Re: [DNSOP] Clarifying referrals (#35)

Paul Vixie <> Mon, 13 November 2017 19:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 79D30129B06 for <>; Mon, 13 Nov 2017 11:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9tdJqS3bqMjw for <>; Mon, 13 Nov 2017 11:28:45 -0800 (PST)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 35353120721 for <>; Mon, 13 Nov 2017 11:28:45 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc] (unknown [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 2A08361FA2; Mon, 13 Nov 2017 19:28:44 +0000 (UTC)
Message-ID: <>
Date: Mon, 13 Nov 2017 11:28:43 -0800
From: Paul Vixie <>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Matthew Pounsett <>
CC:, "" <>, Andrew Sullivan <>
References: <> <> <> <> <> <> <> <20171113085235.2fddd72a@p50.localdomain> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Nov 2017 19:28:46 -0000

Matthew Pounsett wrote:
> On 13 November 2017 at 10:55, Paul Vixie <
> <>> wrote:
> > why is this nor a broken configuration?
> It's my understanding that SERVFAIL indicates that the server sending
> the RCODE–or in the case of a recursive response, the upstream
> authoritative server–has a broken configuration.  I don't believe
> SERVFAIL indicates "you followed a lame delegation."  As far as I'm
> aware, we don't have a clearly defined signal for that, which is why
> many implementations chose to use REFUSED in that case.

someone asking you an RD=0 question about a zone you're not 
authoritative for indicates a misconfiguration somewhere. this is what 
SERVFAIL is for, because at the signalling level, it tells the client 
that no possible query about that name can succeed, and it ought to stop 
sending questions like that to this server. it's no different in 
principle from "i'm out of disk space, so i can't fetch the zone, so 
even though i'm supposed to be a secondary, i can't do it right now."

> >
> I haven't got the time this morning to search release notes, but I'm
> fairly sure that in 2012, when you wrote that article, current versions
> of BIND were already handing out REFUSED to indicate "I'm not
> authoritative for that."  At the very least it began doing that not long
> after.

the implication of REFUSED is that if someone else asked this question, 
we might be able to answer. so if BIND is doing what you say, it's wrong.

> ... If that were a problem, given BIND's market share, we should be
> seeing widespread brokenness, but I don't think we are–none that's
> making it from my support department to me or to our hostmaster@
> accounts, at any rate.

yikes! you remind me of the guy who said on nanog a few years back that 
since he wasn't seeing spoofed-source ddos attacks any more, we should 
all stop worrying about them.

your lived experience can be cause for concern, but never for complacency.

P Vixie