caching-only name server not caching or name serving
michael at kjorling.com
Sat Jun 22 20:31:36 UTC 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Jun 22 2002 15:13 -0500, Treptow, Craig wrote:
> I'm not sure if a denied query will give a "SERVFAIL" though.
That depends. There are two very different scenarios we have to
(1) You are asking a recursive server, which gets to the point where
all available servers refuse the queries it makes
(2) You are asking one server in particular, which refuse the query
In (1), it would be sensible to return SERVFAIL in response to the
original client's query - the server is clearly unable to answer the
question asked, and the information available is probably of little
In (2), the reasonable response to get is REFUSED, since that is
exactly what the error condition is - the client was not authorized to
ask the question, and it was refused. Note that in case (1), "client"
here refers to the recursive, possibly caching name server.
I have not read the DNS RFCs but believe that this would be codified
in them. That is, what conditions solicit what responses to the
original querying client during recursive resolution.
I really don't think most people need to limit *queries* - limiting
recursion should be enough for most.
Michael Kjörling -- Programmer/Network administrator ^..^
Internet: michael at kjorling.com -- FidoNet: 2:204/254.4 \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Public key is at http://michael.kjorling.com/contact/pgp.html
-----END PGP SIGNATURE-----
More information about the bind-users