[bind10-dev] SERVFAIL vs REFUSED in case of 'no such zone'

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Tue Dec 7 13:06:39 UTC 2010 

At Tue, 7 Dec 2010 10:55:18 +0000,
Tony Finch <dot at dotat.at> wrote:

> > May I ask you why?
> 
> That matches the definition of the response codes the best. (More precise
> codes would be nice but we have to work with what we have got.)
> 
> If a zone is broken for some reason then I think it is obvious that
> SERVFAIL is the right reply.
> 
> If a zone is not configured on the server then the traditional response is
> a referral to the root. The current preferred policy is not to answer
> these queries, which matches REFUSED best.

Hmm, in the case of BIND 9, what it internally does actually matches
the response code of REFUSED: If a BIND 9 server cannot find an
authoritative zone for a query name, it tries to use the cache, but
the today's typical configuration for an "authoritative-only" server
doesn't allow arbitrary clients to use the cache, it results in
REFUSED.

But in BIND 10, the authoritative server will be "pure authoritative",
that is, it doesn't have a cache, so there's actually nothing to
refuse.  In fact, even with BIND 9, if we allow using the cache but
configure the server with a bogus root hint (so nothing can actually
be cached), "no matching zone" will result in SERVFAIL.

> The misdirected query is not a
> problem with the server (it's a problem with the client or a misconfigured
> zone elsewhere) so it doesn't match SERVFAIL.

I suspect there are cases that can be considered a problem of the
responding server.  For example, you might type
zone "example.comm" { // which should actually be "example.com"
...
};
and keep running the server without noticing the initial warning
messages.

So, while there may be a case where REFUSED most matches the
situation, I don't think it's always the only feasible code.  And,
that will be more subtle when we consider a "pure authoritative"
server.

Again, if we prefer REFUSED for the compatibility with (the most
typical behavior of) BIND 9, I'm fine with that.  But if we want to
find the RCODE that best matches the situation for a pure
authoritative only server, I personally think SERVFAIL is a better
choice.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

More information about the bind10-dev mailing list