Bind9 statistics output file




















Different possible formats for the Bind9 statistics file. Asked 9 years, 11 months ago. Ladadadada. The first one should give you the output you want. From memory, rndc stats didn't produce any output at all but caused the statistics file to be regenerated.

The Appaloosa script uses rndc in this way. There is, however, a new JSON interface that may be easier. If someone wants to send me an XML or json output of bind 9. Nice plugin. You should submit it to the munin contrib-repository on github, more people would find it there. Into The Void. November 1st, Best greetings from Germany.

A mismatch between servers on the same address is not expected to cause operational problems, but the option to disable COOKIE responses so that all servers have the same behavior is provided out of an abundance of caution. This is used by the server to determine whether the resolver has talked to it before. Resolvers which do not send a correct COOKIE option may be limited to receiving smaller responses via the nocookie-udp-size option.

The default is not to return stale answers. Stale answers can also be enabled or disabled at runtime via rndc serve-stale on or rndc serve-stale off; these override the configured setting.

Note that if stale answers have been disabled by rndc, they cannot be re-enabled by reloading or reconfiguring named; they must be re-enabled with rndc serve-stale on, or the server must be restarted. Information about stale answers is logged under the serve-stale log category. This option defines the amount of time in milliseconds that named waits before attempting to answer the query with a stale RRset from cache.

If a stale answer is found, named continues the ongoing fetches, attempting to refresh the RRset in cache until the resolver-query-timeout interval is reached. This option is off by default, which is equivalent to setting it to off or disabled. It also has no effect if stale-answer-enable is disabled. The maximum value for this option is resolver-query-timeout minus one second. The minimum value, 0 , causes a cached stale RRset to be immediately returned if it is available while still attempting to refresh the data in cache.

RFC recommends a value of milliseconds. Default no. The default stale-refresh-time is 30 seconds, as RFC recommends that attempts to refresh be done no more frequently than every 30 seconds. A value below is silently raised to The default value is , but the max-udp-size option may further limit the response size as the default for max-udp-size is If not set, the system generates a random secret at startup.

If there are multiple secrets specified, the first one listed in named. The others are only used to verify returned cookies. The EDNS Padding option is intended to improve confidentiality when DNS queries are sent over an encrypted channel, by reducing the variability in packet sizes. If a query:. If these conditions are not met, the response is not padded. If block-size is 0 or the ACL is none; , this feature is disabled and no padding occurs; this is the default.

If block-size is greater than , a warning is logged and the value is truncated to Block sizes are ordinarily expected to be powers of two for instance, , but this is not mandatory. This causes named to send specially formed queries once per day to domains for which trust anchors have been configured via, e.

The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL. By monitoring these queries, zone operators are able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one. See the description of provide-ixfr in server Statement Definition and Usage. See the description of request-ixfr in server Statement Definition and Usage.

See the description of request-expire in server Statement Definition and Usage. If yes , then an IPv4-mapped IPv6 address matches any address-match list entries that match the corresponding IPv4 address. This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address-match lists designed for IPv4 to fail to match.

However, named now solves this problem internally. The use of this option is discouraged. When yes and the server loads a new version of a primary zone from its zone file or receives a new version of a secondary file via zone transfer, it compares the new version to the previous one and calculates a set of differences.

By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the primary server. In particular, if the new version of a zone is completely different from the previous one, the set of differences is of a size comparable to the combined size of the old and new zone versions, and the server needs to temporarily allocate memory to hold this complete difference set.

It is off for all zones by default. Note: if inline signing is enabled for a zone, the user-provided ixfr-from-differences setting is ignored for that zone. This should be set when there are multiple primary servers for a zone and the addresses refer to different machines. If yes , named does not log when the serial number on the primary is less than what named currently has. There are three possible settings:. The command rndc sign zonename causes named to load keys from the key repository and sign the zone with all keys that are active.

Note: once keys have been loaded for a zone the first time, the repository is searched for changes periodically, regardless of whether rndc loadkeys is used.

The recheck interval is defined by dnssec-loadkeys-interval. This is the default setting. This option may only be activated at the zone level; if configured at the view or options level, it must be set to off. If set to yes , DNSSEC validation is enabled, but a trust anchor must be manually configured using a trust-anchors statement or the managed-keys or trusted-keys statements, both deprecated.

If there is no configured trust anchor, validation does not take place. The default is auto , unless BIND is built with configure --disable-auto-validation , in which case the default is yes. The default root trust anchor is stored in the file bind. A copy of the file is installed along with BIND 9, and is current as of the release date. If the root key expires, a new copy of bind. To prevent problems if bind. Relying on this is not recommended, however, as it requires named to be recompiled with a new key when the root key expires.

The file cannot be used to store keys for other zones. The root key in bind. This specifies a list of domain names at and beneath which DNSSEC validation should not be performed, regardless of the presence of a trust anchor at or above those names. This may be used, for example, when configuring a top-level domain intended only for local use, so that the lack of a secure delegation for that domain in the root zone does not cause validation failures.

This is similar to setting a negative trust anchor except that it is a permanent configuration, whereas negative trust anchors expire and are removed after a set period of time. Setting this option to yes leaves named vulnerable to replay attacks. Query logging provides a complete log of all incoming queries and all query errors. The querylog option specifies whether query logging should be active when named first starts. If querylog is not specified, then query logging is determined by the presence of the logging category queries.

Query logging can also be activated at runtime using the command rndc querylog on , or deactivated with rndc querylog off. The default varies according to usage area. For primary zones the default is fail. For secondary zones the default is warn. For answers received from the network response , the default is ignore. The default is to warn. Other possible values are fail and ignore.

This checks whether the MX record appears to refer to an IP address. This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a lack of understanding of the wildcard matching algorithm RFC This option affects primary zones. The default (yes) is to check for non-terminal wildcards and issue a warning. This performs post-load zone integrity checks on primary zones. For MX and SRV records, only in-zone hostnames are checked (for out-of-zone hostnames, use named-checkzone).

For NS records, only names below top-of-zone are checked (for out-of-zone names and glue consistency checks, use named-checkzone). Warnings are emitted if the TXT record does not exist; they can be suppressed with check-spf. When performing integrity checks, also check that sibling glue exists. The default is warn. This is similar to the dnssec-signzone -z command-line option. If there is any algorithm for which this requirement is not met, this option is ignored for that algorithm.

This is similar to the dnssec-signzone -x command-line option. If update-check-ksk is set to no , this option is ignored. This allows a dynamic zone to transition from secure to insecure i. It is expected that this requirement will be eliminated in a future release. Note that if a zone has been configured with auto-dnssec maintain and the private keys remain accessible in the key repository, the zone will be automatically signed again the next time named is started.

This will also be controlled by synth-from-dnssec. The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

This option is only meaningful if the forwarders list is not empty. A value of first is the default and causes the server to query the forwarders first; if that does not answer the question, the server then looks for the answer itself.

If only is specified, the server only queries the forwarders. This specifies a list of IP addresses to which queries are forwarded. The default is the empty list (no forwarding). Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. Dual-stack servers are used as servers of last resort, to work around problems in reachability due to the lack of support for either IPv4 or IPv6 on the host machine.

This specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual-stacked, the dual-stack-servers parameter has no effect unless access to a transport has been disabled on the command line e.

Access to the server can be restricted based on the IP address of the requesting system. This is only applicable for secondary zones i. If this option is set in view or options , it is globally applied to all secondary zones. If set in the zone statement, the global value is overridden. This specifies which hosts are allowed to ask ordinary DNS questions. If not specified, the default is to allow queries from all hosts.

This specifies which local addresses can accept ordinary DNS questions. Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it is refused. This specifies which hosts are allowed to get answers from the cache. If allow-recursion is not set, BIND checks to see if the following parameters are set, in order: allow-query-cache and allow-query unless recursion no; is set.

If neither of those parameters is set, the default localnets; localhost; is used. This specifies which local addresses can send answers from the cache. If allow-query-cache-on is not set, then allow-recursion-on is used if set. Otherwise, the default is to allow cache responses to be sent from any address.

Note: both allow-query-cache and allow-query-cache-on must be satisfied before a cache response can be sent; a client that is blocked by one cannot be allowed by the other. This specifies which hosts are allowed to make recursive queries through this server. BIND checks to see if the following parameters are set, in order: allow-query-cache and allow-query.

This specifies which local addresses can accept recursive queries. If allow-recursion-on is not set, then allow-query-cache-on is used if set; otherwise, the default is to allow recursive queries on all addresses. Any client permitted to send recursive queries can send them to any address on which named is listening. Note: both allow-recursion and allow-recursion-on must be satisfied before recursion is allowed; a client that is blocked by one cannot be allowed by the other.

When set in the zone statement for a primary zone, this specifies which hosts are allowed to submit Dynamic DNS updates to that zone. The default is to deny updates from all hosts. In general, this option should only be set at the zone level. While a default value can be set at the options or view level and inherited by zones, this could lead to some zones unintentionally allowing updates.

When set in the zone statement for a secondary zone, this specifies which hosts are allowed to submit Dynamic DNS updates and have them be forwarded to the primary. Note that enabling the update forwarding feature on a secondary server may expose primary servers to attacks if they rely on insecure IP-address-based access control; see Dynamic Update Security for more details. In general this option should only be set at the zone level.

While a default value can be set at the options or view level and inherited by zones, this can lead to some zones unintentionally forwarding updates.

This specifies which hosts are allowed to receive zone transfers from the server. If not specified, the default is to allow transfers to all hosts. The transport level limitations can also be specified. Either option can be specified; if both are used, both constraints must be satisfied in order for the transfer to be allowed. This specifies a list of addresses which the server does not accept queries from or use to resolve a query.

Queries from these addresses are not responded to. This specifies a list of addresses to which the server sends responses to TCP queries, in the same order in which they were received. This disables the processing of TCP queries in parallel.

This specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC to use case-insensitive name comparisons when checking for matching domain names. If left undefined, the ACL defaults to none : case-insensitive compression is used for all clients.

If the ACL is defined and matches a client, case is ignored when compressing domain names in DNS responses sent to that client. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matches the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisons.

There are circumstances in which named does not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different e.

This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records i. This is the amount of time in milliseconds that the resolver spends attempting to resolve a recursive query before failing. The default and minimum is and the maximum is Setting it to 0 results in the default being used. This value was originally specified in seconds.

Values less than or equal to are treated as seconds and converted to milliseconds before applying the above limits. The interfaces, ports, and protocols that the server can use to answer queries may be specified using the listen-on and listen-on-v6 options. IPv6 addresses are ignored, with a logged warning. The server listens on all interfaces allowed by the address match list. If no listen-on is specified, the default is to listen for standard DNS queries on port 53 of all IPv4 interfaces.

If no listen-on-v6 is specified, the default is to listen for standard DNS queries on port 53 of all IPv6 interfaces. If the name ephemeral is used, an ephemeral key and certificate created for the currently running named process will be used. Use of an http specification requires tls to be specified as well.

If an unencrypted connection is desired for example, on load-sharing servers behind a reverse proxy , tls none may be used. These defaults may be overridden using the port , tls-port , https-port and http-port options. Multiple listen-on statements are allowed. The first two lines instruct the name server to listen for standard DNS queries on port 53 of the IP address 5.

Multiple listen-on-v6 options can be used. The third line instructs the server to listen for DNS-over-TLS connections on port of the address db, using a TLS key and certificate specified in the tls statement with the name example-tls.

The fifth line, in which the tls parameter is set to none, instructs the server to listen for unencrypted DNS queries over HTTP at the endpoint specified in myserver. If the server does not know the answer to a question, it queries other name servers. For queries sent over IPv6, there is a separate query-source-v6 option. The port range(s) is specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.

The defaults of the query-source and query-source-v6 options are:. If such an interface is available, named uses the corresponding system default range; otherwise, it uses its own defaults:. The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are:.

Make sure the ranges are sufficiently large for security. A desirable size depends on several parameters, but we generally recommend it contain at least ports 14 bits of entropy. Explicit configuration of use-v4-udp-ports and use-v6-udp-ports is encouraged, so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications.

The operational configuration where named runs may prohibit the use of some ports. For example, Unix systems do not allow named , if run without root privilege, to use ports less than If such ports are included in the specified or detected set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay.

It is therefore important to configure the set of ports that can be safely used in the expected operational environment. TCP queries always use a random unprivileged port. Specifying a single port is discouraged, as it removes a layer of protection against spoofing errors. The configured port must not be the same as the listening port. See also transfer-source, notify-source and parental-source. BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system.

The following options apply to zone transfers. This helps to ensure that copies of the zones quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views.

In place of explicit addresses, one or more named primaries lists can be used. If an also-notify list is given in a zone statement, it overrides the options also-notify statement. The default is the empty list (no global notification list). Inbound zone transfers running longer than this many minutes are terminated. The default is minutes 2 hours.

The maximum value is 28 days minutes. Inbound zone transfers making no progress in this many minutes are terminated. The default is 60 minutes (1 hour). Outbound zone transfers running longer than this many minutes are terminated. Outbound zone transfers making no progress in this many minutes are terminated. The default is 20 per second.

The lowest possible rate is one per second; when set to zero, it is silently raised to one. This is the rate at which NOTIFY requests are sent when the name server is first starting up, or when zones have been newly added to the name server.

Secondary servers periodically query primary servers to find out if zone serial numbers have changed. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second.

Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the primary server to determine which format it sends.

If a message grows larger than this size, additional messages are used to complete the zone transfer. Note, however, that this is a hint, not a hard limit; if a message contains a single resource record whose RDATA does not fit within the size limit, a larger message will be permitted so the record can be transferred.

Valid values are between and octets; any values outside that range are adjusted to the nearest value within it. The default is , which was selected to improve message compression; most DNS messages of this size will compress to less than bytes. Larger messages cannot be compressed as effectively, because is the largest permissible compression offset pointer in a DNS message. This option is mainly intended for server testing; there is rarely any benefit in setting a value other than the default.

This is the maximum number of inbound zone transfers that can run concurrently. The default value is Increasing transfers-in may speed up the convergence of secondary zones, but it also may increase the load on the local system. This is the maximum number of outbound zone transfers that can run concurrently. Zone transfer requests in excess of the limit are refused. This is the maximum number of inbound zone transfers that can concurrently transfer from a given remote name server.

The default value is 2. Increasing transfers-per-ns may speed up the convergence of secondary zones, but it also may increase the load on the remote name server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.

This option is the same as transfer-source , except zone transfers are performed using IPv6. This indicates an alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set. To avoid using the alternate transfer source, set use-alt-transfer-source appropriately and do not depend upon getting an answer back to the first refresh query.

This indicates an alternate transfer source if the one listed in transfer-source-v6 fails and use-alt-transfer-source is set. This indicates whether the alternate transfer sources should be used. If views are specified, this defaults to no ; otherwise, it defaults to yes. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.

This option acts like notify-source , but applies to notify messages sent to IPv6 addresses. See Query Address about how the available ports are determined. For example, with the following configuration:. UDP ports of IPv6 messages sent from named are in one of the following ranges: to , to , and to Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports , and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification.
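The rule described above (the query-port pool is the use-v4-udp-ports or use-v6-udp-ports ranges minus the matching avoid- ranges, and should give at least 14 bits of entropy) can be checked before a configuration is deployed. The following is an added example, not part of the BIND documentation or code: the function names and the sample ranges are constructed for illustration, and the privileged-port boundary of 1024 is an assumption about the host operating system.

```python
import math

MIN_ENTROPY_BITS = 14     # minimum pool entropy the text recommends
PRIVILEGED_BELOW = 1024   # assumption: usual Unix privileged-port boundary


def _check(lo, hi):
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {lo}-{hi}")


def _merge(sorted_ports):
    """Collapse a sorted list of ports into inclusive (lo, hi) ranges."""
    ranges = []
    for p in sorted_ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def effective_ports(use_ranges, avoid_ranges):
    """Ports named may pick from: every 'use' range minus every 'avoid' range."""
    ports = set()
    for lo, hi in use_ranges:
        _check(lo, hi)
        ports.update(range(lo, hi + 1))
    for lo, hi in avoid_ranges:
        _check(lo, hi)
        ports.difference_update(range(lo, hi + 1))
    return _merge(sorted(ports))


def audit_pool(use_ranges, avoid_ranges, runs_as_root=False):
    """Report pool size, entropy in bits, and findings for one address family."""
    ranges = effective_ports(use_ranges, avoid_ranges)
    count = sum(hi - lo + 1 for lo, hi in ranges)
    bits = math.log2(count) if count else 0.0
    # Ports an unprivileged named cannot bind; queries from them would fail.
    privileged = sum(min(hi, PRIVILEGED_BELOW - 1) - lo + 1
                     for lo, hi in ranges if lo < PRIVILEGED_BELOW)
    findings = []
    if count == 0:
        findings.append("empty-pool: avoid ranges remove every usable port")
    elif count == 1:
        findings.append("single-port: source port is fully predictable")
    elif bits < MIN_ENTROPY_BITS:
        findings.append(
            f"pool-too-small: {count} ports = {bits:.2f} bits, "
            f"below {MIN_ENTROPY_BITS}")
    if privileged and not runs_as_root:
        findings.append(
            f"privileged-ports: {privileged} ports below {PRIVILEGED_BELOW} "
            "are in the pool but cannot be bound without root")
    return {"ranges": ranges, "count": count, "entropy_bits": bits,
            "privileged": privileged, "findings": findings}


if __name__ == "__main__":
    # Constructed sample pools (use ranges, avoid ranges), not from any real server.
    samples = {
        "narrow": ([(53000, 53999)], [(53500, 53599)]),
        "wide": ([(1024, 65535)], [(8000, 8999)]),
        "includes privileged": ([(512, 20000)], []),
    }
    for name, (use, avoid) in samples.items():
        report = audit_pool(use, avoid)
        print(name, report["ranges"], report["count"],
              round(report["entropy_bits"], 2), report["findings"])
```
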

Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of to specify a limit of one gigabyte. The following options set operating system resource limits for the name server process. Some operating systems do not support some or any of the limits; on such systems, a warning is issued if an unsupported limit is used. This sets the maximum size of a core dump. The default is default. This sets the maximum amount of data memory the server may use.

This is a hard limit on server memory usage; if the server attempts to allocate memory in excess of this limit, the allocation will fail, which may in turn leave the server unable to perform DNS service.

Therefore, this option is rarely useful as a way to limit the amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default.

To limit the amount of memory used by the server, use the max-cache-size and recursive-clients options instead. This sets the maximum number of files the server may have open concurrently. The default is unlimited. This sets the maximum amount of stack memory the server may use. When the journal file approaches the specified size, some of the oldest transactions in the journal are automatically removed.

The largest permitted value is 2 gigabytes. Very small values are rounded up to bytes. It is possible to specify unlimited, which also means 2 gigabytes. If the limit is set to default or left unset, the journal is allowed to grow up to twice as large as the zone. There is little benefit in storing larger journals. This sets the maximum number of records permitted in a zone. The default is zero, which means the maximum is unlimited. Because each recursing client uses a fair bit of memory (on the order of 20 kilobytes), the value of the recursive-clients option may have to be decreased on hosts with limited memory.

When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request is dropped. This is the maximum number of simultaneous client TCP connections that the server accepts. The default values are 10 and This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceeds this value, named assumes that it is dealing with a non-responsive zone and drops additional queries.

If it gets a response after dropping queries, it raises the estimate. The estimate is then lowered in 20 minutes if it has remained unchanged. If clients-per-query is set to zero, there is no limit on the number of clients per query and no queries are dropped.

If max-clients-per-query is set to zero, there is no upper bound other than that imposed by recursive-clients. This sets the maximum number of simultaneous iterative queries to any one domain that the server permits before blocking new queries for data in or beneath that zone.

This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than recursive-clients. When many clients simultaneously query for the same name and type, the clients are all attached to the same fetch, up to the max-clients-per-query limit, and only one iterative query is sent.

However, when clients are simultaneously querying for different names or types, multiple queries are sent and max-clients-per-query is not effective as a limit.

Optionally, this value may be followed by the keyword drop or fail , indicating whether queries which exceed the fetch quota for a zone are dropped with no response, or answered with SERVFAIL. The default is drop. If fetches-per-zone is set to zero, there is no limit on the number of fetches per query and no queries are dropped. The default is zero. The current list of active fetches can be dumped by running rndc recursing.

The list includes the number of active fetches for each domain and the number of queries that have been passed (allowed) or dropped (spilled) as a result of the fetches-per-zone limit. Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero. This sets the maximum number of simultaneous iterative queries that the server allows to be sent to a single upstream name server before blocking additional queries.

This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. Optionally, this value may be followed by the keyword drop or fail , indicating whether queries are dropped with no response or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default is fail. If fetches-per-server is set to zero, there is no limit on the number of fetches per query and no queries are dropped.

The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and either are answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses.

The fetch-quota-params options can be used to adjust the parameters for this calculation. This sets the parameters to use for dynamic resizing of the fetches-per-server quota in response to detected congestion. The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is , meaning that BIND recalculates the average ratio after every queries have either been answered or timed out.

A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. This sets the maximum amount of memory to use for an individual cache database and its associated metadata, in bytes or percentage of total physical memory. By default, each view has its own separate cache, which means the total amount of memory required for cache data is the sum of the cache database sizes for all views unless the attach-cache option is used.

When the amount of data in a cache database reaches the configured limit, named starts purging non-expired records following an LRU-based strategy. Any positive value smaller than 2 MB is ignored and reset to 2 MB. The keyword unlimited , or the value 0 , places no limit on the cache size; records are then purged from the cache only when they expire according to their TTLs.

This preallocation serves as an optimization to eliminate extra latency introduced by resizing internal cache structures. On systems where detection of the amount of physical memory is not supported, percentage-based values fall back to unlimited. Note that the amount of physical memory available is only detected on startup, so named does not adjust the cache size limits if the amount of physical memory is changed at runtime.

This sets the listen-queue depth. The default and minimum is Non-zero values less than 10 are silently raised. A value of 0 may also be used; on most platforms this sets the listen-queue length to a system-defined default value.

This sets the amount of time in units of milliseconds that the server waits on a new TCP connection for the first message from the client. The default is 30 seconds , the minimum is 25 2. Values above the maximum or below the minimum are adjusted with a logged warning. Note: this value must be greater than the expected round-trip delay time; otherwise, no client will ever have enough time to submit a message.

This value can be updated at runtime by using rndc tcp-timeouts. The default is 30 seconds , the maximum is two minutes , and the minimum is 1 one-tenth of a second. The default is 30 seconds , the maximum is about 1. This sets the timeout value in units of milliseconds that the server sends in responses containing the EDNS TCP keepalive option, which informs a client of the amount of time it may keep the session open. Ordinarily this should be set to the same value as tcp-keepalive-timeout.

The server performs zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day minutes. If set to 0, no zone maintenance for these zones occurs. The server scans the network interface list every interface-interval minutes. The default is 60 minutes; the maximum value is 28 days minutes. If set to 0, interface scanning only occurs when the configuration file is loaded, or when automatic-interface-scan is enabled and supported by the operating system.

After the scan, the server begins listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and stops listening on interfaces that have gone away. The name server normally returns the RRs within the RRset in an indeterminate order (but see the rrset-order statement in RRset Ordering). The client resolver code should rearrange the RRs as appropriate: that is, using any addresses on the local net in preference to other addresses.

However, not all resolvers can do this or are correctly configured.


