[nsd-users] REFUSED vs SERVFAIL

Lukas Wunner lukas at wunner.de
Mon Jan 20 14:04:04 UTC 2014


> To me, BIND and Knot's responses seem more logical. They distinguish
> between the cases where a zone has simply not been configured, versus
> the case where the zone has gone bad for some reason. With NSD, one
> can't tell. Is there a reason NSD returns SERVFAIL for unconfigured zones?

How do resolvers react to SERVFAIL versus REFUSED; is there a
difference in behaviour? Intuitively I would assume that upon
SERVFAIL a resolver would retry with another authoritative
nameserver for the zone in question. With REFUSED I'm not
so sure: do resolvers give up immediately or retry as well?

If resolvers give up immediately with REFUSED, then NSD's
behaviour would actually be very sensible. Imagine a scenario
where zone deployment to authoritative nameservers went awry,
e.g. one nameserver wasn't reachable when a new zone was deployed.
I'd much rather answer with SERVFAIL in such a scenario,
directing resolvers to the other authoritative nameservers.

I tried to look up in RFC 1035 how resolvers behave upon REFUSED,
but I find the language in section 7.2 to be somewhat ambiguous:

   - If a resolver gets a server error or other bizarre response
     from a name server, it should remove it from SLIST, and may
     wish to schedule an immediate transmission to the next
     candidate server address.

Kind regards,