that name gets
returned. This might or might not be all the RRs that exist for the
name. The response might or might not be authoritative. The data could
even be of different credibility weighting: a name's MX records might
have came from the Answer Section of an authoritative reply, but an A
or AAAA record for that name came from a referral or the Additional
Section of some other reply.

You seem to be under the impression that BIND's credibility weighting
to response data determines how it will resolve some query. It
doesn't. The server doesn't say to itself "I've only cached lowest
credibility data for this incoming query. Let's go and hunt for
definitive data from the zone's authoritatve servers and return that
to the client." The server answers from its cache if that has data
that will answer the query: credibility weighting doesn't come into
it. Otherwise it resolves the name, caches the responses during
resolving before returning an answer.

Ladislav> I have a sample domain ladislav.name.ae it has 5 fake
Ladislav> unreachable nameservers, there is no way you can get
Ladislav> them with rd flag using ANY or NS type, since they are
Ladislav> in the cache only as a glue.

So what?

Here's what I get when I lookup this domain:

% dig ladislav.name.ae any

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59905
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;ladislav.name.ae. IN ANY

;; ANSWER SECTION:
ladislav.name.ae. 10800 IN NS fake5.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake1.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake2.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake3.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake4.ladislav.name.ae.

;; AUTHORITY SECTION:
ladislav.name.ae. 10800 IN NS fake3.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake4.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake5.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake1.ladislav.name.ae.
ladislav.name.ae. 10800 IN NS fake2.ladislav.name.ae.

;; ADDITIONAL SECTION:
fake1.ladislav.name.ae. 10800 IN A 10.1.1.1
fake2.ladislav.name.ae. 10800 IN A 10.2.2.2
fake3.ladislav.name.ae. 10800 IN A 10.3.3.3
fake4.ladislav.name.ae. 10800 IN A 10.4.4.4
fake5.ladislav.name.ae. 10800 IN A 10.5.5.5

;; Query time: 2596 msec

Note the long query time. The Answer Section contains your zone's NS
records and the A records for the glue is in the Additional Section. This
is how things are expected to be. So no surprises there then. Note too
that my server didn't try to query your servers for more info about
ladislav.name.ae. The referral was enough to populate my server's
cache with data, albeit not the most credible data, and so answer the
query I made with dig.

% dig fake1.ladislav.name.ae any

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;fake1.ladislav.name.ae. IN ANY

;; ANSWER SECTION:
fake1.ladislav.name.ae. 10684 IN A 10.1.1.1

;; AUTHORITY SECTION:
ladislav.name.ae. 10684 IN NS fake3.ladislav.name.ae.
ladislav.name.ae. 10684 IN NS fake4.ladislav.name.ae.
ladislav.name.ae. 10684 IN NS fake5.ladislav.name.ae.
ladislav.name.ae. 10684 IN NS fake1.ladislav.name.ae.
ladislav.name.ae. 10684 IN NS fake2.ladislav.name.ae.

;; ADDITIONAL SECTION:
fake2.ladislav.name.ae. 10684 IN A 10.2.2.2
fake3.ladislav.name.ae. 10684 IN A 10.3.3.3
fake4.ladislav.name.ae. 10684 IN A 10.4.4.4
fake5.ladislav.name.ae. 10684 IN A 10.5.5.5

;; Query time: 12 msec

Note the query time now. This is a local lookup. There's no attempt to
query these bogus name servers of yours. My server is answering
non-authoritatively from its cache. You can also see that from the
lower TTLs. My server is returning the glue record for
fake1.ladislav.name.ae that it cached from the previous lookup.

Ladislav> This seemed confusing to me, how come the answer from
Ladislav> the parent is sometimes considered answer and sometimes
Ladislav> as a glue?

An answer that you call "glue" -- it's actually a referral -- is still
an answer.

Ladislav> Does it depend on the rr type is NS records a different ?

Of course not. There is nothing magical about queries or answers for
NS records. In fact, name servers almost never query for NS records
explicitly. They learn about the NS records and the corresponding A or
AAAA records for some zone in the course of resolving.

Ladislav> what's so special about ANY?

