[bind10-dev] SERVFAIL vs REFUSED in case of 'no such zone'

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Mon Dec 6 06:41:07 UTC 2010


b10-auth currently returns a REFUSED error if it cannot find an
authoritative zone in its data sources.  According to a follow-up
comment to a trac ticket (http://bind10.isc.org/ticket/415#comment:4),
the intent seems to be compatible with BIND 9's (typical) behavior.

In the case of BIND 9, the REFUSED means the client is not allowed to
use the cache, not the direct result of failing to find an
authoritative zone.  In fact, if we configure BIND 9 to allow using
the cache but with a bogus root hint, we'll see a SERVFAIL response.

Since b10-auth is not supposed to do recursion or have a cache,
returning SERVFAIL seems to me a more sensible response.  I'm not sure
if providing BIND 9 compatibility is crucial here, but some other
authoritative server implementations that are not so minor return
SERVFAIL; I suspect there's no impact on recursive servers in
practice.

I'm okay with keeping the compatibility if others want that,
however (in that case we should clearly document why we do so, because
the response itself may be counterintuitive).

Opinions?

p.s. there was a thread about this exact topic at the IETF
namedroppers ML:
http://www.ietf.org/mail-archive/web/namedroppers/current/msg07483.html
There doesn't seem to be any consensus at that time.

---
JINMEI, Tatuya
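
To make the two candidate responses concrete, the following is an added example (not part of the original post and not b10-auth code): it builds the reply a non-recursive server would send for a query with no matching zone, once with REFUSED and once with SERVFAIL, and decodes the headers. The helper names and the query for example.org are constructed for illustration.

```python
import struct

# RCODE values from RFC 1035, section 4.1.1
SERVFAIL, REFUSED = 2, 5
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qid, name, qtype=1, rd=False):
    """Build a one-question query (class IN); constructed sample input."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def no_zone_response(query, rcode):
    """Model the reply of an authoritative-only server with no matching zone.

    QR=1, opcode and RD copied from the query, AA=0 (not authoritative),
    RA=0 (no recursion offered), question echoed, no records.
    """
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x7800) | (qflags & 0x0100) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields relevant here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "ancount": an,
    }

if __name__ == "__main__":
    query = build_query(0x1234, "example.org")  # constructed query
    for code in (REFUSED, SERVFAIL):
        print(parse_header(no_zone_response(query, code)))
```

The two replies are identical except for the 4-bit RCODE field; in both, AA and RA are clear and the answer section is empty.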


