[bind10-dev] SERVFAIL vs REFUSED in case of 'no such zone'
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Tue Dec 7 14:03:01 UTC 2010
At Tue, 7 Dec 2010 14:32:57 +0100,
Peter Koch <pk at DENIC.DE> wrote:
> > Again, if we prefer REFUSED for the compatibility with (the most
> > typical behavior of) BIND 9, I'm fine with that. But if we want to
> > find the RCODE that best matches the situation for a pure
> > authoritative only server, I personally think SERVFAIL is a better
> > choice.
>
> FWIW, I tend to agree with Tony. First, not sending a response
> at all would be the worst option. Second, inventing a new RCODE or
> picking one that hasn't yet been used for this case (NotAuth), is likely
> to face deployment and backwards compatibility issues.
Right, I believe most if not all of us agree with these.
> On SERVFAIL vs REFUSED I understand the reasoning for BIND9 and why it
> doesn't apply similarly to BIND10. Looking at RFC 1035 might help here:
[...]
> Of course, neither code is the perfect match, since an expired zone
> isn't necessarily strictly a 'problem with the name server' and
> an unavailable zone isn't not served because of policy, but because
> data isn't available. Still, I'd see SERVFAIL for expired/not-yet-loaded
> zones and REFUSED for not configured ones.
Hmm...sounds like a matter of preference in the end:-) If many of us
prefer REFUSED for the no matching zone condition, I have no objection
to that.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
More information about the bind10-dev
mailing list