Using BIND - was Re: [ntp:questions] Re: How long do I havetowaitfor sync?
david at djwhome.demon.co.uk
Sat Jun 4 08:50:19 UTC 2005
In article <_y2oe.44801$G8.27844 at text.news.blueyonder.co.uk>,
"David J Taylor <david-taylor at blueyonder.co.not-this-bit.nor-this-part.uk>"
(forged - not yet allocated second level domain) wrote:
> servers. The question is: can I define multiple upstream servers (like in
> NTP) for reliability? [It has nothing to do with forwarders - I think].
You are getting confused because you are talking in low end workstation
terminology about software that is enterprise capable. Modern work
station PCs are perfectly capable of running the full software, but
commercial vendors don't supply it because they want to make a marketing
and price distinction between workstations and servers (this is only
strictly true of Windows and (non-OS/X?) Macs).
In the preferred configuration of BIND, when it is started, it uses
a preconfigured list of possible nameservers for the root domain.
These are the servers that contain the official (authorative) entries
for .net, .com, .edu, .uk, etc. From one of these it asks for the NS
(nameservers) record for the root domain. That provides it with an
updated list of the root nameservers, providing that at least one of the
original list is still valid (or you have a valid forwarder, see below).
If you then request my domain name, it tries the root nameservers until
it finds one that works, and returns a list of nameservers (there are 9
of these, all with the same data) for the .uk domain, and an indication
to try those.
;; AUTHORITY SECTION:
uk. 172800 IN NS NS1.NIC.uk.
uk. 172800 IN NS NS2.NIC.uk.
;; ADDITIONAL SECTION:
NS1.NIC.uk. 172800 IN A 184.108.40.206
NS2.NIC.uk. 172800 IN A 220.127.116.11
It then remembers those addresses, until they expire, so that the next
time you ask for a .uk domain, it doesn't bother a root nameserver.
It next asks one of the .uk nameservers, which will give it a list of
nameservers for demon.co.uk (the same nameserver is authorative for
both uk and co.uk, so one can skip the .co.uk step).
;; AUTHORITY SECTION:
demon.co.uk. 172800 IN NS ns0.demon.co.uk.
demon.co.uk. 172800 IN NS ns1.demon.co.uk.
demon.co.uk. 172800 IN NS ns2.demon.net.
;; ADDITIONAL SECTION:
ns0.demon.co.uk. 172800 IN A 18.104.22.168
ns1.demon.co.uk. 172800 IN A 22.214.171.124
It now knows where to go for first hand information for demon.co.uk for
the next two days (172800 seconds). It is building up its own network
of upstream nameservers, each with multiple alternatives and each having
current, not cached, data for the domain in question.
Finally it queries one of the servers for demon.co.uk and gets:
;; ANSWER SECTION:
djwhome.demon.co.uk. 300 IN A 126.96.36.199
This only has a 5 minute lifetime (unusually short, but possibly a
consequence of being an ISP with statically addressed dial up users).
If, 10 minutes later, you want my address again, it will go to the
If one nameserver for a domain fails to respond, it tries the rest in
turn (typically randomising the order).
You can give it a list of forwarders which it uses instead of a first
principles approach, or before a first principles approach. That list
can contain multiple nameservers and it will fallback from one to the
next in the same way as it does for the list of authorative servers.
You can also define your own local sub-domains. Only if you want the
rest of the internet to know about those domains does any external
server need to know about them (in which case you start having to pay
Incidentally this logic, as well as it being simple forgery of an
unauthorised domain name, is why you shouldn't use the sort of anti-spam
address that you are currently using. Because nor-this-part.uk
doesn't exist in the .uk domain, it will only ever be negatively cached
for a few seconds. Because this newsgroup is gatewayed to email,
multiple mail servers *will* try to look up this address. They will all
have to query the actual uk nameserver because the non-existence will
not be cached for long enough. This is even worse when done with a
top level domain. (Even if you aren't running BIND, your ISP will
be, or will be running software using the same protocols.)
There is a special top level domain, invalid, for this purpose, although
it doesn't currently seem to be optimised (it might still be special
code in the root servers).
More information about the questions