auth-nxdomain yes
Gordon Freeman
Nov 15, 2015, 5:17:43 PM
to bind-...@lists.isc.org
option: auth-nxdomain

I see the default for this is no, but what exactly are the ramifications of setting this to yes?

I have a tiered architecture for name servers, where down-level servers do forwarding for unknown domains. Will setting auth-nxdomain to yes prevent continual forwarding of queries of non-existent domain names?

I'm hoping the answer is yes, so that once an NXDOMAIN response is received by the name server, it will not forward repeated queries for that same name, at least for as long as the negative cache TTL. Thanks.

Mark Andrews
Nov 15, 2015, 6:58:03 PM
to Gordon Freeman, bind-...@isc.org

In message <756753830.5253999.14476...@mail.yahoo.com>, Gordon Freeman writes:
> option: auth-nxdomain
>
> I see the default for this is no, but what exactly are the ramifications
> of setting this to yes?

RFC 1034 or RFC 1035 stated that NXDOMAIN will always be authoritative
(can't remember which). Setting this to yes allows clients that
look for the "aa" bit on NXDOMAIN to accept the answer. Modern
nameservers set the "aa" bit to reflect whether this is an authoritative
answer (aa=1) or a cached answer (aa=0). This really hasn't been
an issue in decades.

> I have a tiered architecture for name servers, where down-level servers
> do forwarding for unknown domains. Will setting auth-nxdomain to yes
> prevent continual forwarding of queries of non-existent domain names?
>
> I'm hoping the answer is yes, so that once an NXDOMAIN response is
> received by the name server, it will not forward repeated queries for
> that same name, at least for as long as the negative cache TTL. Thanks.

Named does that by default. Not all authoritative sources however
provide a cacheable negative answer.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Gordon Freeman
Nov 16, 2015, 12:25:45 AM
to Gordon Freeman, Mark Andrews, bind-...@isc.org
>> I'm hoping the answer is yes, so that once an NXDOMAIN response is
>> received by the name server, it will not forward repeated queries for
>> that same name, at least for as long as the negative cache TTL. 
>
> Named does that by default. Not all authoritative sources however
> provide a cacheable negative answer.

But that's not what I'm seeing. If a client sends 100 queries for a non-existent name to its nearest name server, all of them are forwarded on up. What I want is for the name server to cache those NXDOMAIN answers so even if a client is slamming my DNS, my server is not in turn hammering those name servers upstream.

Mark Andrews
Nov 16, 2015, 12:39:11 AM
to Gordon Freeman, bind-...@isc.org

In message <1927990884.5538420.1447...@mail.yahoo.com>, Go
I suggest that you closely re-examine the query stream and the
answer stream because named both consolidates multiple queries and
caches negative answers.

Mark
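The two points Mark makes in this thread (an NXDOMAIN is only cacheable when the authoritative server returns an SOA in the authority section, as RFC 2308 describes, and a resolver that does cache it sends one upstream query rather than one per client query) can be checked offline with the Python below. This is an added example, not BIND's code and not anything posted in the thread: it builds constructed NXDOMAIN responses with and without the SOA, reads the RCODE, the "aa" bit and the negative-cache TTL (the minimum of the SOA TTL and the SOA MINIMUM field, per RFC 2308), and then pushes 100 identical client queries through a toy forwarder to count how many reach upstream. The names `build_nxdomain`, `parse_negative_answer`, `Forwarder`, `upstream_forwards` and the `example.com` zone data are assumptions made for the illustration.

```python
"""Added example (not BIND code): constructed NXDOMAIN responses, RFC 2308
negative-cache TTL extraction, and a toy forwarder with a negative cache."""
import struct

SOA_TYPE = 6
NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name in RFC 1035 label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset_after_name); follows compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_nxdomain(qname, aa, soa=None):
    """Constructed NXDOMAIN response for an A query.  soa=(zone, ttl, minimum)
    adds the authority-section SOA that makes the answer cacheable."""
    flags = 0x8000 | NXDOMAIN          # QR=1, RCODE=3
    if aa:
        flags |= 0x0400                # AA bit
    nscount = 1 if soa else 0
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, nscount, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    auth = b""
    if soa:
        zone, ttl, minimum = soa
        rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2015111601, 3600, 900, 604800, minimum))
        auth = encode_name(zone) + struct.pack("!HHIH", SOA_TYPE, 1, ttl, len(rdata)) + rdata
    return hdr + question + auth


def parse_negative_answer(msg):
    """Return rcode, aa flag and the RFC 2308 negative-cache TTL
    (None when no SOA is present, i.e. the answer is not cacheable)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12

    def parse_rr(off):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        return name, rtype, ttl, off + 10, off + 10 + rdlen   # rdata offset, next RR

    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an):
        *_, off = parse_rr(off)                     # skip answer section
    neg_ttl = None
    for _ in range(ns):
        _name, rtype, ttl, rdata_off, off = parse_rr(off)
        if rtype == SOA_TYPE:
            _, p = decode_name(msg, rdata_off)      # MNAME
            _, p = decode_name(msg, p)              # RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]
            neg_ttl = min(ttl, minimum)             # RFC 2308 section 3
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "neg_ttl": neg_ttl}


class Forwarder:
    """Toy forwarding resolver that negatively caches NXDOMAIN when it can."""

    def __init__(self, upstream):
        self.upstream = upstream        # callable: qname -> wire response
        self.neg_cache = {}             # qname -> expiry time
        self.upstream_queries = 0

    def resolve(self, qname, now):
        exp = self.neg_cache.get(qname)
        if exp is not None and now < exp:
            return NXDOMAIN             # served from the negative cache
        self.upstream_queries += 1
        info = parse_negative_answer(self.upstream(qname))
        if info["rcode"] == NXDOMAIN and info["neg_ttl"]:
            self.neg_cache[qname] = now + info["neg_ttl"]
        return info["rcode"]


def upstream_forwards(cacheable, nqueries=100):
    """Upstream query count for nqueries identical client queries, one per second."""
    soa = ("example.com", 3600, 300) if cacheable else None
    fwd = Forwarder(lambda q: build_nxdomain(q, aa=True, soa=soa))
    for second in range(nqueries):
        fwd.resolve("nosuch.example.com", now=second)
    return fwd.upstream_queries


if __name__ == "__main__":
    print("upstream queries, cacheable NXDOMAIN:", upstream_forwards(True))
    print("upstream queries, SOA-less NXDOMAIN:", upstream_forwards(False))
```

With the SOA present the forwarder asks upstream once and answers the remaining 99 queries from its negative cache until the 300-second TTL expires; without the SOA every one of the 100 client queries is forwarded, which is the behaviour Gordon describes and the reason Mark points at the upstream answer stream rather than at auth-nxdomain.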