Unexpected "REFUSED" response.

Neil W Rickert rickert+nn at cs.niu.edu
Sun May 16 17:15:18 UTC 2004


Queries are restricted to campus-access, except for domains for which
the server is authoritative.  The server is running bind-9.2.3.

The domain is NIU.EDU.

Its configuration for this domain:

	zone "niu.edu" in {
		type slave ;
		file "cache/niu.DOM" ;
		masters { 131.156.1.11 ; } ;
		allow-query { any ; } ;
	} ;

A query from off-campus resulted in the unexpected:

; <<>> DiG 9.2.3 <<>> @mp.cs.niu.edu max.niu.edu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65093
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;max.niu.edu.                   IN      A

If I repeat the query, but with "+norec" on the command line (to
turn off recursion), I get:

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30026
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;max.niu.edu.                   IN      A

;; ANSWER SECTION:
max.niu.edu.            86400   IN      CNAME   max.forlangs.net.

When the query is made from on-campus, the result is

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;max.niu.edu.                   IN      A

;; ANSWER SECTION:
max.niu.edu.            86400   IN      CNAME   max.forlangs.net.

;; AUTHORITY SECTION:
forlangs.net.           10800   IN      SOA     wolf.niu.edu. root.wolf.niu.edu. 40 7200 3600 604800 86400

The response to the initial query seems wrong to me.  I am posting
here (via the usenet gateway) rather than the bugs address, because I
am not quite sure whether it is a bug.

I would have expected the answer to be the same as for the second
query, but with the "recursion denied" flag set.  The fact that there
is a negative response in cache for the CNAME destination should not,
in my opinion, have the effect of causing a REFUSED response to the
original lookup.

I'm interested in any comments.  Preferably send comments to the
mailing list, where I will read them via usenet.

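Added example, not part of the original post: a small Python check that sends the same question with the RD bit set and cleared (the dig default versus "+norec") and reports when only the RD query is refused, which is the pattern shown above. The function names and result labels are hypothetical, and the three sample headers are constructed from the ids, flags and counts in the dig output in the post.

```python
import secrets, socket, struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080)]

def build_query(name, qid, recurse=True, qtype=1):
    """Encode a one-question query for class IN; recurse=False matches dig +norec."""
    header = struct.pack("!6H", qid, 0x0100 if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def decode_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    qid, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [n for n, bit in FLAG_BITS if flags & bit],
            "answer": an, "authority": ns}

def classify(with_rd, without_rd):
    """Compare two decoded responses to the same question (RD set, RD clear)."""
    if (with_rd["status"] == "REFUSED" and without_rd["status"] == "NOERROR"
            and "aa" in without_rd["flags"] and without_rd["answer"] > 0):
        return "refused-only-with-rd"   # authoritative data exists but RD query is refused
    return "consistent" if with_rd["status"] == without_rd["status"] else "differs"

def probe(server, name, timeout=3.0):
    """Live check over UDP (needs network access to the server under test)."""
    results = []
    for recurse in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, secrets.randbits(16), recurse), (server, 53))
            results.append(decode_header(s.recv(512)))
    return classify(*results)

# Constructed sample headers mirroring the three dig outputs in the post.
OFFCAMPUS_RD = struct.pack("!6H", 65093, 0x8105, 1, 0, 0, 0)     # qr rd, REFUSED
OFFCAMPUS_NOREC = struct.pack("!6H", 30026, 0x8400, 1, 1, 0, 0)  # qr aa, NOERROR
ONCAMPUS_RD = struct.pack("!6H", 18977, 0x8583, 1, 1, 1, 0)      # qr aa rd ra, NXDOMAIN
```

Run `probe(server, name)` from an address outside the recursion ACL against a name in a zone the server is authoritative for; the offline samples can be fed to `decode_header` and `classify` directly.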


