[nsd-users] REFUSED vs SERVFAIL

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Jan 20 15:17:12 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 01/20/2014 04:07 PM, Anand Buddhdev wrote:
> On 20/01/2014 15:27, Miek Gieben wrote:
> 
>>> How do resolvers react to SERVFAIL versus REFUSED, is there a 
>>> difference in behaviour? Intuitively I would assume that upon 
>>> SERVFAIL a resolver would retry with another authoritative 
>>> nameserver for the zone in question, with REFUSED I'm not so
>>> sure, do resolvers give up immediately or retry as well?
>> 
>> I think this difference is mostly important for monitoring
>> tools.
> 
> Miek is right. As far as I know, well-written resolvers treat
> REFUSED and SERVFAIL the same way, ie. they move on to another
> servers for the zone.
> 
> But monitoring tools get confused. Since we have so many zones 
> configured on our systems, we have scripts that query our name
> servers for all the zones, and look at the response code to figure
> out what has happened to a zone (did it fail to get provisioned, or
> has it expired?) So the distinction of REFUSED vs SERVFAIL is
> important to us.

Out analysis at NLnet Labs agrees, we'll implement REFUSED for
out-of-zone queries.  (in future releases).  The major implementations
behaving the same on the wire is good.  We think for monitoring it may
be useful.  We think for resolvers it makes little to no difference
(for unbound there is no difference, it becomes SERVFAIL to unbound's
clients if only out-of-zone servers exist).

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS3T34AAoJEJ9vHC1+BF+NdGQP/27Wcn2uUSHVYnN5AUsmCAaU
D6EX6gj/x7BiUWWVaV9vC6Jx9tQ0/X5mJgdOWU0FovzfNVt23izojpiHfaXLQ01v
lCaLkz6sFocModdMhPH5MVpiOqLU0LxqTLrUJ+sWGd/t0DXzJ8RbfnTrbqtRpUl2
WIbb6zR5JwTo/JAYEwiO+r17KP8x4X5Ww9lAhdORZsy7U/icQ62Pg9+wmy+18X76
RVkSymgqBs3sXMmNXPZ+BN0jksnJEmgG2SFJpR201wwjkSL+34smgA3GaWlGw8nJ
STEYwiCUo6IomMpiWVGL6YUatEhU3goiGt0WFj4BAvcWpzTFiBHzHETBcN/0uzDw
s4Hh+XWuaSmAcjaAH6E7fIu/SkaqIE4DloGr7GzJNOn8bvRXPM+ll4kII5lPGGLD
D1XRNdLTnoKBxCOYGcI2U15NQ/TQ8v3bGO5tEywQWNKATWyd2AoMHE1cYcJvpADr
DH72pCqMj283h3yKD6FlF0cu4F+56p2ZsKvKeX3Z6cm8HeZaj+oeOEqmmDGbX0Zi
teHvWXomprUhbUsRDQ4Kc9BG+D8QlU0OMbqayRDxkrnTczl/PmhIFTQhMS26FFB3
T/m0BxMf8AzU68j4fspdjhxunNc9IOLYT5pqkP9PALAQvCLAWhsfvYp53dnPPsUz
LqX63/nc06x1leg088/8
=18nw
-----END PGP SIGNATURE-----



More information about the nsd-users mailing list