Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

"John Levine" <> Mon, 28 December 2015 04:33 UTC

Message-ID: <20151228043329.48353.qmail@ary.lan>

>> Unless, of course, the target doesn't like you and refuses your
>> queries for policy reasons.
>Note that I said "unconditionally refusing all NS queries". Conditionally
>refusing queries based on query source behaviour is off-topic.

Perhaps the target doesn't like anyone.  Here's the entire discussion
of "refused" from RFC 1034, for the benefit of people who haven't read
it lately:

                5               Refused - The name server refuses to
                                perform the specified operation for
                                policy reasons.  For example, a name
                                server may not wish to provide the
                                information to the particular requester,
                                or a name server may not wish to perform
                                a particular operation (e.g., zone
                                transfer) for particular data.

(It really is the entire discussion, the word "refused" appears
nowhere else.)

>The section in question of the draft under discussion talks about the
>specific case where a load balancer is returning REFUSED because it
>did not implement NS queries, ...

We know what the draft says.  That case sure sounds to me like it does
"not wish to perform a particular operation for particular data",
where the operation is a query and the data is NS records.  Yeah, it's
generally a bad idea, but so what?

If anyone thinks this isn't a valid use of refused, a citation to the
RFC that updates this part of RFC 1035 would be a good place to start.
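The load-balancer case discussed in this thread (an authoritative server answering REFUSED to NS queries while a qname-minimising resolver walks the name one label at a time), as an added simulation that is not code from the thread or from the draft: the server class, its zone data and the addresses are constructed, and the fallback-to-full-query behaviour is one way a resolver can handle REFUSED, not a prescription from the page.

```python
# Added simulation (not code from the thread or the draft): a qname-minimising
# resolver talking to an authoritative server that answers REFUSED to NS queries.
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5   # RCODE values from RFC 1035 section 4.1.1


class RefusingLoadBalancer:
    """Constructed stand-in for the load balancer in the draft text: it serves
    address records but refuses any NS query for policy reasons (RCODE 5)."""

    def __init__(self, zone, refuse_ns=True):
        self.zone = zone            # constructed {owner name: address} data
        self.refuse_ns = refuse_ns
        self.log = []               # (qname, qtype) pairs sent to this server

    def query(self, qname, qtype):
        self.log.append((qname, qtype))
        if qtype == "NS":
            return (REFUSED, None) if self.refuse_ns else (NOERROR, None)
        addr = self.zone.get(qname)
        return (NOERROR, addr) if addr else (NXDOMAIN, None)


def minimised_resolve(server, qname, qtype, apex):
    """Resolve qname/qtype below `apex` one label at a time, sending NS queries
    for progressively longer names. A REFUSED answer to one of those NS queries
    is treated as 'this server does not do NS queries' and the resolver falls
    back to sending the full original query instead of failing the lookup."""
    if qname != apex and not qname.endswith("." + apex):
        raise ValueError(f"{qname} is not below {apex}")
    relative = qname[: -(len(apex) + 1)].split(".") if qname != apex else []
    name = apex
    for label in reversed(relative):          # add one label per round trip
        name = f"{label}.{name}"
        rcode, _ = server.query(name, "NS")
        if rcode == REFUSED:
            return server.query(qname, qtype)  # fallback: ask the full question
        if rcode == NXDOMAIN:
            return NXDOMAIN, None             # intermediate name does not exist
    return server.query(qname, qtype)          # minimisation reached the leaf


if __name__ == "__main__":
    lb = RefusingLoadBalancer({"www.example.com": "192.0.2.10"})
    print(minimised_resolve(lb, "www.example.com", "A", "example.com"), lb.log)
```

Inspecting `server.log` after a run shows the extra NS round trips the minimising resolver makes against a cooperative server, and the single fallback query it makes against one that refuses.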