[dns-operations] question regarding rcodes REFUSED vs NOTAUTH

Mark Andrews marka at isc.org
Tue Jun 14 22:48:00 UTC 2016

In message <0FE2F15C-E1C0-47CC-8605-FE8464DF77A7 at iis.se>, Roger Murray writes:
> Hey everybody,
> I have some questions regarding expected rcodes and what can be found in
> the wild.
> Background:
> We are currently trying out Knot and noticed that it “broke” our
> monitoring: a Perl script checks the rcode of a request for a zone
> transfer, and we expect it to return REFUSED (rcode 5), but Knot returns
> NOTAUTH (rcode 9).  It is easy to fix the monitoring, but I got curious
> as to what the rcode should be. As far as I can tell by reading RFCs
> (1035 and 2136), REFUSED (rcode 5) is a refusal for policy reasons, while
> NOTAUTH (rcode 9) means that the nameserver is not authoritative for the
> zone.
> Questions:
> Is there more/another rfc that can shed more light on this difference?

REFUSED is or should be a policy based result.

NOTAUTH is a data driven result where data includes the list of
configured zones.

> What should the rcode be?

No RFC states what the rcode should be if you get the name wrong
on an AXFR query because AXFR doesn't fit with normal QUERY processing.

> Anyone know why different nameservers are implementing the response codes
> differently?

Different authors.  NOTAUTH is more precise than REFUSED and that
is why I switched named to using it if the QNAME is wrong.

> Best regards,
> Roger Murray
> Systemspecialist DNS, IIS
> Mobil: +46 709 48 5242

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
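A monitoring check of the kind described in the thread, written so that either REFUSED or NOTAUTH counts as "transfer denied" and a NOERROR answer is treated as the alarming case. This is an added Python example, not code from the thread, Knot or named; the response bytes are constructed rather than captured, and the function names are my own.

```python
import struct

# RCODE values from RFC 1035 / RFC 2136 that matter for this check.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
# Both codes mean "this server will not transfer the zone to you"; which
# one you get is implementation-specific, so the monitor accepts either.
TRANSFER_DENIED = {"REFUSED", "NOTAUTH"}

def build_axfr_query(qname, txid=0x1234):
    """Build a wire-format AXFR query (QTYPE 252, QCLASS IN) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", 252, 1)

def parse_rcode(response, txid):
    """Return the RCODE name of a DNS response after checking ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F          # 4-bit RCODE in the header flags word
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")

def check_axfr_denied(response, txid):
    """Monitoring verdict: True if the server refused the zone transfer.

    A False result (e.g. NOERROR, i.e. the transfer was allowed) is what
    the monitor should page on, regardless of which denial code is used.
    """
    return parse_rcode(response, txid) in TRANSFER_DENIED

# Constructed responses (not captured from any server): same transaction
# ID, QR bit set, all section counts zero, only the RCODE differs.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8005, 0, 0, 0, 0)
NOTAUTH_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8009, 0, 0, 0, 0)
NOERROR_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8000, 0, 0, 0, 0)

if __name__ == "__main__":
    for name, resp in [("REFUSED", REFUSED_RESPONSE),
                       ("NOTAUTH", NOTAUTH_RESPONSE),
                       ("NOERROR", NOERROR_RESPONSE)]:
        verdict = "denied (OK)" if check_axfr_denied(resp, 0x1234) else "ALLOWED (alert)"
        print(f"{name}: {verdict}")
```

The real monitor would send `build_axfr_query()` over TCP with the two-byte length prefix and feed the reply to `check_axfr_denied()`.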