Nothing. You just don't seem to understand what it means. A QYTPE of
ANY means "give me whatever RRs you have for this name". That's all.
See my earlier posting for more info.

Ladislav> Why any recursive servers don't do it's best to satisfy
Ladislav> the recursive client with the reply from the authoritative
Ladislav> server, that's why we call it recursive right?

Wrong. We call it recursive because the server is able to recursively
make iterative queries to resolve a query on behalf of some client.
It doesn't mean the server does that: it can answer from its cache
which might or might not have been populated with data returned from
earlier queries to authoritative servers. No assumptions can or should
be made about how a recursive server provides answers. It should of
course interrogate authoritative servers when nothing has been
cached. But that cannot be guaranteed. And even if it does query
authoritative servers, the answer might not be correct. The DNS is
loosely coupled remember. It can take time for a zone's authoritative
servers to converge on the same copy of the zone data after the zone
gets updated. They don't all update the zone simultaneously.

You seem to think that an ANY QTYPE means a server must retrieve every
RR for the name. That's not the case. In fact this is impossible. The
master server could change the RRs immediately after answering your
hypothetical EVERY query before that reply gets back to the client.
It's not even the case that a server must query an authoritative
server in order to respond to an ANY query.

Remember too that one of the key strengths of the DNS is caching. In
some sense this means that recursive servers are lazy. They'll answer
from cache every time unless there's nothing relevant in the cache and
they're forced to resolve something. This is why people need to think
carefully about TTL values. How many times have we seen postings here
where there's been a long-lived TTL for a web or mail server that then
gets renumbered and the poster whines that traffic still goes to the
old address even though they've updated the zone?

Ladislav> to do this kind of work for the
Ladislav> client, how can it take answer from the parent and
Ladislav> consider the task done?

Because that's how the DNS works.

Ladislav> I have problem with ladislav.name.ae

.... snipped ....

This appears to be either a wierd local set-up or else you have a
misunderstanding of what's going on.

Ladislav> It does, jim, and I have to say it, your reply is
Ladislav> incorrect, bind 8.3.4 and 9.3.0beta4 and 9.2.3 all of
Ladislav> these are reluctant to provide the answers to recursive
Ladislav> client if it cached with credibility *glue*.

If that's the case, please explain why my BIND9.3 server is perfectly
happy to return the glue it got for fake1.ladislav.name.ae after it
had cached a referral for ladislav.name.ae. That was clearly shown in
my earlier posting.

Ladislav> I have done some troubleshooting, and seems that there
Ladislav> are discrepancies amongst different bind servers how
Ladislav> they treat non-authoritative records let's call it glue,

No, let's call it "non-authoritative records". Glue is a specific
technical term that has a specific meaning.

Anyway, I'm not continuing this discussion as I've got nothing to add
to what I've already said.

Ladislav> firewall will limit only total traffic or static clients
Ladislav> (you have to configure in source ip), it will not
Ladislav> dynamically limit each random customer. It means
Ladislav> basically that the service will be non-responsive for
Ladislav> all, if the total traffic is exceeded.

You obviously haven't understood what I posted. A firewall doesn't
only completely block unwanted traffic. Some firewalls *do* provide
rate limiting. As, of course, do routers.

Ladislav> The rate limiting per customer or per ip is basic thing
Ladislav> that already many applications are using, apache,
Ladislav> sendmail, sunone, iplanet... have you noticed it ?

Of course. However an HTTP or SMTP transaction is a very different
beast from a DNS transaction.
Ladislav> Customers doing what they want, if bind can rate limit
Ladislav> them, they will ofcourse re-evaluate their behaviour,
Ladislav> because they will be forced to do it.

This is nonsense. First of all, the customers are probably not "doing
what they want". They're most likely doing what their ISP told them to
do a long time ago. Presumably neither the ISP or the customer at that
time had a clue about DNS operations and the pointless stupidity of
forwarding. [If they had, they wouldn't have configured a forwarding
setup.] The customers may well be blissfully unaware that their
forwarding name servers are pounding incessantly on the ISP's
server. The customers may well be running ancient DNS code. So they
could have name servers that don't implement negative caching asking
for the same non-existent names over and over again.

