<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body text="#000000" bgcolor="#FFFFFF">...<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:WBrown@e1b.org">WBrown@e1b.org</a> wrote:
<blockquote
cite="mid:OF4B8FA96C.5F66055F-ON85257B26.00605669-85257B26.0060B5F4@e1b.org"
type="cite">
<pre wrap="">I mistakenly wrote on 03/06/2013 11:36:20 AM:
</pre>
<blockquote type="cite"><pre wrap="">Given that no properly configured server should be querying this
</pre></blockquote>
<pre wrap=""><!---->recursive
</pre>
<blockquote type="cite"><pre wrap="">name server for isc.org,
</pre></blockquote>
<pre wrap=""><!---->
I meant to describe it as an authoritative server. Duh. I'm having one of
those days....
Sorry for the confusion.
So to rephrase the question...
Is there any reason why recursive queries to an authoritative server that
would normally get a REFUSED reply shouldn't be dropped instead of getting
an answer?
Maybe now that I've had lunch the brain will work better.</pre>
</blockquote>
<pre wrap="">
</pre>
if the authority server in question is configured to be a primary or
secondary server for a zone which is at or above the qname, then the
correct answer is either authoritative-positive, authoritative-negative,
or servfail. servfail is if the zone data source is unavailable, such
as a missing primary zone file or an expired secondary zone cache file.<br>
<br>
if said authoritity server is not configured to be a primary or
secondary for any zone at or above the qname, then the proper response
is refused. (not an upward delegation as a i once had it in bind8 -- my
apologies to all.)<br>
<br>
the reason for these differences is to help in diagnostics.<br>
<br>
recursive servers should behave reasonably, which at a minimum means,
not repeating the same query immediately. this can be done with a
hold-down timer or a negative cache, at the whim of the implementor.<br>
<br>
since many recursive servers and many spoofed-source ddos attackers
repeat the query immediately, i'm in agreement that RRL should have a
threshold for "refused".<br>
<br>
paul<br>
</body></html>