[nsd-users] REFUSED vs SERVFAIL
wouter at nlnetlabs.nl
Mon Jan 20 15:17:12 UTC 2014
On 01/20/2014 04:07 PM, Anand Buddhdev wrote:
> On 20/01/2014 15:27, Miek Gieben wrote:
>>> How do resolvers react to SERVFAIL versus REFUSED, is there a
>>> difference in behaviour? Intuitively I would assume that upon
>>> SERVFAIL a resolver would retry with another authoritative
>>> nameserver for the zone in question, with REFUSED I'm not so
>>> sure, do resolvers give up immediately or retry as well?
>> I think this difference is mostly important for monitoring
> Miek is right. As far as I know, well-written resolvers treat
> REFUSED and SERVFAIL the same way, i.e. they move on to another
> server for the zone.
> But monitoring tools get confused. Since we have so many zones
> configured on our systems, we have scripts that query our name
> servers for all the zones, and look at the response code to figure
> out what has happened to a zone (did it fail to get provisioned, or
> has it expired?) So the distinction of REFUSED vs SERVFAIL is
> important to us.
Our analysis at NLnet Labs agrees, we'll implement REFUSED for
out-of-zone queries (in future releases). The major implementations
behaving the same on the wire is good. We think for monitoring it may
be useful. We think for resolvers it makes little to no difference
(for unbound there is no difference, it becomes SERVFAIL to unbound's
clients if only out-of-zone servers exist).
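The per-zone monitoring check described in this thread, as an added example (not code from any poster or from NSD). It assumes the mapping the thread implies: REFUSED means the server has no such zone, SERVFAIL means the zone is configured but cannot be served (for instance, expired). The function names, state labels and sample packets are constructed for illustration.

```python
import struct

# RCODE values from RFC 1035
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, qid):
    """Build a non-recursive (RD=0) SOA query for `zone`."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response, qid):
    """Map a raw DNS response to a zone state (labels are hypothetical)."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "mismatch"
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 0 and aa and ancount > 0:
        return "serving"
    if rcode == 5:
        # Assumed mapping: REFUSED = zone not configured on this server
        return "not-provisioned"
    if rcode == 2:
        # Assumed mapping: SERVFAIL = zone configured but unusable (e.g. expired)
        return "configured-but-unavailable"
    return "unexpected:" + RCODES.get(rcode, str(rcode))

def fake_response(qid, flags, ancount=0):
    """Constructed header-only response, so the example runs offline."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

# Constructed samples: (zone, flags word, answer count)
SAMPLES = [
    ("good.example", 0x8400, 1),     # QR + AA, NOERROR, one SOA
    ("missing.example", 0x8005, 0),  # QR, REFUSED
    ("expired.example", 0x8002, 0),  # QR, SERVFAIL
]

if __name__ == "__main__":
    for zone, flags, ancount in SAMPLES:
        print(zone, classify(fake_response(7, flags, ancount), 7))
```

Against a live server, send the output of `build_soa_query()` over UDP port 53 with a timeout and pass the reply to `classify()`; a timeout is a separate state from either response code.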