Ladislav> Since bind doesn't care about it, nobody cares, saying
Ladislav> that router will solve it? Will the router ensure that
Ladislav> *each* *random* customer will have let's say bw for
Ladislav> 20/req per second and not more, just think about it.

How someone choses to configure rate limiting on their routers is up
to them. In all likelihood, the excessive traffic will be coming from
a small number of IP addresses, so it would be trivial to make the
router rate-limit that traffic while not impeding the rest. Not that
rate limiting is the answer anyway. Applications and resolvers
sometimes do evil and stupid things when they get no response from the
DNS.

PS: I said in my earlier posting that anyone who wanted to see rate
limiting in BIND should feel free to contribute code. Since you seem
to think rate limiting DNS queries is a desirable thing to do, go
ahead. Implement it.

Ladislav> well, and I see you reply is very general one, have you
Ladislav> ever try to do such a thing?

No, but I know people who *have* to do this and discussed approaches
to rate limiting with them.

Ladislav> I was talking about dynamic rate limiting

Nobody else was. The OP was talking about query rate limiting hooks
for BIND. There was no mention of dynamic rate limiting. Until you
raised this non sequitur.

Ladislav> Most of the fw/routers don't support dynamic rate
Ladislav> limiting, and many developers know it and their
Ladislav> applications implement it, since it is a must today for
Ladislav> big public environements.

This is utterly irrelevant to the original discussion. DNS service is
not an application in the same sense as an HTTP or SMTP server is an
application. The same goes for the respective protocols. And as I
already said, BIND does not have hooks for limiting inbound
queries. For DNS queries That job is best done by a router in front of
the name server.

Ladislav> hmm, what is small for you, do you know that today
Ladislav> almost everybody has at least isdn,dsl,cable ? Do you
Ladislav> know that to fill the recursive-client queue on bind is
Ladislav> a piece of cake even for analog dial-up user? Do you
Ladislav> know, that bind doesn't even bother to log this or give
Ladislav> you a hint why and who doing this?

<scarcasm mode>
No. What's dsl? Do you mean to say a name server needs to be
configured and tuned for the environment where it gets deployed?
Fancy that!
</scarcasm mode>

Nicolas> Is there a good way to monitore the life about Root
Nicolas> Server ? (ping ? dig ? other ?) in order to be warn
Nicolas> when there is a problem.
Ladislav> it might be very simple way of saying you have a world
Ladislav> connectivity problems, I was doing it as well, maybe I
Ladislav> am still doing it, I have to check :-)

No you don't and this is not a good way of checking for "world
connectivity problems". Many of the root servers do anycasting. The
same IP address (well /24) is announced from many places on the
internet at once. So a poor RTT to one of these servers could be a
local routing or peering problem that has no bearing on a site's
"world connectivity". For example, there's an instance of the K root
server at Doha in Qatar. [See http://k.root-servers.org.] If your ISP
doesn't peer -- exchange routing info -- at that internet exchange,
queries from your net to k.root-servers.net could be going to London
or Frankfurt or....

Ladislav> when you run recursive servers, it might get very bussy
Ladislav> when the world connectivity is not there, it is very
Ladislav> difficult on current binds to figure out why it is
Ladislav> bussy, you can just guess, why you recursive queue is
Ladislav> full, it might be really different reasons, maybe single
Ladislav> nasty user, maybe lot of users with viruses, maybe
Ladislav> normal users but world connectivity problem....

So what? I fail to see how battering on the root servers can possibly
give someone any sort of insight into how busy or loaded their local
name servers are.

Ladislav> if you know immediatelly that you have this kind of
Ladislav> connectivity problems, you might possibly do some
Ladislav> action, like disable recursion, reload, and serve the
Ladislav> requests from the cache only, which is basically imho
Ladislav> better than having completely over-utilized server with
Ladislav> completely non-responsive service.

None of this is in any way relevant to monitoring the status of root
servers.

As I said before, DNS administrators should focus on making sure
*their* name servers were configured and operated correctly. This
would be much more helpful to everyone and a better use of resources
than monitoring the health of the root servers which are already
provisioned, configured and operated properly, as well as continually
monitored.