On 4/25/2010 12:01 AM, Josh Kuo wrote:
>> You need administrative access to see the overrides to the normal
>> resolution process.
>
> Just so I understand this completely, by administrative access you
> mean I need to be able to log in to each of the resolvers (not
> administrative access on my local workstation to do a 'sudo dig
> example.net a +trace'), correct?
+trace only shows the workings of the standard iterative-resolution
algorithm, as if your local resolver, starting with only hardcoded
information about the root zone, were doing all of the work necessary to
obtain the requested information using *non-recursive* queries to trace
the delegation chain(s).
However, if you send *recursive* queries, essentially giving some other
resolver _carte_blanche_ to resolve the name any way it feels fit, then
+trace isn't going to tell you diddly about whatever
algorithm/configuration the other resolver might be using to get the
information for you. It's basically a "black box" as far as you're
concerned -- queries in, responses out. You don't know how or where it
got the information.
> A follow-up question to that... is it even possible to perform such a
> trace (revealing all resolvers) with the DNS protocol? Or is this
> purely a designed limitation of dig?
Feel free to propose an equivalent layer to the DNS protocol as ICMP is
to IP/TCP/UDP and get all of the DNS implementations out there to
support the new protocol extension.
Then it might be possible to write a program analogous to "traceroute"
for DNS.
- Kevin
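As an added illustration of the distinction Kevin draws above (this is not code from the thread or from BIND): on the wire, the only difference between a +trace hop and an ordinary stub lookup is the Recursion Desired bit in the 12-byte DNS header. The block builds an RFC 1035 query for example.net/A either way and classifies a response header as answer, referral or REFUSED, which is what a practitioner sees when checking whether a resolver honours RD=0; the transaction id and the sample response headers are constructed.

```python
import struct

# RFC 1035 header flag bits (16-bit flags word, second header field).
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired (set by stub resolvers, clear for +trace hops)
FLAG_RA = 0x0080   # recursion available (set by recursive servers)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5

def encode_qname(name):
    # Wire-format name: length-prefixed ASCII labels terminated by a zero byte.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, recursion_desired=False):
    # qtype 1 = A, class 1 = IN. txid is a constructed placeholder; a real
    # client must use an unpredictable id per query.
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def parse_flags(message):
    # Decode the header so the caller can see whether the server answered
    # authoritatively, offered recursion, referred elsewhere, or refused.
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }

def classify(message):
    # Coarse view of what a +trace-style client would do with this response.
    f = parse_flags(message)
    qd, an, ns, ar = f["counts"]
    if not f["qr"]:
        return "query"
    if f["rcode"] == RCODE_REFUSED:
        return "refused"      # common reply to RD=0 from a recursive-only server
    if an == 0 and ns > 0 and not f["aa"]:
        return "referral"     # delegation: the next hop in the chain
    if an > 0:
        return "answer"
    return "other"
```

Sending `build_query("example.net")` over UDP port 53 to each of your resolvers and classifying the reply shows which of them follow delegations themselves and which refuse non-recursive queries.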
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users