Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

Tony Finch <> Thu, 06 April 2017 11:36 UTC

Date: Thu, 06 Apr 2017 12:35:55 +0100
From: Tony Finch <>
To: Bjørn Mork <>

Bjørn Mork <> wrote:
> Recently I noticed a side effect of this configuration which I consider
> unwanted and unexpected: It changes how BIND replies to requests without
> the RD bit set. BIND will normally answer such requests with a "best
> possible redirection", using any matching NS set it has in its cache.
> Which often will be the root NS.  But using the RFC7706 example config,
> BIND will REFUSE all requests without RD set.

I agree this behaviour is unhelpful and weird. It seems to come from the
following bit of the source, though the comment doesn't help very much to
explain the whys or wherefores.
;a=blob;f=bin/named/query.c;h=0cfdf9288fb16a8f991e7a31f3248118add691d5;hb=HEAD#l1040

	/*
	 * Non recursive query to a static-stub zone is prohibited; its
	 * zone content is not public data, but a part of local configuration
	 * and should not be disclosed.
	 */
	if (dns_zone_gettype(zone) == dns_zone_staticstub &&
	    !RECURSIONOK(client)) {
		return (DNS_R_REFUSED);
	}

You might be able to work around the problem by adding a
match-recursion-only option to the recursive view, and adding a
non-recursive view that has allow-query-cache, and use attach-cache
so all views share the same cache. I have not tried this :-)

f.anthony.n.finch  <>  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Westerly 5 to 7,
occasionally gale 8 at first in Viking and South Utsire, veering northwesterly
5 or 6. Rough, becoming moderate later. Occasional drizzle, fog patches
developing. Moderate, occasionally very poor.
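The three-view layout sketched above, written out as an added named.conf example; it is not configuration from this thread, from RFC 7706 or from ISC, and it is as untested as the suggestion itself (whether it actually stops the REFUSED is an assumption). The BIND option is spelled match-recursive-only; 127.12.12.12 as a loopback address the server listens on, the localnets ACL and the master address are assumptions.

```conf
# Added example, not from the thread or from ISC. Untested.
options {
    listen-on { 127.0.0.1; 127.12.12.12; };   # assumption: 127.12.12.12 is on lo
};

# RFC 7706 style local copy of the root zone, reachable only on 127.12.12.12.
view "root" {
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters { 192.0.2.1; };   # constructed placeholder; use the RFC 7706 list
    };
};

# First view for everything else: only queries with RD set match it, so the
# static-stub root zone never sees a non-recursive query and the
# DNS_R_REFUSED branch in query.c is not reached.
view "recursive" {
    match-recursive-only yes;
    recursion yes;
    allow-query-cache { localnets; };   # assumption: local clients
    attach-cache "shared";              # same cache as the view below
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

# Catch-all for queries without RD: no static-stub zone, so BIND falls back
# to its usual behaviour of answering or referring from the shared cache.
view "nonrecursive" {
    recursion no;
    allow-query-cache { localnets; };
    attach-cache "shared";
};
```

attach-cache only works when the cache-related options (max-cache-size, max-cache-ttl, max-ncache-ttl, dnssec-validation and friends) are identical in both views, so keep them at their defaults or set them identically in each.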