Re: DNS Terminology

2016-09-24 Thread Lindsay Haisley
On Sat, 2016-09-24 at 00:15 -0500, Dave Funk wrote:
> On Fri, 23 Sep 2016, Lindsay Haisley wrote:
> 
> > 
> > On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
> > wrote:
> > > 
> > > consider that, to do the work described as "forwarding" in many of
> > > these references, the nameserver must perform a recursive query [e.g.
> > > it must perform a query with the rd bit set].
> > "A forwarding DNS server offers the same advantage of maintaining a
> > cache to improve DNS resolution times for clients. However, it actually
> > does none of the recursive querying itself. Instead, it forwards all
> > requests to an outside resolving server and then caches the results to
> > use for later queries."
> > 
> > What am I missing?
> > 
> > Justin Ellingwood, who wrote the DigitalOcean piece, is a very
> > experienced documenter. From his rather impressive resume, I'd be
> > inclined to trust what he posts.
> This is the difference between asking a question (formulating a query 
> potentially with the "want recursion" bit set) and then doing the work of 
> chasing down all the different stake-holders necessary to answer the 
> question (performing the recursive query)
> VS handing the query off to a 3'rd party and letting them do the dirty 
> work (forwarding)

Exactly!

I apologize for double posting, and for missing responses to my posts.
I'm busy, and only got onto this list to inquire about blocking a
particular kind of spam with which I've been having a problem. I
shouldn't have gotten involved in a discussion on name servers. 

I'm outa here :)

Ciao

-- 
Lindsay Haisley   | "It is better to bite a single
FMP Computer Services |cannibal than to curse the doggies"
512-259-1190  |
http://www.fmp.com|-- John Day




Re: DNS Terminology

2016-09-23 Thread Dave Funk

On Fri, 23 Sep 2016, Lindsay Haisley wrote:


On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
wrote:

consider that, to do the work described as "forwarding" in many of
these references, the nameserver must perform a recursive query [e.g.
it must perform a query with the rd bit set].


"A forwarding DNS server offers the same advantage of maintaining a
cache to improve DNS resolution times for clients. However, it actually
does none of the recursive querying itself. Instead, it forwards all
requests to an outside resolving server and then caches the results to
use for later queries."

What am I missing?

Justin Ellingwood, who wrote the DigitalOcean piece, is a very
experienced documenter. From his rather impressive resume, I'd be
inclined to trust what he posts.


This is the difference between asking a question (formulating a query 
potentially with the "want recursion" bit set) and then doing the work of 
chasing down all the different stake-holders necessary to answer the 
question (performing the recursive query)
VS handing the query off to a 3'rd party and letting them do the dirty 
work (forwarding)


--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
wrote:
> consider that, to do the work described as "forwarding" in many of
> these references, the nameserver must perform a recursive query [e.g.
> it must perform a query with the rd bit set].

"A forwarding DNS server offers the same advantage of maintaining a
cache to improve DNS resolution times for clients. However, it actually
does none of the recursive querying itself. Instead, it forwards all
requests to an outside resolving server and then caches the results to
use for later queries."

What am I missing?

Justin Ellingwood, who wrote the DigitalOcean piece, is a very
experienced documenter. From his rather impressive resume, I'd be
inclined to trust what he posts.

-- 
Lindsay Haisley   |"Friends are like potatoes.
FMP Computer Services |If you eat them, they die"
512-259-1190  |
http://www.fmp.com|  - Aaron Edmund




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> > http://serverfault.com/questions/661821/what-s-the-difference-betwe
> en-recursion-and-forwarding-in-bind
> 
> this is bad information.  it's unfortunate it has a green check mark 
> next to it.  at least it only has a 6 though.

So why is this bad information?

-- 
Lindsay Haisley   |  "The voice of dissent was arrested before
FMP Computer Services | the president cleared his throat to
512-259-1190  |speak of freedom"
http://www.fmp.com|
  |-- Chris Chandler




Re: DNS Terminology

2016-09-23 Thread listsb-spamassassin

> On Sep 23, 2016, at 17.34, Lindsay Haisley  wrote:
> 
> On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
>> On 2016.09.23 16.16, Lindsay Haisley wrote:
>>> 
>>> On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
 
 Right, but the question here is why isn't a forwarding server also a
 recursive server? Why is the use of iteration the defining feature of
 a recursive server and not the support for recursion.
>>> http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind
>> this is bad information.  it's unfortunate it has a green check mark 
>> next to it.  at least it only has a 6 though.
> 
> What do you think is bad about it? I've been working with DNS for 20
> years and this is about as straightforward an explanation of the
> difference as I can think of, and jibes with my understanding. Am I
> misinformed?

it suffers from the same deficiencies highlighted in my earlier message.  
namely, conflating the services provided with the work done in order to provide 
those services.

> 
> says pretty much the same thing. Is this also bad information?

yes.  

> Or how about
> ?
> 
> What this article defines as a "caching" name server is rather the same
> as a recursive server, but the definition of a forwarding server is the
> same - basically a proxy server.

this page is perhaps a bit better, but still suffers from terminology 
conflation.

consider that, to do the work described as "forwarding" in many of these 
references, the nameserver must perform a recursive query [e.g. it must perform 
a query with the rd bit set].

on the digital ocean page, it's stated "This configuration will force the 
server to recursively seek answers from other DNS servers when a client issues 
a query".  this is incorrect.  the configuration described will result in 
[there's no forcing here :) ] the server performing *iterative* queries.  that 
is, working through the dns hierarchy, following delegations [often called 
"referrals"] as necessary, in order to find the answer.  these queries do not 
have the rd bit set, and as such, are not recursive queries.

the techexams page suffers from this same misconception.  recursion occurs if 
the client sends a "recursion desired" query [rd bit set], and the server 
answers with a "recursion allowed" response [ra bit set].  at that point, 
recursion has now occurred, regardless of what the server might have done 
behind the scenes [it might be a client too!]  what the poster on that page 
described as recursion occurring, is, in fact, iteration occurring.

a reference to the bind config exemplified on the digital ocean page might help 
as well.  the "recursion" setting controls whether or not recursion is allowed 
[e.g. whether or not recursive service is offered/provided to clients querying 
the server].  it does not control whether or not the nameserver performs 
recursion in order to provide the answer.  further emphasis of this can be 
found in the accompanying "allow-recursion" and "allow-recursion-on" settings, 
which further fine tune this behavior.

in any case, hopefully this discussion has run its course here.  it's an 
interesting topic, and one worth exploring for the sake of those in search of 
accuracy, but would be a better fit for a mailing list like oarc's 
dns-operations or such.

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> On 2016.09.23 16.16, Lindsay Haisley wrote:
> > 
> > On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> > > 
> > > Right, but the question here is why isn't a forwarding server also a
> > > recursive server? Why is the use of iteration the defining feature of
> > > a recursive server and not the support for recursion.
> > http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind
> this is bad information.  it's unfortunate it has a green check mark 
> next to it.  at least it only has a 6 though.

What do you think is bad about it? I've been working with DNS for 20
years and this is about as straightforward an explanation of the
difference as I can think of, and jibes with my understanding. Am I
misinformed?


says pretty much the same thing. Is this also bad information?

Or how about
?

What this article defines as a "caching" name server is rather the same
as a recursive server, but the definition of a forwarding server is the
same - basically a proxy server.

Programmers don't like the use of the term "recursion" when applied to
a name server, but the word has a general meaning that can be applied
in a lot of contexts, some of them in a variety of IT fields.

-- 
Lindsay Haisley   | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190  |  -- Pogo
http://www.fmp.com|




Re: DNS Terminology

2016-09-23 Thread btb

On 2016.09.23 16.16, Lindsay Haisley wrote:

On Fri, 2016-09-23 at 18:43 +0100, RW wrote:

Right, but the question here is why isn't a forwarding server also a
recursive server? Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.


http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind


this is bad information.  it's unfortunate it has a green check mark 
next to it.  at least it only has a 6 though.




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> Right, but the question here is why isn't a forwarding server also a
> recursive server? Why is the use of iteration the defining feature of
> a recursive server and not the support for recursion.

http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind

-- 
Lindsay Haisley   | "The difference between a duck is because
FMP Computer Services |one leg is both the same"
512-259-1190  | - Anonymous
http://www.fmp.com|




Re: DNS Terminology

2016-09-23 Thread Greg Troxel

Lindsay Haisley  writes:

> Huh? So what's the problem with "recursion"? That's the name of the
> boolean configuration option in bind9. It's about as descriptive and
> clear a word as it can be.
>
> options {
> directory "/var/cache/bind";
> recursion yes;
> allow-query { goodclients; };
>         etc 
>
> };

I'm not sure how to parse your question, so this may not be useful to
you but it seems there is a lot of confusion.

To answer others: iteration and recursion describe implementation
techniques for programs, and are used for DNS in slightly fuzzy ways.
If a resolver iterates (in a loop, without function calls) from root
down to the others, that's not implemented with recursion (tail
recursion aside).  But the edge of when iteration vs recursion is the
right word is not the point.

In DNS, when sending a query, there is a "recursion desired" bit, and
replies have a "recursion available" bit.  Running "dig apache.org", I
get the following.  You can see the rd and ra flag bits set.  The query
went to ::1 (localhost in IPv6), and the final answer was returned.  The
nameserver running on the local machine did what is called recursive
processing, asking the root for org, and then asking org for apache.org,
and then asking apache.org for an A record (except some of this may have
been cached).  My nameserver is configured without any "forwarder"
lines, so it asks each of these places directly.  Note that you cannot
figure out from the dig output whether the server did
recursion/iteration from the root or forwarded the query to someplace
that did.

With a forwarder, my resolver would have sent the original query
someplace else, with the "rd" bit set, and that other place would have
done the multiple lookups, and returned a reply, which my server would
then have returned.

The "recursion yes" in bind instructs the local server that it is
permitted to accept queries for which it doesn't have the answer and do
the iterative lookup.  Generally one sets that not in general, but in an
ACL limited to one's own machines.

If a forwarder is not configured (again, should be ACLed to own
machines) and recursion is not enabled, then trying to do a recursive
query results in a refusal.  (This is a a bit messy to configure when a
resolver should do recursive processing for local hosts and be
authoritative for some zone all at the same time.)

As others have said, the big point is that if queries to BLs are
forwarded to some server that also does lookups for other people, that
risks exceeding per-IP-address limits.


; <<>> DiG 9.10.3-P4 <<>> apache.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24737
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;apache.org.                    IN      A

;; ANSWER SECTION:
apache.org.             1800    IN      A       140.211.11.105
apache.org.             1800    IN      A       88.198.26.2

;; AUTHORITY SECTION:
apache.org.             75135   IN      NS      ns1.no-ip.com.
apache.org.             75135   IN      NS      ns2.no-ip.com.
apache.org.             75135   IN      NS      ns4.no-ip.com.
apache.org.             75135   IN      NS      ns2.surfnet.nl.
apache.org.             75135   IN      NS      ns3.no-ip.com.

;; ADDITIONAL SECTION:
ns4.no-ip.com.          158234  IN      A       204.16.254.44
ns1.no-ip.com.          158234  IN      A       204.16.255.55
ns1.no-ip.com.          158234  IN      AAAA    2620:0:2e60::33
ns2.no-ip.com.          158234  IN      A       204.16.254.6
ns2.no-ip.com.          158234  IN      AAAA    2001:1838:f000::6
ns2.surfnet.nl.         322     IN      A       192.87.36.2
ns2.surfnet.nl.         322     IN      AAAA    2001:610:3:200a:192:87:36:2
ns3.no-ip.com.          158234  IN      A       207.34.6.1
ns3.no-ip.com.          158234  IN      AAAA    2620:171:802:752d::1

;; Query time: 14 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Sep 23 16:06:03 EDT 2016
;; MSG SIZE  rcvd: 372




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 21:25 +0200, Axb wrote:
> On 09/23/2016 09:11 PM, RW wrote:
> > 
> > Whatever the right and wrongs of this I think the term recursive is
> > best avoided in this list. "Non-forwarding" is a lot clearer IMO.
> Can we agree to:
> "servers running SA should use a local non forwarding resolver".
> 
> That should rule out dnsmasq.

Huh? So what's the problem with "recursion"? That's the name of the
boolean configuration option in bind9. It's about as descriptive and
clear a word as it can be.

options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
        etc 

};
-- 
Lindsay Haisley   | "Never expect the people who caused a problem
FMP Computer Services |  to solve it." - Albert Einstein
512-259-1190  |
http://www.fmp.com|




Re: DNS Terminology

2016-09-23 Thread Axb

On 09/23/2016 09:11 PM, RW wrote:

Whatever the right and wrongs of this I think the term recursive is
best avoided in this list. "Non-forwarding" is a lot clearer IMO.


Can we agree to:
"servers running SA should use a local non forwarding resolver".

That should rule out dnsmasq.




Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 14:12:30 -0400
Bill Cole wrote:


> I have never seen the word "iterative" used to describe DNS recursion
> or any other DNS resolution algorithm except in the context of a
> resolver having multiple servers that it can query at a particular
> step of the resolution process 

It's used that way in RFC1034 and practically every article on the
internet about DNS. I'm guessing that probably RFC1034 used
non-standard terminology and everyone else picked-up on that.

Whatever the right and wrongs of this I think the term recursive is
best avoided in this list. "Non-forwarding" is a lot clearer IMO.



Re: DNS Terminology

2016-09-23 Thread Dianne Skoll
Huh, why are people getting hung up on this?

The distinction is based on who the DNS server will consult to provide
a response to a question.

An authoritative server consults its local authoritative zone
database.  It may or may not be willing to consult someone else for
questions not in its database; as someone else posted, most
Internet-facing authoritative servers refuse to provide answers for
zones not in their local authoritative database.

A recursive server is willing to consult other servers to provide an
answer.  If the answer is not in its local database (or indeed if it
has no local authoritative database), then it's willing to query other
name servers to chase down the answers.

A forwarding server is a special case of recursive server:  It's willing
to ask another server for the answer, but in the case of forward-only
servers, it's only willing to ask a predefined server or servers for the
answer and not go chasing it wherever the DNS leads.  In the case of a
forward-first server, it first tries its predefined server(s) and then
becomes willing to chase it wherever the DNS leads.

A given server may be any combination of authoritative, recursive and
forwarding depending on the zone.

Regards,

Dianne.


Re: DNS Terminology

2016-09-23 Thread John Hardin

On Fri, 23 Sep 2016, RW wrote:


On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:


Recursive server does lookups iteratively.


Right, but the question here is why isn't a forwarding server also a
recursive server?


It may or may not be, see "forward first". A DNS server may do both.


Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.


Think "actual behavior", not "capability".


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---
 276 days since the first successful real return to launch site (SpaceX)


Re: DNS Terminology

2016-09-23 Thread John Hardin

On Fri, 23 Sep 2016, RW wrote:


On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:



Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that
recommendation.


I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

 1. Iterative - where results are found by working down through
 multiple servers from the root servers.


"Recursive" is the way I have always heard that described.


 2. Recursive - where a request is made to a single nameserver which
 handles the whole look-up on behalf of a client.


"Forwarding" is the way I have always heard that described.


What this turns on is whether a forwarding server is a distinct
class of of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen  contrast it
only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.


I think the clearest way to state it is "must not forward" as 
lists did.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---
 276 days since the first successful real return to launch site (SpaceX)


Re: DNS Terminology

2016-09-23 Thread btb

On 2016.09.23 12.03, RW wrote:

On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:



Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that
recommendation.


I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

  1. Iterative - where results are found by working down through
  multiple servers from the root servers.

  2. Recursive - where a request is made to a single nameserver which
  handles the whole look-up on behalf of a client.

What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen  contrast it
only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.



it might help to remember that, in terms of dns, recursion refers to 
something very specific [the rd flag, or bit, is set in a query - or the 
ra flag is set in a response - see rfc 1035].  it's not an ambiguous 
colloquialism, and isn't subject to vernacular interpretation as would 
be the dictionary definition.


often this comes down to multiple aspects of confusion, in conjunction 
with one another.  not understanding well the difference between 
authoritative and caching [sometimes called "recursive"] nameservers, 
not understanding well the difference between iterative and recursive 
queries, and typically most often, not understanding the difference 
between the queries a nameserver accepts and the queries it performs. 
lastly, nameservers can be configured in such a way that they are 
providing both authoritative and caching service, which can introduce 
additional confusion to inexperienced folks.


generally, caching nameservers accept recursive queries, and perform 
iterative queries in order to provide the answer.  however, it's 
possible that a caching nameserver could also perform a recursive query 
to get the answer [think "forwarders"], had the admin configured it to 
do so.  this type of config is generally discouraged [for the reasons 
covered regularly on this list, of course].


in terms of caching nameservers being referred to as recursive 
nameservers, this means that the server *accepts* recursive queries.  it 
does not necessarily mean that the server *performs* recursive queries 
[although as mentioned above, it may].


Re: DNS Terminology

2016-09-23 Thread Bill Cole

On 23 Sep 2016, at 13:43, RW wrote:


On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:


Recursive server does lookups iteratively.


Right, but the question here is why isn't a forwarding server also a
recursive server?


Because a forward-only DNS server does not resolve queries by way of a 
recursive algorithm.



Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.


Because words have meaning?

The stub resolver in a Windows 95/WinSock PC iterates a name query down 
its list of DNS (and maybe WINS) nameservers until something answers it 
with an IP. If it receives referral NS records, it ignores them and 
continues to *ITERATE* the query against its fixed list of servers, 
possibly even asking each one repeatedly (ITERATING) despite receiving 
referral NS answers with which a standard recursive resolver would 
RECURSE the query against the newly-discovered servers.




Re: DNS Terminology

2016-09-23 Thread li...@rhsoft.net



Am 23.09.2016 um 19:57 schrieb RW:

On Fri, 23 Sep 2016 13:13:19 -0400
Sean Greenslade wrote:


On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:

I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

  1. Iterative - where results are found by working down through
  multiple servers from the root servers.

  2. Recursive - where a request is made to a single nameserver
which handles the whole look-up on behalf of a client.

What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen  contrast
it only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.


A forwarding server is a recursive server. The two are more or less
synonymous. Both iterative and recursive servers may or may not cache
their results to speed up future queries for the same information.


A nameserver that does iteration is definitely a recursive server. To
say that "recursive server" and "forwarding server" are more or less
synonymous is wrong


well, that whole stuff is discussed way too complex here

your nameserver can do recursion, be authoritative for own zones and 
forwarder for specific zones at the same time - the only relevant point 
is that it doesn't forward DNSBL/DNSWL/URIBL relevant questions to a 
shared nameserver outside your network - that's it


in the context of an inbound mailserver (for anything you don't host on your 
machines) it's just as simple as:


* if your DNS is asking another DNS you defined you are doing it wrong
* if your DNS configuration contains another dns server it's wrong
* if your DNS server like dnsmasq looks in /etc/resolv.conf it's crap

the one and only exception is large networks where you have a central 
caching server doing recursion and on the other nodes you have this 
machine as forwarder, but if you are in such an environment you 
hopefully understand dns basics anyways


Re: DNS Terminology

2016-09-23 Thread Bill Cole

On 23 Sep 2016, at 12:03, RW wrote:


On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:


Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that
recommendation.


I've been wondering whether recursive is actually the correct term.


It is.

Please forgive any excess verbosity and/or didactic tone used below, 
it's not that I believe that you need all the explication, but you're 
not the least-knowledgeable reader of this list by a wide margin...



As I understand it there are two types of DNS lookup:

  1. Iterative - where results are found by working down through
  multiple servers from the root servers.


That is the behavior traditionally called "recursion." The resolver asks 
a question of a root server and recursively asks the same question of 
one or more up-tree servers to which it is referred by down-tree servers 
(from the root up.) This is "recursive" because it feeds the result of a 
query (a glue NS record) into a retry of the same query directed to the 
host identified in that prior result. In some resolver implementations 
the actual code logic for this is formally recursive, in that a function 
calls itself with new arguments until it finally gets a proper final 
answer to the query.


Historically, some particularly lame operating systems have had "stub" 
DNS resolvers that know only how to ask one or more DNS servers for 
resolution, and not how to do recursion on their own. As a result, those 
systems have needed access to a DNS server that would do the recursion 
for them and provide a final result, not a referral. Actual DNS servers 
can be made to behave like lame stubs (usually selectively) and 
"forward" some or all queries to fully recursive resolvers on behalf of 
end-clients with truly incapable resolvers.


I have never seen the word "iterative" used to describe DNS recursion or 
any other DNS resolution algorithm except in the context of a resolver 
having multiple servers that it can query at a particular step of the 
resolution process (i.e. multiple servers in /etc/resolv.conf or 
multiple NS referral records being returned by a root or intermediate 
nameserver.) It would also fit federated resolution models that can be 
set up in some systems via a "name service switch" mechanism (i.e. 
/etc/nsswitch.conf) which can use multiple name->address resolution 
mechanisms other than DNS such as NIS, static files, NetInfo, etc.



  2. Recursive - where a request is made to a single nameserver which
  handles the whole look-up on behalf of a client.


In that case the client resolver is NOT being recursive, the nameserver 
is being either recursive or is forwarding.



What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.


I disagree, and have never seen that model/nomenclature for forwarding 
servers used before.


A forwarding-only server is never recursive. It doesn't use a non-final 
response to a query as a parameter to retry the same query with a 
different server. Many servers that do forwarding ALSO do recursion, 
either tactically to check another server's cache before doing the 
slower work of recursion or strategically to resolve names that don't 
have a locally correct resolution connected to the global roots 
(e.g. *.10.in-addr.arpa.)



Definitions of the term "recursive server" that I've seen  contrast it
only with "authoritative server".


The dichotomy between "authoritative" and "recursive" servers is not 
really correct and is almost orthogonal to the forwarding vs. recursion 
behavior. Authoritative-only servers only answer queries about the zones 
for which they are configured to be authoritative. Servers that provide 
full resolution service to non-recursive client resolvers may be 
recursive or forwarding or a mix of both, but forwarding isn't recursion 
and recursion isn't forwarding, all they have in common is that they 
both are strategies for finding final DNS answers for queries for which 
the server is not authoritative.



One thing is certain, what you want is a name server that does
*iterative* lookups.


In your terms, yes, generally. For a mail server using DNSBLs of any 
sort:


You want a nameserver that provides final answers to all queries from 
your mail server, not referrals, because even recursion-capable OS stub 
resolvers have limited and often problematic caching and recursion takes 
time.


You want a nameserver that has a substantial and intelligently managed 
name cache which adheres to DNS standards (i.e. honor TTLs) so that 
recursion latency and stale records can both be avoided to the extent 
possible.


You want a nameserver that never forwards queries to public-access 
nameservers, particularly for DNSBLs because those servers are often 
blocked but 
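To make Dianne's forward-only versus forward-first distinction and Bill's description of referral-following concrete, here is a toy resolver that implements all three strategies over a constructed delegation tree. It is an added example, not code from the thread or from BIND; the server names, zone names and addresses are made up for the demonstration. The trace it returns records which server each query went to and whether RD was set, which shows the practical point raised several times on this page: a forwarded DNSBL query reaches the list's nameservers from the shared forwarder's address, not from your mail host's.

```python
"""Toy model of iterative, forward-only and forward-first resolution, showing
which servers see the querying host's address. Added example, not code from
the list thread or from BIND; the delegation tree, server names and addresses
are constructed, and the three strategies follow the thread's descriptions
of BIND's "forward only" and "forward first" modes."""
from __future__ import annotations

# Constructed authoritative data. Each server maps an owner name to either a
# referral (the server to ask next) or a final A record.
AUTH = {
    "root.example": {"example.": ("referral", "tld.example")},
    "tld.example": {"mail.example.": ("referral", "ns.mail.example"),
                    "bl.example.": ("referral", "ns.bl.example")},
    "ns.mail.example": {"mx.mail.example.": ("answer", "192.0.2.25")},
    "ns.bl.example": {"2.0.0.127.bl.example.": ("answer", "127.0.0.2")},
}
ROOT = "root.example"


def _lookup(server: str, qname: str):
    """Most specific entry the server holds for qname (longest suffix), or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        entry = AUTH[server].get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None


class Resolver:
    """mode is "iterative", "forward-only" or "forward-first".
    forwarder_up=False simulates a forwarder that does not answer."""

    def __init__(self, name: str, mode: str = "iterative",
                 forwarder: Resolver | None = None, forwarder_up: bool = True):
        if mode != "iterative" and forwarder is None:
            raise ValueError(f"{mode} needs a forwarder")
        self.name, self.mode = name, mode
        self.forwarder, self.forwarder_up = forwarder, forwarder_up
        self.cache: dict[str, str] = {}

    def resolve(self, qname: str, trace: list | None = None):
        """Return (address or None, trace); trace holds (asker, asked, rd_bit)."""
        trace = [] if trace is None else trace
        if qname in self.cache:
            return self.cache[qname], trace
        if self.mode != "iterative":
            # Hand the whole question to the forwarder with RD set.
            trace.append((self.name, self.forwarder.name, 1))
            if self.forwarder_up:
                answer, _ = self.forwarder.resolve(qname, trace)
                return self._remember(qname, answer), trace
            if self.mode == "forward-only":
                return None, trace              # nowhere else to go: SERVFAIL
            # forward-first: the forwarder failed, so iterate ourselves.
        return self._remember(qname, self._iterate(qname, trace)), trace

    def _iterate(self, qname: str, trace: list) -> str | None:
        server = ROOT
        for _ in range(16):                     # bound on delegation depth
            trace.append((self.name, server, 0))  # RD clear: we want data, not service
            entry = _lookup(server, qname)
            if entry is None:
                return None
            kind, value = entry
            if kind == "answer":
                return value
            server = value                      # referral: follow it

    def _remember(self, qname: str, answer: str | None) -> str | None:
        if answer is not None:
            self.cache[qname] = answer
        return answer


def servers_that_saw(trace: list, asker: str) -> list[str]:
    """Servers that received a query directly from asker: what a DNSBL
    operator's per-source-address limit would count against asker."""
    return sorted({asked for who, asked, _ in trace if who == asker})


if __name__ == "__main__":
    shared = Resolver("shared-forwarder")
    for r in (Resolver("mailhost"), Resolver("mailhost", "forward-only", shared)):
        addr, trace = r.resolve("2.0.0.127.bl.example.")
        print(r.mode, addr, "seen by:", servers_that_saw(trace, "mailhost"))
```

With the iterative resolver the list's nameserver sees "mailhost" directly; with forward-only it sees only "shared-forwarder", so any per-address limit the list applies is shared with every other client of that forwarder, which is exactly the situation rhsoft and Greg warn about. Forward-first only differs when the forwarder fails to answer, at which point it falls back to iterating itself.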

Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 13:13:19 -0400
Sean Greenslade wrote:

> On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
> > I've been wondering whether recursive is actually the correct term.
> > 
> > As I understand it there are two types of DNS lookup:
> > 
> >   1. Iterative - where results are found by working down through
> >   multiple servers from the root servers.
> > 
> >   2. Recursive - where a request is made to a single nameserver
> > which handles the whole look-up on behalf of a client.
> > 
> > What this turns on is whether a forwarding server is a distinct
> > class of nameserver or a type of recursive server. I think the
> > latter is most logical, since both provide a recursive interface.
> > Definitions of the term "recursive server" that I've seen  contrast
> > it only with "authoritative server".
> > 
> > One thing is certain, what you want is a name server that does
> > *iterative* lookups.  
> 
> A forwarding server is a recursive server. The two are more or less
> synonymous. Both iterative and recursive servers may or may not cache
> their results to speed up future queries for the same information.

A nameserver that does iteration is definitely a recursive server. To
say that "recursive server" and "forwarding server" are more or less
synonymous is wrong.


Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 16:57:54 +
Shawn Bakhtiar wrote:


> Recursive server does lookups iteratively.

Right, but the question here is why isn't a forwarding server also a
recursive server? Why is the use of iteration the defining feature of
a recursive server and not the support for recursion?

BTW please either use proper quoting or trim the text and quote it
manually. You created a complete mess with your previous post. 


Re: DNS Terminology

2016-09-23 Thread Sean Greenslade
On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
> I've been wondering whether recursive is actually the correct term.
> 
> As I understand it there are two types of DNS lookup:
> 
>   1. Iterative - where results are found by working down through
>   multiple servers from the root servers.
> 
>   2. Recursive - where a request is made to a single nameserver which
>   handles the whole look-up on behalf of a client.
> 
> What this turns on is whether a forwarding server is a distinct
> class of nameserver or a type of recursive server. I think the
> latter is most logical, since both provide a recursive interface.
> Definitions of the term "recursive server" that I've seen contrast it
> only with "authoritative server".
> 
> One thing is certain, what you want is a name server that does
> *iterative* lookups.

A forwarding server is a recursive server. The two are more or less
synonymous. Both iterative and recursive servers may or may not cache
their results to speed up future queries for the same information.

Authoritative servers are the original source of the record data for one
or more sections of the DNS hierarchy. If they receive a request for a
record they hold authority over, they return it directly. If they
receive a request for a record they _don't_ hold authority, then it
depends on how the server is configured. It could recurse, it could
iterate, or it could reject the query. Most internet-facing authoritative
servers reject queries for parts of the domain hierarchy they don't hold
authority over.

--Sean



Re: DNS Terminology

2016-09-23 Thread Shawn Bakhtiar
A forwarding name server simply forwards (proxies) the query to an upstream 
recursive server.


On Sep 23, 2016, at 9:03 AM, RW wrote:

> On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
> John Hardin wrote:
> 
> > Lists shouldn't have said "caching", that confuses the issue. Caching
> > and recursion are two different, unrelated pieces.
> > 
> > Focus on the "recursion" and "no forwarding" parts of that
> > recommendation.
> 
> I've been wondering whether recursive is actually the correct term.
> 
> As I understand it there are two types of DNS lookup:
> 
>   1. Iterative - where results are found by working down through
>   multiple servers from the root servers.
> 
>   2. Recursive - where a request is made to a single nameserver which
>   handles the whole look-up on behalf of a client.
> 
> What this turns on is whether a forwarding server is a distinct
> class of nameserver or a type of recursive server. I think the
> latter is most logical, since both provide a recursive interface.
> Definitions of the term "recursive server" that I've seen contrast it
> only with "authoritative server".
> 
> One thing is certain, what you want is a name server that does
> *iterative* lookups.

A forwarding server is best used when a firewall does not allow direct access 
for DNS queries on the egress side (outbound). A forwarding server can be set up 
on the inside to point to a recursive server on the outside (or DMZ) and act as 
a proxy for internal hosts. A recursive server needs to be able to communicate 
unhindered to the world so it can follow the TLD chain down to the 
authoritative host responsible for a given subdomain.

A recursive server does lookups iteratively:
1) get root hints from file and find "." (one of the many) (this dot is implied 
at the end of every domain, i.e. www.example.com. <-- we 
simply never really type the last dot)
2) ask a root server where to look for COM
3) ask .COM where to look for EXAMPLE
4) ask EXAMPLE.COM where to look for WWW

A forwarding server simply forwards a (usually recursive) request to the next 
available upstream server, with some option to re-direct based on query (but 
that starts getting into multiple views, which is irrelevant here), and the 
recursive server simply sees the forwarding server as a client. It may be 
required based on firewall configuration (a paranoid security specialist may not 
want to allow recursion from just any host on their network).

In regards to the OP and RBL lookups, it makes no difference whether there is a 
forwarding DNS in between the client (the spam blocking MTA) and the/a 
recursive DNS server, but in order for the RBL to work it will have to somehow 
get to a recursive DNS that can find and query the RBL, and that can be 
"proxied" by a forwarding server.

However what will NOT work is asking an authoritative DNS server. Authoritative 
DNS servers strictly provide information for a given sub domain, and *SHOULD* 
not allow recursion (lest you want to participate in DNS 
reflection/amplification DDoS attacks, since authoritative servers must respond 
to queries from the world - any ip address that may ask).

A few simple drill/dig/nslookups would easily provide all the information 
necessary as to how the DNS pathway is setup.

Here is what a drill -T for www.example.com looks 
like... notice the iterative recursion from com. all the way down to the host:

drill -T www.example.com
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
www.example.com. 86400 IN A 93.184.216.34
example.com. 86400 IN NS a.iana-servers.net.
example.com. 86400 IN NS b.iana-servers.net.


And here is the same query using dig on my SPAM firewall for a known IP listed 
on zen.spamhause.org; again, notice the recursion 
starting at root (.).

dig 

DNS Terminology

2016-09-23 Thread RW
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:


> Lists shouldn't have said "caching", that confuses the issue. Caching
> and recursion are two different, unrelated pieces.
> 
> Focus on the "recursion" and "no forwarding" parts of that
> recommendation.

I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

  1. Iterative - where results are found by working down through
  multiple servers from the root servers.

  2. Recursive - where a request is made to a single nameserver which
  handles the whole look-up on behalf of a client.

What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen contrast it
only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.
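The distinction RW draws between iterative and recursive lookups, and the
root -> com. -> example.com. walk plus the DNSBL proxying that Shawn
describes, as an added worked example (not code from any post in this
thread, and not from any real resolver). Everything is an in-memory toy:
the server names under ".mock." are invented, the zone data is constructed
(the only value taken from the thread is the 93.184.216.34 A record in the
drill output), and "dnsbl.example." is a made-up DNSBL zone standing in for
a real list such as Spamhaus Zen. No network traffic is sent. The point it
shows is that the recursive server is the one that actually iterates from
the root hints and follows referrals, the forwarding server only proxies a
cache miss to its upstream, and an authoritative-only server refuses the
DNSBL query outright, which is why an RBL lookup has to end up at a
recursive resolver somewhere.

```python
"""Toy model of recursive (iterating), forwarding and authoritative servers.

Added example, not from the thread.  All zone data is constructed and the
".mock." server names are invented; nothing here touches the network.
"""
import ipaddress

ROOT_HINTS = ["a.root-servers.mock."]

# Mock authoritative servers: zone apex plus (owner, type) -> rdata list.
# NS records below the apex are delegations, i.e. the referrals a real
# authoritative server hands back instead of an answer.
SERVERS = {
    "a.root-servers.mock.": {"apex": ".", "rr": {
        ("com.", "NS"): ["a.gtld-servers.mock."],
        ("example.", "NS"): ["ns.example-tld.mock."],
    }},
    "a.gtld-servers.mock.": {"apex": "com.", "rr": {
        ("example.com.", "NS"): ["a.iana-servers.mock."],
    }},
    "a.iana-servers.mock.": {"apex": "example.com.", "rr": {
        ("www.example.com.", "A"): ["93.184.216.34"],  # value from the drill output
    }},
    "ns.example-tld.mock.": {"apex": "example.", "rr": {
        ("dnsbl.example.", "NS"): ["ns.dnsbl.example."],
    }},
    "ns.dnsbl.example.": {"apex": "dnsbl.example.", "rr": {
        # constructed DNSBL zone: only 192.0.2.1 is listed
        ("1.2.0.192.dnsbl.example.", "A"): ["127.0.0.2"],
    }},
}


def in_zone(name, apex):
    """True if name is at or below apex (label-boundary safe)."""
    return apex == "." or name == apex or name.endswith("." + apex)


def authoritative_query(server, qname, qtype):
    """One authoritative server's reply: ANSWER, REFERRAL to the child zone's
    NS set, NXDOMAIN inside its own zone, or REFUSED for anything outside it
    (it offers no recursion)."""
    zone = SERVERS[server]
    if not in_zone(qname, zone["apex"]):
        return "REFUSED", []
    rr = zone["rr"]
    if (qname, qtype) in rr:
        return "ANSWER", rr[(qname, qtype)]
    delegations = [(owner, ns) for (owner, rtype), ns in rr.items()
                   if rtype == "NS" and owner != zone["apex"] and in_zone(qname, owner)]
    if delegations:
        owner, ns = max(delegations, key=lambda d: len(d[0]))  # closest enclosing zone
        return "REFERRAL", ns
    return "NXDOMAIN", []


class RecursiveServer:
    """Offers recursion to clients and satisfies it by iterating: root hints,
    then each referral in turn, caching whatever final answer comes back."""

    def __init__(self):
        self.cache = {}
        self.trace = []  # (server asked, status) for every outbound query

    def query(self, qname, qtype):
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key]
        servers = list(ROOT_HINTS)
        for _ in range(8):  # guard against referral loops
            server = servers[0]
            status, data = authoritative_query(server, qname, qtype)
            self.trace.append((server, status))
            if status == "REFERRAL":
                servers = data
                continue
            answer = data if status == "ANSWER" else []  # NXDOMAIN/REFUSED: no data
            self.cache[key] = answer
            return answer
        raise RuntimeError("referral chain too long for %s" % qname)


class ForwardingServer:
    """Proxies every cache miss, RD=1, to a single upstream recursive server.
    It never reads root hints or follows a referral itself."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}
        self.forwarded = 0

    def query(self, qname, qtype):
        key = (qname, qtype)
        if key not in self.cache:
            self.forwarded += 1
            self.cache[key] = self.upstream.query(qname, qtype)
        return self.cache[key]


def dnsbl_qname(ip, zone="dnsbl.example."):
    """DNSBL lookup name: IPv4 octets reversed under the list zone,
    e.g. 192.0.2.1 -> 1.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    recursor = RecursiveServer()
    forwarder = ForwardingServer(recursor)
    print(forwarder.query("www.example.com.", "A"))          # ['93.184.216.34']
    print(recursor.trace)                                    # root -> gtld -> iana
    print(forwarder.query(dnsbl_qname("192.0.2.1"), "A"))    # ['127.0.0.2'] listed
    print(forwarder.query(dnsbl_qname("192.0.2.2"), "A"))    # [] not listed
    print(authoritative_query("a.iana-servers.mock.", dnsbl_qname("192.0.2.1"), "A"))
    # ('REFUSED', []): an authoritative-only server is a dead end for RBL lookups
```

The trace is the part worth reading: three outbound queries from the
recursive server for one name (the iteration), exactly one hand-off from the
forwarder for the same name, and none at all once either cache is warm.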