[bind10-dev] SERVFAIL vs REFUSED in case of 'no such zone'

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Tue Dec 7 14:03:01 UTC 2010


At Tue, 7 Dec 2010 14:32:57 +0100,
Peter Koch <pk at DENIC.DE> wrote:

> > Again, if we prefer REFUSED for the compatibility with (the most
> > typical behavior of) BIND 9, I'm fine with that.  But if we want to
> > find the RCODE that best matches the situation for a pure
> > authoritative only server, I personally think SERVFAIL is a better
> > choice.
> 
> FWIW, I tend to agree with Tony.  First, not sending a response
> at all would be the worst option. Second, inventing a new RCODE or
> picking one that hasn't yet been used for this case (NotAuth), is likely
> to face deployment and backwards compatibility issues.

Right, I believe most if not all of us agree with these.

> On SERVFAIL vs REFUSED I understand the reasoning for BIND9 and why it
> doesn't apply similarly to BIND10. Looking at RFC 1035 might help here:
[...]
> Of course, neither code is the perfect match, since an expired zone
> isn't necessarily strictly a 'problem with the name server' and
> an unavailable zone isn't not served because of policy, but because
> data isn't available.  Still, I'd see SERVFAIL for expired/not-yet-loaded
> zones and REFUSED for not configured ones.

Hmm...sounds like a matter of preference in the end:-)  If many of us
prefer REFUSED for the no matching zone condition, I have no objection
to that.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
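
The RCODE split proposed in the quoted text (SERVFAIL for expired or not-yet-loaded zones, REFUSED for zones that are not configured), written out as an added example that is not part of the original message and is not BIND 10 code. The zone names, `ZoneState` and the function names are constructed for illustration.

```python
# Added illustration, not BIND 10 code. Zone names and states are constructed.
from enum import Enum

NOERROR, SERVFAIL, REFUSED = 0, 2, 5    # RCODE values from RFC 1035


class ZoneState(Enum):
    LOADED = "loaded"
    NOT_YET_LOADED = "not-yet-loaded"
    EXPIRED = "expired"


def labels(name):
    """Split a domain name into lowercase labels; the root name gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def find_zone(qname, zones):
    """Return the longest configured zone that encloses qname, or None.

    Matching is done label by label, so 'notexample.org' does not fall
    under 'example.org' the way a plain string-suffix test would allow.
    """
    q = labels(qname)
    for i in range(len(q) + 1):         # strip leading labels one at a time
        candidate = ".".join(q[i:])
        if candidate in zones:
            return candidate
    return None


def rcode_for(qname, zones):
    """Choose the RCODE for a query arriving at an authoritative-only server."""
    zone = find_zone(qname, zones)
    if zone is None:
        return REFUSED                  # no configured zone matches
    if zones[zone] is not ZoneState.LOADED:
        return SERVFAIL                 # configured, but its data is unavailable
    return NOERROR                      # normal lookup follows (may still be NXDOMAIN)


# Constructed configuration: keys are lowercase zone names without trailing dot.
ZONES = {
    "example.org": ZoneState.LOADED,
    "sub.example.org": ZoneState.EXPIRED,
    "example.net": ZoneState.NOT_YET_LOADED,
}
```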


