[dns-operations] question regarding rcodes REFUSED vs NOTAUTH
Mark Andrews
marka at isc.org
Tue Jun 14 22:48:00 UTC 2016
In message <0FE2F15C-E1C0-47CC-8605-FE8464DF77A7 at iis.se>, Roger Murray writes:
>
> Hey everybody,
>
> I have some questions regarding expected rcodes and what can be found in
> the wild.
>
> Background:
> We are currently trying out Knot and noticed that it "broke" our
> monitoring. A perl script that checks the rcode of a request for a zone
> transfer and we expect it to return REFUSED (rcode 5), but Knot returns
> NOTAUTH (rcode 9). It is easy to fix the monitoring, but I got curious
> as to what the rcode should be. As far as I can tell by reading RFCs
> (1035 and 2136) REFUSED (rcode 5) is a refusal for policy reasons while
> NOTAUTH (rcode 9) is that the nameserver is not authoritative for the
> zone.
>
>
> Questions:
> Is there more/another rfc that can shed more light on this difference?
REFUSED is or should be a policy based result.
NOTAUTH is a data driven result where data includes the list of
configured zones.
> What should the rcode be?
No RFC states what the rcode should be if you get the name wrong
on an AXFR query because AXFR doesn't fit with normal QUERY processing.
> Anyone know why different nameservers are implementing the response codes
> differently?
Different authors. NOTAUTH is more precise than REFUSED and that
is why I switched named to using it if the QNAME is wrong.
> Best regards,
> Roger Murray
> Systemspecialist DNS, IIS
> Mobile: +46 709 48 5242
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
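An added example, not from this thread or from Knot or named: a small monitoring check in the spirit of the perl script described above, which treats both REFUSED (5) and NOTAUTH (9) as "the server declined the AXFR", since the rcode differs by implementation while the policy outcome is the same. The query builder, header parser and the two sample replies are constructed here (no captured traffic); the zone name and transaction id are assumptions.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

# Either code means the transfer was declined: REFUSED by policy,
# NOTAUTH because the QNAME is not a zone the server is configured for.
TRANSFER_DENIED = {5, 9}

def build_axfr_query(zone, txid=0x1234):
    """Wire-format QUERY with QTYPE=AXFR (252), QCLASS=IN, one question, RD=0."""
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 252, 1)

def parse_rcode(msg):
    """Return (txid, rcode) from a DNS message; rcode is the low 4 bits of flags."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F

def classify(msg, expected_txid):
    """'denied' if the server declined the AXFR, otherwise the rcode name."""
    txid, rcode = parse_rcode(msg)
    if txid != expected_txid:
        return "mismatched-id"
    if rcode in TRANSFER_DENIED:
        return "denied"
    return RCODE_NAMES.get(rcode, "rcode%d" % rcode)

def probe_axfr(server, zone, port=53, timeout=5.0):
    """Send the AXFR query over TCP (two-byte length prefix) and classify the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f = s.makefile("rb")
        length = struct.unpack("!H", f.read(2))[0]
        return classify(f.read(length), 0x1234)

# Constructed sample replies: header with QR=1 echoing the query id, the
# question section copied back, rcode 9 (NOTAUTH) and rcode 5 (REFUSED).
QUESTION = build_axfr_query("example.com")[12:]
NOTAUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8009, 1, 0, 0, 0) + QUESTION
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
```

A monitor that only accepted rcode 5 would alarm on a Knot or current named response; `probe_axfr` against a live server expects a "denied" result for any client that is not on the transfer ACL.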