Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Paul Vixie, Thu, 01 February 2018 17:11 UTC

Tony Finch wrote:
> Paul Vixie wrote:
>> Ray Bellis wrote:
>>> Won't that cause the resolver to cycle through every root server letter
>>> hoping for one that doesn't give that answer?
>> yes. that's what REFUSED is taken to mean, and also, why we never use it for
>> data-dependent conditions. only the initiator's identity matters in the
>> consideration of whether to transmit REFUSED or not.
> That's not entirely true - if you are asking an authoritative-only server
> then you get REFUSED or not depending on whether the QNAME is in an
> authoritative zone.

that's what this group has reached consensus on in recent months, yes. 
to me that's a servfail condition, because the initiator may have better 
knowledge than the server operator. i can re-quote the scriptures on 
this point if my non-participation in the recent consensus seems 

servfail and refused are equivalent in one sense: the proper reaction to 
either is to remove that server from consideration for that query (retry 
won't help), and to perhaps keep it out of consideration for similar 
queries (same apparent bailiwick) for some holddown period.

P Vixie
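
A minimal model of the resolver-side reaction described in the message above, added here as an illustration; it is not code from the thread or from any resolver implementation. The class name, the `send` callback, the 30-second holddown and the `.test` server names are assumptions; the RCODE numbers are the standard DNS values.

```python
import time

# Standard DNS RCODE values.
NOERROR, SERVFAIL, REFUSED = 0, 2, 5

class ServerSelector:
    """Tracks which servers are eligible for queries in a given bailiwick."""

    def __init__(self, holddown=30.0, clock=time.monotonic):
        self.holddown = holddown      # seconds; assumed value, not from the thread
        self.clock = clock            # injectable so the holddown can be tested
        self.held = {}                # (server, bailiwick) -> time it becomes eligible

    def candidates(self, servers, bailiwick):
        """Servers not currently held down for this bailiwick, in order."""
        now = self.clock()
        return [s for s in servers if self.held.get((s, bailiwick), 0.0) <= now]

    def resolve(self, qname, bailiwick, servers, send):
        """Ask each eligible server at most once; send(server, qname) -> rcode.

        SERVFAIL and REFUSED are treated alike: no retry against that server
        for this query, and a holddown for the same bailiwick.
        Returns (answering_server_or_None, rcode, servers_tried).
        """
        tried = []
        for server in self.candidates(servers, bailiwick):
            rcode = send(server, qname)
            tried.append(server)
            if rcode in (SERVFAIL, REFUSED):
                self.held[(server, bailiwick)] = self.clock() + self.holddown
                continue
            return server, rcode, tried
        return None, SERVFAIL, tried  # every eligible server was exhausted

if __name__ == "__main__":
    # Constructed scenario: every server refuses based on the QNAME, so the
    # resolver walks the whole set once, then sends nothing during holddown.
    letters = [f"{c}.root.test" for c in "abcdefghijklm"]
    sel = ServerSelector()
    refuse = lambda server, qname: REFUSED
    print(sel.resolve("localhost.", ".", letters, refuse)[2])  # all 13 tried
    print(sel.resolve("localhost.", ".", letters, refuse)[2])  # none tried
```

The constructed scenario shows both halves of the exchange: a name-dependent REFUSED costs one query per server in the set, and the holddown then takes every one of those servers out of consideration for the whole bailiwick.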