[bind10-dev] SERVFAIL vs REFUSED in case of 'no such zone'

Tony Finch dot at dotat.at
Tue Dec 7 10:55:18 UTC 2010


On Tue, 7 Dec 2010, JINMEI Tatuya / 神明達哉 wrote:
> At Mon, 6 Dec 2010 11:41:42 +0000,
> Tony Finch <dot at dotat.at> wrote:
>
> > > Opinions?
> >
> > I think it would be best to return REFUSED if the server is not configured
> > to be authoritative for the zone, and SERVFAIL if it is configured to be
> > authoritative but the configuration is broken (e.g. if a slaved zone
> > expired).
>
> May I ask you why?

That matches the definition of the response codes the best. (More precise
codes would be nice but we have to work with what we have got.)

If a zone is broken for some reason then I think it is obvious that
SERVFAIL is the right reply.

If a zone is not configured on the server then the traditional response is
a referral to the root. The current preferred policy is not to answer
these queries, which matches REFUSED best. The misdirected query is not a
problem with the server (it's a problem with the client or a misconfigured
zone elsewhere) so it doesn't match SERVFAIL.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.


More information about the bind10-dev mailing list