Re: forward first: iterative or recursive query

2011-05-06 Thread Kevin Darcy

On 5/6/2011 6:40 AM, iharrathi@orange-ftgroup.com wrote:

> Thanks for the answer but:
>
>   * In the example i post yesterday: on my server1 the recursion is
>     enabled (recursion yes), but the server1 can't recurse because i
>     stop it on firewall and it can't contact the outside.
>   * You say "Don't use forwarding from a recursive server to a
>     non-recursive server" but when my server1 is recursive (and the
>     firewall allow it to contact the outside), and server2 don't
>     recurse because in it's conf recursion is set to no, when i ask
>     my server1 about ftp.example.com (dig @0 ftp.example.com),
>     server1 forward the query to server2 which answer by the CNAME
>     www.abc.com and then server1 recurse to find the IP of
>     www.abc.com. and everything works fine.
>   * you say "If server 2 is auth-only or otherwise can't resolve the
>     address of www.abc.com, then forwarding a query to it is not
>     going to work." No as i say when server1 really recurse
>     (recursion yes, and the firewall allow the server1 to contact
>     outside) and server2 don't recurse (recursion no) all is ok:
>     server1 forward the query to server2 which answer by the CNAME
>     www.abc.com and then server1 recurse to find the IP of
>     www.abc.com. and everything works fine.
>   * You say "then using a stub zone for example.com will work", why
>     i will use a stub zone since a forward do the same thing
>     expected.
>
> And my question is always this:
> forward only; as i read means a recursive query, in other term a query
> with the RD bit is enabled. which means that when my server1 (which
> has recursion yes but can't recurse because the firewall don't
> allow it to contact the outside, which finally means server1 can't
> recurse) ask server2 about ftp.example.com,
> server2 will normally make all the work means he read on it's zone,
> then find the CNAME, then make a recursion to resolve the CNAME and
> finally send the IP to server1.
>
> why server2 don't recurse to find the IP of www.abc.com?

According to your own words: "server2 don't [sic] recurse because in 
it's [sic] conf recursion is set to no". There's your answer.


Why are you dealing with such screwy configs anyway? If you need to 
resolve things from the Internet, then you need to have a resolution 
path to the Internet (either directly talking to Internet nameservers, 
or some forwarding chain -- hopefully as short as possible, preferably 
0-length -- to something that can query Internet nameservers directly). 
If, on the other hand, you need to resolve something internal, then you 
only need to have an authoritative source of that information 
internally. Why are you complicating things more than they need to be? 
Setting recursion and then blocking it via a firewall? What purpose does 
that serve?




- Kevin

> thanks for your help.
>
> From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
> Sent: Thursday, May 5, 2011 19:47
> To: HARRATHI Issam Ext OLNC/DPS
> Cc: bind-users@lists.isc.org
> Subject: Re: forward first: iterative or recursive query
>
>> If recursion is disabled, forwarding doesn't happen. I think
>> you've confused some terms and configurations.
>>
>> Don't use forwarding from a recursive server to a non-recursive
>> server. Use a stub zone instead, if you can't rely on the
>> recursion process to find the correct server to query.
>>
>> If server 2 is auth-only or otherwise can't resolve the address of
>> www.abc.com, then forwarding a query to it is
>> not going to work. However, if server 1 is a caching server and is
>> able to resolve www.abc.com, then using a
>> stub zone for example.com will work; server 2
>> will send the CNAME record to server 1, and then server 1 will
>> resolve the final address record on its own.
>>
>> Chris Buxton
>> BlueCat Networks
>>
>> On May 5, 2011, at 2:15 AM, iharrathi@orange-ftgroup.com wrote:
>>
>>> Hi,
>>> i have a server called server1 that is acting as a cache server(
>>> recursion none). And i forward the zone example.com
>>> to server2 which has recursion enabled and
>>> master on some zone like example.com

Re: forward first: iterative or recursive query

2011-05-06 Thread David Sparro

On 5/6/2011 6:40 AM, iharrathi@orange-ftgroup.com wrote:

> Thanks for the answer but:
>
>   You say "Don't use forwarding from a recursive server to a
>   non-recursive server" but when my server1 is recursive (and the
>   firewall allow it to contact the outside), and server2 don't
>   recurse because in it's conf recursion is set to no, when i ask my
>   server1 about ftp.example.com (dig @0 ftp.example.com), server1
>   forward the query to server2 which answer by the CNAME www.abc.com
>   and then server1 recurse to find the IP of
>   www.abc.com. and everything works fine.
>
> And my question is always this:
> forward only; as i read means a recursive query, in other term a query
> with the RD bit is enabled. which means that when my server1 (which has
> recursion yes but can't recurse because the firewall don't allow it to
> contact the outside, which finally means server1 can't recurse) ask
> server2 about ftp.example.com, server2 will
> normally make all the work means he read on it's zone, then find the
> CNAME, then make a recursion to resolve the CNAME and finally send the
> IP to server1.
>
> why server2 don't recurse to find the IP of www.abc.com?
> thanks for your help.


Because you told it not to "> server2 don't recurse because in it's conf 
recursion is set to no"


--
Dave
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: forward first: iterative or recursive query

2011-05-06 Thread iharrathi.ext
Thanks for the answer but:

 * In the example i post yesterday: on my server1 the recursion is enabled
   (recursion yes), but the server1 can't recurse because i stop it on firewall
   and it can't contact the outside.
 * You say "Don't use forwarding from a recursive server to a non-recursive
   server" but when my server1 is recursive (and the firewall allow it to contact
   the outside), and server2 don't recurse because in it's conf recursion is set
   to no, when i ask my server1 about ftp.example.com (dig @0 ftp.example.com),
   server1 forward the query to server2 which answer by the CNAME www.abc.com
   and then server1 recurse to find the IP of www.abc.com. and
   everything works fine.
 * you say "If server 2 is auth-only or otherwise can't resolve the address of
   www.abc.com, then forwarding a query to it is not going to
   work." No as i say when server1 really recurse (recursion yes, and the
   firewall allow the server1 to contact outside) and server2 don't recurse
   (recursion no) all is ok: server1 forward the query to server2 which answer by
   the CNAME www.abc.com and then server1 recurse to find the
   IP of www.abc.com. and everything works fine.
 * You say "then using a stub zone for example.com will
   work", why i will use a stub zone since a forward do the same thing expected.

And my question is always this:
forward only; as i read means a recursive query, in other term a query with the
RD bit is enabled. which means that when my server1 (which has recursion yes
but can't recurse because the firewall don't allow it to contact the outside,
which finally means server1 can't recurse) ask server2 about
ftp.example.com, server2 will normally make all the work
means he read on it's zone, then find the CNAME, then make a recursion to
resolve the CNAME and finally send the IP to server1.
why server2 don't recurse to find the IP of www.abc.com?

thanks for your help.



From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
Sent: Thursday, May 5, 2011 19:47
To: HARRATHI Issam Ext OLNC/DPS
Cc: bind-users@lists.isc.org
Subject: Re: forward first: iterative or recursive query

If recursion is disabled, forwarding doesn't happen. I think you've confused
some terms and configurations.

Don't use forwarding from a recursive server to a non-recursive server. Use a
stub zone instead, if you can't rely on the recursion process to find the
correct server to query.

If server 2 is auth-only or otherwise can't resolve the address of
www.abc.com, then forwarding a query to it is not going to
work. However, if server 1 is a caching server and is able to resolve
www.abc.com, then using a stub zone for
example.com will work; server 2 will send the CNAME record
to server 1, and then server 1 will resolve the final address record on its own.

Chris Buxton
BlueCat Networks

On May 5, 2011, at 2:15 AM, iharrathi@orange-ftgroup.com wrote:

Hi,
i have a server called server1 that is acting as a cache server( recursion
none). And i forward the zone example.com to server2 which
has recursion enabled and master on some zone like
example.com.
 this is the forwarding zone on server1:
zone "example.com" {
type forward;
forward only;
forwarders { IP_of server2;  };
};
and server2 is master of the zone example.com:

zone "example.com" {
type master;
file "master/db.example.com";
};


BUT the problem is here:
db.example.com:

$ORIGIN example.com.
www   A      1.2.3.4
ftp   CNAME  www.abc.com.



server1 can resolve www.example.com, but can't resolve
ftp.example.com since the server2 sends the answer which
is www.abc.com and not the IP, and my server1 can't make
recursion to resolve www.abc.com.

why?
from server1 when i dig on server2: dig @IP-server2
www.example.com it sends to me the IP, all is OK!!!
but with a forwarding statement it sends only the CNAME

server1 is bind9.6-ESV-R4  and server2 bind-9.4.2

Thanks.
Issam HARRATHI


From: Chris Buxton [mailto:chris.p.bux...@g

Re: forward first: iterative or recursive query

2011-05-05 Thread Chris Buxton
If recursion is disabled, forwarding doesn't happen. I think you've confused 
some terms and configurations.

Don't use forwarding from a recursive server to a non-recursive server. Use a 
stub zone instead, if you can't rely on the recursion process to find the 
correct server to query.

If server 2 is auth-only or otherwise can't resolve the address of www.abc.com, 
then forwarding a query to it is not going to work. However, if server 1 is a 
caching server and is able to resolve www.abc.com, then using a stub zone for 
example.com will work; server 2 will send the CNAME record to server 1, and 
then server 1 will resolve the final address record on its own.

Chris Buxton
BlueCat Networks

On May 5, 2011, at 2:15 AM,  
 wrote:

> Hi,
> i have a server called server1 that is acting as a cache server( recursion 
> none). And i forward the zone example.com to server2 which has recursion 
> enabled and master on some zone like example.com.
>  this is the forwarding zone on server1:
> zone "example.com" {
> type forward;
> forward only;
> forwarders { IP_of server2;  };
> };
> and server2 is master of the zone example.com:
> 
> zone "example.com" {
> type master;
> file "master/db.example.com";
> };
>  
>  
> BUT the problem is here:
> db.example.com:
> 
> $ORIGIN example.com.
> www   A      1.2.3.4
> ftp   CNAME  www.abc.com.
>  
>  
>  
> server1 can resolve www.example.com, but can't resolve ftp.example.com since 
> the server2 sends the answer which is www.abc.com and not the IP, and my 
> server1 can't make recursion to resolve www.abc.com.
>  
> why?
> from server1 when i dig on server2: dig @IP-server2 www.example.com it sends 
> to me the IP, all is OK!!! but with a forwarding statement it sends only the 
> CNAME
>  
> server1 is bind9.6-ESV-R4  and server2 bind-9.4.2
>  
> Thanks.
> Issam HARRATHI
> 
> From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
> Sent: Wednesday, May 4, 2011 08:49
> To: HARRATHI Issam Ext OLNC/DPS
> Cc: bind-users@lists.isc.org
> Subject: Re: forward first: iterative or recursive query
> 
> With a static-stub zone, you would get an iterative query. Forwarding always 
> results in a recursive query.
> 
> How are you determining that your server is sending an iterative query?
> 
> Can we (the list) see your named.conf?
> 
> Regards,
> Chris Buxton
> BlueCat Networks
> 
> On May 3, 2011, at 5:21 AM,  
>  wrote:
> 
>> Hi
>> from the book DNS and Bind 5th edition [french] (o'reilly)
>> I read that the forward with the mode first sends a recursive query to the 
>> servers on the forwarders list, but as i see it only sends an iterative 
>> query. Also with forward only it send an iterative query.
>> So forward first send an iterative or recursive query?
>>  
>> And how i can send a recursive query with the statement forward ( without 
>> using static-stub)
>> I'm using bind-9.6-ESV-R4
>>  
>> Thanks.
>> Issam HARRATHI.
>> 
>> IMPORTANT.This e-mail message and any attachments are strictly confidential 
>> and may be protected by law. This message is
>> intended only for the named recipient(s) above.
>> If you have received this message in error, or are not the named 
>> recipient(s), please immediately notify the sender and delete this e-mail 
>> message.
>> Any unauthorized view, usage or disclosure of this message is prohibited.
>> Since e-mail messages may not be reliable, France Telecom Group shall not be 
>> liable for any message if modified, changed or falsified.
>

RE: forward first: iterative or recursive query

2011-05-05 Thread iharrathi.ext
Hi,
i have a server called server1 that is acting as a cache server( recursion 
none). And i forward the zone example.com to server2 which has recursion 
enabled and master on some zone like example.com.
 this is the forwarding zone on server1:
zone "example.com" {
type forward;
forward only;
forwarders { IP_of server2;  };
};
and server2 is master of the zone example.com:

zone "example.com" {
type master;
file "master/db.example.com";
};


BUT the problem is here:
db.example.com:

$ORIGIN example.com.
www   A      1.2.3.4
ftp   CNAME  www.abc.com.



server1 can resolve www.example.com, but can't resolve
ftp.example.com since the server2 sends the answer which
is www.abc.com and not the IP, and my server1 can't make
recursion to resolve www.abc.com.

why?
from server1 when i dig on server2: dig @IP-server2
www.example.com it sends to me the IP, all is OK!!! but
with a forwarding statement it sends only the CNAME

server1 is bind9.6-ESV-R4  and server2 bind-9.4.2

Thanks.
Issam HARRATHI


From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
Sent: Wednesday, May 4, 2011 08:49
To: HARRATHI Issam Ext OLNC/DPS
Cc: bind-users@lists.isc.org
Subject: Re: forward first: iterative or recursive query

With a static-stub zone, you would get an iterative query. Forwarding always 
results in a recursive query.

How are you determining that your server is sending an iterative query?

Can we (the list) see your named.conf?

Regards,
Chris Buxton
BlueCat Networks

On May 3, 2011, at 5:21 AM, iharrathi@orange-ftgroup.com wrote:

Hi
from the book DNS and Bind 5th edition [french] (o'reilly)
I read that the forward with the mode first sends a recursive query to the 
servers on the forwarders list, but as i see it only sends an iterative query. 
Also with forward only it send an iterative query.
So forward first send an iterative or recursive query?

And how i can send a recursive query with the statement forward ( without using 
static-stub)
I'm using bind-9.6-ESV-R4

Thanks.
Issam HARRATHI.



Re: forward first: iterative or recursive query

2011-05-03 Thread Chris Buxton
With a static-stub zone, you would get an iterative query. Forwarding always 
results in a recursive query.

How are you determining that your server is sending an iterative query?

Can we (the list) see your named.conf?

Regards,
Chris Buxton
BlueCat Networks

On May 3, 2011, at 5:21 AM,  
 wrote:

> Hi
> from the book DNS and Bind 5th edition [french] (o'reilly)
> I read that the forward with the mode first sends a recursive query to the 
> servers on the forwarders list, but as i see it only sends an iterative 
> query. Also with forward only it send an iterative query.
> So forward first send an iterative or recursive query?
>  
> And how i can send a recursive query with the statement forward ( without 
> using static-stub)
> I'm using bind-9.6-ESV-R4
>  
> Thanks.
> Issam HARRATHI.
> 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
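
The RD/RA question this thread turns on can be checked directly on the wire. The following is an added example, not code from any poster or from BIND: it builds a forwarded query (RD set) and an iterative one (RD clear) for ftp.example.com, constructs the kind of reply a "recursion no" server gives (AA set, RA clear, CNAME only), and decodes the flags. The function names, query IDs and the 3600-second TTL are assumptions made for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                     # 2-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            resume = off + 2 if resume is None else resume
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if resume is None else resume)

def build_query(qid, name, rd):
    """A-record query; rd=True is what a forwarder sends, rd=False is an iterative query."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)

def auth_only_reply(query, cname_target):
    """Constructed reply from a 'recursion no' server: AA set, RD echoed, RA clear, CNAME only."""
    qid, qflags = struct.unpack("!HH", query[:4])
    rdata = encode_name(cname_target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, QR | AA | (qflags & RD), 1, 1, 0, 0)
    return header + query[12:] + answer

def analyze(msg):
    """Return the header flags and answer record types of a DNS message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, types = 12, None, []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                                         # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"qname": qname, "response": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "answer_types": types}

def verdict(reply):
    """Say what the server that forwarded the query is left to do with this reply."""
    info = analyze(reply)
    dangling = TYPE_CNAME in info["answer_types"] and TYPE_A not in info["answer_types"]
    if info["rd"] and not info["ra"] and dangling:
        return "recursion desired but not available: CNAME target left unresolved"
    return "answer complete" if TYPE_A in info["answer_types"] else "no address in answer"

if __name__ == "__main__":
    forwarded = build_query(0x1A2B, "ftp.example.com", rd=True)   # sent by a forwarder
    reply = auth_only_reply(forwarded, "www.abc.com")
    print(analyze(forwarded), analyze(reply), verdict(reply), sep="\n")
```

The same flags appear in the header line of `dig` output (`rd`, `ra`, `aa`), so a capture or a direct `dig` against the forwarder target shows whether recursion was requested and whether it was offered.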