[nsd-users] REFUSED vs SERVFAIL

Anand Buddhdev anandb at ripe.net
Mon Jan 20 15:07:42 UTC 2014

On 20/01/2014 15:27, Miek Gieben wrote:

>> How do resolvers react to SERVFAIL versus REFUSED, is there a
>> difference in behaviour? Intuitively I would assume that upon
>> SERVFAIL a resolver would retry with another authoritative
>> nameserver for the zone in question, with REFUSED I'm not
>> so sure, do resolvers give up immediately or retry as well?
> I think this difference is mostly important for monitoring tools.

Miek is right. As far as I know, well-written resolvers treat REFUSED
and SERVFAIL the same way, i.e. they move on to another server for the zone.

But monitoring tools get confused. Since we have so many zones
configured on our systems, we have scripts that query our name servers
for all the zones, and look at the response code to figure out what has
happened to a zone (did it fail to get provisioned, or has it expired?)
So the distinction of REFUSED vs SERVFAIL is important to us.
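
A sketch of the kind of per-zone check described above, as an added example that is not part of the original message and not RIPE NCC's script. It assumes REFUSED means the zone is not configured on the server and SERVFAIL means the zone is configured but cannot be served (for example, expired); the function names and the sample responses are constructed for illustration.

```python
import struct

QR, AA = 0x8000, 0x0400          # header flag bits: response, authoritative answer
NOERROR, SERVFAIL, REFUSED = 0, 2, 5

def build_soa_query(zone, qid=0x1234):
    """Build a non-recursive SOA query for `zone` in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)   # RD=0, QDCOUNT=1
    labels = [l for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)            # QTYPE=SOA, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & 0x000F, "ancount": an}

def zone_state(query, response):
    """Map a server's reply to a zone state (mapping is an assumption, see above)."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid"                 # not a reply to our query
    if r["rcode"] == REFUSED:
        return "not-provisioned"         # server does not know the zone
    if r["rcode"] == SERVFAIL:
        return "expired-or-unloadable"   # zone known, but cannot be served
    if r["rcode"] == NOERROR and r["aa"] and r["ancount"] > 0:
        return "ok"
    return "unexpected"                  # e.g. NOERROR without AA (lame answer)

def fake_response(query, flags, ancount=0):
    """Constructed sample reply: rewritten header plus the echoed question.
    Answer records are omitted because only the header is inspected."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_soa_query("example.org")   # constructed zone name
    samples = {"healthy": fake_response(q, QR | AA | NOERROR, 1),
               "refused": fake_response(q, QR | REFUSED),
               "servfail": fake_response(q, QR | SERVFAIL)}
    for name, resp in samples.items():
        print(f"{name:9s} -> {zone_state(q, resp)}")
```

In a real check the query bytes would be sent over UDP to each name server and the reply passed to zone_state(); a timeout needs its own state, since no response code is returned at all.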


