[dns-operations] question regarding rcodes REFUSED vs NOTAUTH

Roger Murray roger.murray at iis.se
Tue Jun 14 12:36:59 UTC 2016

Hey everybody,

I have some questions regarding expected rcodes and what can be found in the wild.

We are currently trying out Knot and noticed that it “broke” our monitoring. A Perl script checks the rcode of a request for a zone transfer, and we expect it to return REFUSED (rcode 5), but Knot returns NOTAUTH (rcode 9). It is easy to fix the monitoring, but I got curious as to what the rcode should be. As far as I can tell by reading RFCs (1035 and 2136), REFUSED (rcode 5) is a refusal for policy reasons while NOTAUTH (rcode 9) is that the nameserver is not authoritative for the zone.

Is there more/another RFC that can shed more light on this difference?
What should the rcode be?
Anyone know why different nameservers are implementing the response codes differently?

Best regards,
Roger Murray
Systemspecialist DNS, IIS
Mobil: +46 709 48 5242
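
The monitoring check described in the message, sketched as an added example (not part of the original post and not the Perl script it mentions): it frames an AXFR query for TCP, reads the 4-bit RCODE from a response header, and treats both REFUSED (5) and NOTAUTH (9) as "transfer denied" so the check passes against either behaviour. The function names, the zone `example.com` and the response bytes are constructed for illustration.

```python
import struct

# RCODE values cited in the message: REFUSED (RFC 1035), NOTAUTH (RFC 2136).
REFUSED, NOTAUTH = 5, 9
RCODE_NAMES = {0: "NOERROR", REFUSED: "REFUSED", NOTAUTH: "NOTAUTH"}
QTYPE_AXFR, QCLASS_IN = 252, 1

def encode_name(zone):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, msg_id=0x1234):
    """Build a TCP-framed AXFR query (2-byte length prefix, then the message)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(framed):
    """Return the 4-bit RCODE from a TCP-framed DNS response."""
    if len(framed) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) < 12 or len(msg) != length:
        raise ValueError("truncated DNS message")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F

def transfer_denied(framed):
    """Monitoring verdict (ok, rcode name); ok is True when the transfer was denied."""
    rcode = parse_rcode(framed)
    return rcode in (REFUSED, NOTAUTH), RCODE_NAMES.get(rcode, f"RCODE{rcode}")

def constructed_response(zone, rcode):
    """Constructed sample: the query echoed back with QR set and the given RCODE."""
    query = build_axfr_query(zone)[2:]
    msg = query[:2] + struct.pack("!H", 0x8000 | rcode) + query[4:]
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    for rc in (REFUSED, NOTAUTH, 0):
        print(rc, transfer_denied(constructed_response("example.com", rc)))
```

An RCODE of 0 on an AXFR from an unauthorised source is the case the check should alert on, since it means the server began answering the transfer.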
