[dns-operations] Recently closed open resolver and reflection attacks

Vernon Schryver vjs at rhyolite.com
Thu Mar 7 16:37:18 UTC 2013

> From: Edward Lewis <ed.lewis at neustar.biz>

> We chose SERVFAIL instead of REFUSED for that - in the sense that the
> service failed by sending the querier to the wrong place.  I don't think
> either is better than the other, just saying this because it's not
> always clear what's the right RCODE.

It seems at best astonishing (as in "the least astonishment principle")
to have SERVFAIL usually mean "the server failed" but sometimes mean
"the client messed up and so we'll talk about a 'service' and not the
client and never mind that other client errors are answered with FORMERR".

`grep -i SERVFAIL *.txt` in a directory with a bunch of RFCs finds the
following lines, all about errors or problems in the DNS server
and none concerning the DNS client:

              SERVFAIL    2       The name server encountered an internal
   processing of this section, signal SERVFAIL to the requestor and undo
   RCODE other than SERVFAIL or NOTIMP, then the requestor returns an
   4.6. If a response is received whose RCODE is SERVFAIL or NOTIMP, or
   exceeded and then returning SERVFAIL.  This is a problem when your
     SERVFAIL.  Therefore use of extensions should be "probed" such that
    2    ServFail  Server Failure                     [RFC 1035]
   In the event a server returns a NOTIMP, FORMERR or SERVFAIL response
        a permanent email delivery failure.  Finish.  If SERVFAIL is
   some broken name servers return SERVFAIL (RCODE 2), a temporary
         that zone.  Some servers issue SERVFAIL, whereas others turn
   server cannot perform an update, i.e., FORMERR, SERVFAIL, REFUSED,
         2    ServFail  Server Failure                     [RFC1035]
      error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or
      If a query results in a "SERVFAIL" error response (rcode=2 in
   "SERVFAIL" from other DNS errors so that appropriate actions can be
   error response to the client (i.e., SERVFAIL) instead of dropping the
           2    ServFail  Server Failure                     [RFC1035]

Vernon Schryver    vjs at rhyolite.com
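As an added example (not code from this post, the list, or any of the RFCs quoted above), the script below builds constructed DNS responses carrying a chosen RCODE, parses the 12-byte header back out, and maps the RCODE to the names from RFC 1035 (0-5) and RFC 2136 (6-10). The `classify` bucketing of codes into "server failure", "client error" and "policy refusal" is an assumption that follows the reading of SERVFAIL/FORMERR/REFUSED argued in the thread; a resolver operator can run the same header parsing over captured responses to count how often each code is actually handed back.

```python
import struct

# RCODE names: 0-5 from RFC 1035 section 4.1.1, 6-10 from RFC 2136 section 2.2.
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
    9: "NOTAUTH", 10: "NOTZONE",
}

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_qname(name):
    """Wire-encode an owner name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid, rcode, qname, qtype=1, qclass=1, ra=True):
    """Construct a minimal response (header + echoed question, no answer RRs).

    This is constructed sample data for the example; it is not captured traffic.
    """
    flags = QR | RD | (RA if ra else 0) | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg):
    """Bucket a response by who the RCODE says is at fault (assumed mapping).

    SERVFAIL is a server-side problem; FORMERR/NOTIMP mean the client sent
    something the server cannot process; REFUSED is an explicit policy refusal.
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    rc = h["rcode"]
    if rc == 0:
        return "ok"
    if rc == 2:
        return "server-failure"
    if rc in (1, 4):
        return "client-error"
    if rc == 5:
        return "refused"
    if rc == 3:
        return "name-error"
    return "other"


def tally(responses):
    """Count RCODE names over a batch of responses, as a monitoring job would."""
    counts = {}
    for msg in responses:
        name = parse_header(msg)["rcode_name"]
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed responses to one query for example.com/A with two RCODEs.
    for rc in (2, 5):
        msg = build_response(0x1234, rc, "example.com", ra=False)
        h = parse_header(msg)
        print(h["rcode_name"], classify(msg), h)
```

Run stand-alone it prints the decoded headers for a SERVFAIL and a REFUSED response to the same question; `tally` is what you would point at a pcap-derived list of response payloads to see the mix of codes a resolver returns.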
