Paul Vixie wrote:
> Matthew Pounsett wrote:
> > I haven't got the time this morning to search release notes, but I'm
> > fairly sure that in 2012, when you wrote that article, current versions
> > of BIND were already handing out REFUSED to indicate "I'm not
> > authoritative for that." At the very least it began doing that not long
> > after.
>
> the implication of REFUSED is that if someone else asked this question, we
> might be able to answer. so if BIND is doing what you say, it's wrong.
In theory, any authoritative nameserver could secretly also be a resolver that will answer from cache if the right client sends it the same question. Does that make it OK, then?

The REFUSED RCODE is documented as:

    Refused - The name server refuses to perform the specified operation
    for policy reasons. For example, a name server may not wish to provide
    the information to the particular requester, or a name server may not
    wish to perform a particular operation (e.g., zone transfer) for
    particular data.

In this case the server's policy would be that it doesn't perform a particular operation (i.e., QUERY) for particular data (i.e., data that it's not authoritative for).

Where does the implication that REFUSED is only appropriate if the server might be able to answer if "someone else" asks the question come from?

-- 
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
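As an added illustration of the policy Robert describes (not code from the thread or from BIND), the following constructed Python snippet parses the header and QNAME of a wire-format DNS query and builds the reply header: QUERY for a name inside one of the configured zones gets RCODE NOERROR with AA set, anything else gets RCODE REFUSED with AA clear. The zone list, the sample queries and the `build_query` helper are assumptions made for the example; only the header and question section are produced, not answer records.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5

def parse_qname(msg, offset=12):
    """Return (dotted name, offset past QNAME) for an uncompressed QNAME."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels) + ".", offset

def in_zone(name, zone):
    """True if name is the zone apex or lies below it (both absolute, lowercase)."""
    return name == zone or name.endswith("." + zone)

def respond(query, zones):
    """Build a reply for the query: REFUSED (AA clear) outside our zones,
    otherwise NOERROR with AA set. Only header + echoed question is built."""
    ident, flags, qdcount, _, _, _ = struct.unpack("!6H", query[:12])
    qname, _ = parse_qname(query)
    if any(in_zone(qname, z) for z in zones):
        rcode, aa = RCODE_NOERROR, 1   # would be answered from zone data
    else:
        rcode, aa = RCODE_REFUSED, 0   # policy: we do not serve this data
    opcode = (flags >> 11) & 0xF
    rd = (flags >> 8) & 1              # echo the client's RD bit
    # QR=1 (response), OPCODE copied, AA, RD copied, RCODE in low 4 bits
    rflags = (1 << 15) | (opcode << 11) | (aa << 10) | (rd << 8) | rcode
    return struct.pack("!6H", ident, rflags, qdcount, 0, 0, 0) + query[12:]

def rcode_of(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0xF

def aa_of(msg):
    return (struct.unpack("!H", msg[2:4])[0] >> 10) & 1

def build_query(ident, name, qtype=1):
    """Constructed sample query: RD set, one question, QCLASS IN, no EDNS."""
    wire = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)
```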