Is there any method/config to pass through rcode refused
Anand Buddhdev
anandb at ripe.net
Tue Jul 1 08:30:47 UTC 2025
On 01/07/2025 10:05, Neil Nie (NSB) wrote:
Hi Neil,
> I found that bind9 (as forwarder) always overwrites rcode refused to
> rcode servfail. For one use-case, the dns client wants to get original
> rcode (like refused). Please advise if there is any config or method to
> achieve that.
A resolver tries to resolve a query on behalf of its client. The
resolver may face any number of problems in trying to get the answer. An
upstream authoritative server could return REFUSED (meaning, it doesn't
have the zone configured). The upstream authoritative server could just
fail to respond, resulting in a timeout. Or there could be DNSSEC
validation failures. After the resolver has tried everything it can to
resolve a query, the only sane thing it can return to the client is
SERVFAIL, meaning "I tried everything to resolve your query, but was
unable to". It cannot return REFUSED, because REFUSED from a resolver to
a client means something else, i.e. "I refuse to resolve this query for you".
Regards,
Anand
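
The distinction drawn in the reply above, as an added example that is not part of the original message and not BIND's code: a simplified Python model of how a resolver chooses the rcode it sends to its client. The names header, rcode_of, answer_client and BOGUS are hypothetical, and the sample responses are constructed.

```python
import struct

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
BOGUS = object()  # hypothetical marker: reply failed DNSSEC validation

def header(rcode, qid=0x1234):
    """Constructed 12-byte DNS response header: QR=1, RA=1, given RCODE."""
    return struct.pack("!6H", qid, 0x8080 | rcode, 1, 0, 0, 0)

def rcode_of(msg):
    """RCODE is the low 4 bits of the 16-bit flags word at offset 2."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return RCODE.get(struct.unpack("!H", msg[2:4])[0] & 0xF, "OTHER")

def answer_client(client_allowed, outcomes):
    """Return (rcode sent to the client, per-upstream failure reasons).

    outcomes: one entry per upstream tried, either response bytes,
    None for a timeout, or BOGUS for a DNSSEC validation failure.
    """
    if not client_allowed:
        # The resolver's own policy decision: the only case for REFUSED.
        return "REFUSED", ["client not permitted to use this resolver"]
    reasons = []
    for i, out in enumerate(outcomes):
        if out is None:
            reasons.append(f"upstream {i}: timeout")
        elif out is BOGUS:
            reasons.append(f"upstream {i}: DNSSEC validation failed")
        else:
            rc = rcode_of(out)
            if rc in ("NOERROR", "NXDOMAIN"):
                return rc, reasons  # definitive answer, passed through
            reasons.append(f"upstream {i}: {rc}")
    # Every attempt failed, for whatever mix of reasons: one generic rcode.
    return "SERVFAIL", reasons

if __name__ == "__main__":
    tried = [header(5), None, BOGUS]  # REFUSED, timeout, bogus
    print(answer_client(True, tried))
    print(answer_client(False, tried))
    print(answer_client(True, [header(5), header(3)]))
```
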