Re: [DNSOP] Clarifying referrals (#35)

Paul Vixie <> Tue, 14 November 2017 04:11 UTC

Date: Mon, 13 Nov 2017 20:11:37 -0800
From: Paul Vixie <>
To: Robert Edmonds <>

Robert Edmonds wrote:
> Paul Vixie wrote:
>> the implication of REFUSED is that if someone else asked this question, we
>> might be able to answer. so if BIND is doing what you say, it's wrong.
> In theory, any authoritative nameserver could secretly also be a
> resolver that will answer from cache if the right client sends it the
> same question. Does that make it OK, then?

no, because it can, should, and probably will have different responses 
and different reasons for those responses based on the query's RD value.

in this sense, we (i was at ISC when it happened) got 
"allow-query-cache" almost precisely wrong. with what confusion, you can 
now witness.

> The REFUSED RCODE is documented as:
>      Refused - The name server refuses to perform the specified operation
>      for policy reasons.  For example, a name server may not wish to
>      provide the information to the particular requester, or a name
>      server may not wish to perform a particular operation (e.g., zone
>      transfer) for particular data.
> In this case the server's policy would be that it doesn't perform a
> particular operation (i.e., QUERY) for particular data (i.e., data that
> it's not authoritative for).

if the reason were due to something about the specified operation such 
as the RD bit (like, it's 1 when it has to be 0) then i'd follow your 
reasoning here.

> Where does the implication that REFUSED is only appropriate if the
> server might be able to answer if "someone else" asks the question come
> from?

first, the example, "provide the information to the particular 
requester". as in, some other requester might get a non-REFUSED answer.

second, the example, "zone transfer". when i added my very first BIND4 
feature it was "allow-xfer" and i did indeed return REFUSED when asked 
by someone who wasn't allowed. this also happens on TSIG failures today.

third, the differences and distinctions in initiator behaviour. there is 
no difference in desired or expected initiator behaviour between "i am 
out of disk space and can't write a secondary zone file, so while i am 
configured to be a secondary server for this zone, i can't do it", vs. 
"i am configured to be a primary server for this zone but there is no 
zone file so i can't do it", vs. "i am not configured to be a server for 
this zone and either RA=0 or RD=0 or both".

in all three cases, we want the initiator to cache our inability to 
satisfy it so as not to melt the tubez with repeated (doomed) requests, 
try other name servers (but not other addresses for this name server), 
and retry here later (after, say, ten minutes) in case the situation 
improves. the only hoped-for reason i can imagine for sending SERVFAIL 
in the first two cases and REFUSED in the last case is to control the 
logging on the initiator -- expecting the sysadmin to behave differently 
when cleaning up the resulting mess.

using REFUSED vs. SERVFAIL in this case is a distinction without a 
difference, and a costly one, because REFUSED actually has a different 
intended reaction in the initiator than SERVFAIL. but i've covered that 
in the archives (several times) and won't repeat it again here.

P Vixie
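The initiator behaviour described in the message above, as an added example that is not part of the original post or of any BIND code: a resolver-side sketch that reads the RCODE out of a raw DNS header, treats SERVFAIL and REFUSED from an authoritative server as the same "this server cannot help with this question right now" signal, remembers the failure per server name (so the server's other addresses are not retried), moves on to the zone's other name servers, and lets the failed server be retried after about ten minutes. The server names, the 600-second retry interval, and the header-only sample packets are constructed assumptions for illustration; the header layout and RCODE values follow RFC 1035 section 4.1.1.

```python
"""Initiator handling of REFUSED vs. SERVFAIL from an authoritative server.

Added example, not from the mailing-list post. The server names, the retry
interval and the sample responses below are constructed for illustration.
"""
import struct
import time

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_REFUSED = 5
RETRY_AFTER = 600.0  # seconds; "after, say, ten minutes" (assumed fixed value)


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 4.1.1).

    Flags word: QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", response[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


class FailureCache:
    """Negative memory keyed by server *name*, not address: a failure from one
    address of a server also rules out its other addresses until expiry."""

    def __init__(self, ttl: float = RETRY_AFTER):
        self.ttl = ttl
        self._expiry = {}  # (server_name, qname, qtype) -> time we may retry

    def remember(self, server: str, qname: str, qtype: int, now: float) -> None:
        self._expiry[(server, qname.lower(), qtype)] = now + self.ttl

    def doomed(self, server: str, qname: str, qtype: int, now: float) -> bool:
        exp = self._expiry.get((server, qname.lower(), qtype))
        return exp is not None and now < exp


def classify(response: bytes) -> str:
    """Initiator reaction. SERVFAIL and REFUSED get the identical reaction
    ("try-next"); the difference is only what gets logged. Anything else,
    including NXDOMAIN, is an answer to accept and cache normally."""
    rcode = parse_header(response)["rcode"]
    if rcode in (RCODE_SERVFAIL, RCODE_REFUSED):
        return "try-next"
    return "accept"


def next_server(cache: FailureCache, servers: dict, qname: str, qtype: int, now: float):
    """servers: ordered mapping name -> list of addresses. Return the first
    server without a cached failure together with all its addresses, or None."""
    for name, addrs in servers.items():
        if not cache.doomed(name, qname, qtype, now):
            return name, list(addrs)
    return None


def walk_servers(cache, servers, qname, qtype, responses_by_server, now):
    """Ask the zone's servers in order, honouring the failure cache.
    responses_by_server stands in for the network (constructed input).
    Returns (server that answered or None, list of servers tried)."""
    tried = []
    while True:
        pick = next_server(cache, servers, qname, qtype, now)
        if pick is None:
            return None, tried
        name, _addrs = pick
        tried.append(name)
        if classify(responses_by_server[name]) == "accept":
            return name, tried
        cache.remember(name, qname, qtype, now)  # covers every address of `name`


def build_response(ident: int, flags: int) -> bytes:
    """Header-only response (no question/answer sections); enough to carry an RCODE."""
    return struct.pack("!6H", ident, flags, 0, 0, 0, 0)


# Constructed sample responses.
SERVFAIL_RESPONSE = build_response(0x1234, 0x8000 | 0x0100 | 0x0080 | RCODE_SERVFAIL)  # QR RD RA, rcode 2
REFUSED_RESPONSE = build_response(0x1234, 0x8000 | 0x0100 | RCODE_REFUSED)            # QR RD, RA=0, rcode 5
NOERROR_RESPONSE = build_response(0x1234, 0x8000 | 0x0400 | RCODE_NOERROR)            # QR AA, rcode 0

if __name__ == "__main__":
    servers = {"ns1.example": ["192.0.2.1", "2001:db8::1"], "ns2.example": ["192.0.2.2"]}
    fake_net = {"ns1.example": REFUSED_RESPONSE, "ns2.example": NOERROR_RESPONSE}
    cache = FailureCache()
    t0 = time.time()
    print(walk_servers(cache, servers, "www.example", 1, fake_net, t0))
    print(next_server(cache, servers, "www.example", 1, t0 + 1))            # ns1 skipped
    print(next_server(cache, servers, "www.example", 1, t0 + RETRY_AFTER + 1))  # ns1 eligible again
```

The cache key deliberately omits the address: when ns1.example returns REFUSED or SERVFAIL over IPv4, its IPv6 address is not tried either, which is the "other name servers, but not other addresses for this name server" rule from the post.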