[dns-operations] question regarding rcodes REFUSED vs NOTAUTH

Paul Vixie paul at redbarn.org
Sat Jun 18 20:46:29 UTC 2016

Mark Andrews wrote:
> In message <0FE2F15C-E1C0-47CC-8605-FE8464DF77A7 at iis.se>, Roger Murray writes:
>> Hey everybody,
>> I have some questions regarding expected rcodes and what can be found in
>> the wild. ...
>> Questions:
>> Is there more/another rfc that can shed more light on this difference?
> REFUSED is or should be a policy based result.
> NOTAUTH is a data driven result where data includes the list of
> configured zones.

while that sounds reasonable to me, i don't think there's an RFC that 
describes the use of NOTAUTH or the other recent RCODEs for use in 
QUERY. they are defined in RFC 2136 and an UPDATE initiator should 
expect to hear them.

>> Anyone know why different nameservers are implementing the response codes
>> differently?
> Different authors.  NOTAUTH is more precise than REFUSED and that
> is why I switched named to using it if the QNAME is wrong.

given that there's a recent AXFR clarification RFC, it's odd that no one 
proposed expanding the RCODE values available to a responder.

i do not think it's wise to answer QUERY with any opcode that did not 
exist when QUERY was defined, unless it's first proposed and accepted as 
a protocol change to QUERY. RFC 2136 does not do this.

P Vixie
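
Added example, not part of the original message or of any nameserver's code: a small header parser for surveying which RCODEs arrive in responses, flagging the case discussed above where an RCODE introduced by RFC 2136 (values 6 to 10, NOTAUTH being 9) comes back on a message whose opcode is QUERY. The function names and the sample messages are constructed for illustration.

```python
import struct
from collections import Counter

# RCODEs 0-5 come from RFC 1035; 6-10 were introduced by RFC 2136 for UPDATE.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}
RFC2136_RCODES = range(6, 11)
OPCODE_QUERY, OPCODE_UPDATE = 0, 5

def classify_response(msg: bytes) -> dict:
    """Decode the 12-byte DNS header of a response and classify its RCODE.

    Only the 4-bit header RCODE is read; the extended RCODE bits carried in
    an EDNS OPT record are not handled, which is enough for values 0-10.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    return {
        "id": msg_id,
        "opcode": opcode,
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        # True when an UPDATE-era RCODE answers a plain QUERY
        "update_rcode_on_query": opcode == OPCODE_QUERY and rcode in RFC2136_RCODES,
    }

def tally(messages) -> Counter:
    """Count (opcode, rcode name) pairs across captured responses."""
    results = (classify_response(m) for m in messages)
    return Counter((r["opcode"], r["rcode"]) for r in results)

def make_response(msg_id: int, opcode: int, rcode: int) -> bytes:
    """Build a constructed header-only response (all section counts zero)."""
    flags = 0x8000 | (opcode << 11) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

# Constructed samples: QUERY/REFUSED, QUERY/NOTAUTH, UPDATE/NOTAUTH
SAMPLES = [make_response(1, OPCODE_QUERY, 5),
           make_response(2, OPCODE_QUERY, 9),
           make_response(3, OPCODE_UPDATE, 9)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify_response(m))
```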
