Re: [DNSOP] Clarifying referrals (#35)

Paul Vixie <> Wed, 15 November 2017 03:42 UTC


Dave Lawrence wrote:
> Evan Hunt writes:
>> Okay. I haven't encountered a resolver that propagates REFUSED from the
>> authority to the stub.  If there is such a beast, then IMHO that, not the
>> authority, is the one that's mis-using REFUSED; REFUSED only makes sense on
>> a hop-by-hop basis.

i'll stop arguing about it.

> Very much agree.  I'd be surprised to see REFUSED from a resolver.

i think you'd be within your rights as a stub to treat REFUSED as your 
lack of permission to use that recursive, and not an end-to-end signal. 
this bolsters evan's observation of its ambiguity.

> Now on the other hand, using extended-error for signalling from a
> resolver that the known authorities all returned REFUSED, that's
> interesting and can be made unambiguous as a code apart from the
> currently proposed extended-error 4, "Prohibited".

for each code we have to be explicit about what we expect the initiator 
to do in response.

the reason i use SERVFAIL for NOTAUTH is because what i want the 
initiator to do when i'm configured as primary but can't read my zone 
file, or am configured as secondary but can't write my zone file, is the 
same as what i want when i'm not configured for the zone: cache this 
failure under a hold-down timer so as not to melt the tubez, but do try 
again later in case i'm merely late to change my config, or flubbed my 
config in some way.

i think the need for a hold-down timer on cached SERVFAIL may be 
catching a number of you by surprise. but really, what we want for 
NOTAUTH, we already have to have for SERVFAIL.

administrative denial is something else.

P Vixie
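
The hold-down behaviour described in the message above, sketched as an added example that is not part of the original message or of any resolver's code. `HoldDownCache`, `resolve` and the `send_query` transport callable are hypothetical names; the five-minute ceiling and the per-query-tuple key follow RFC 2308 section 7.1.

```python
import time

NOERROR, SERVFAIL = 0, 2          # DNS RCODE values (RFC 1035)
MAX_HOLD_DOWN = 300               # RFC 2308 sec. 7.1: never longer than 5 minutes


class HoldDownCache:
    """Remembers recent SERVFAILs per (qname, qtype, qclass, server)."""

    def __init__(self, hold_down=30, clock=time.monotonic):
        self.hold_down = min(hold_down, MAX_HOLD_DOWN)
        self.clock = clock        # injectable so the timer can be tested
        self._until = {}          # query tuple -> time the hold-down ends

    def held(self, key):
        expiry = self._until.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._until[key]  # hold-down over: allow a fresh attempt
            return False
        return True

    def record_failure(self, key):
        self._until[key] = self.clock() + self.hold_down

    def clear(self, key):
        self._until.pop(key, None)


def resolve(cache, send_query, qname, qtype, server, qclass="IN"):
    """Return (rcode, asked_upstream).

    send_query is an assumed callable (qname, qtype, qclass, server) -> rcode.
    """
    key = (qname.lower().rstrip("."), qtype, qclass, server)
    if cache.held(key):
        return SERVFAIL, False    # answered from the failure cache, no traffic
    rcode = send_query(qname, qtype, qclass, server)
    if rcode == SERVFAIL:
        cache.record_failure(key) # hold down, but try again once it expires
    else:
        cache.clear(key)
    return rcode, True
```

Because the key includes the server address, a failure at one authority does not suppress queries to the zone's other servers.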