... [email protected] wrote:

> I mistakenly wrote on 03/06/2013 11:36:20 AM:
>
>> Given that no properly configured server should be querying this recursive
>> name server for isc.org,
>
> I meant to describe it as an authoritative server. Duh. I'm having one of
> those days....
>
> Sorry for the confusion.
>
> So to rephrase the question...
>
> Is there any reason why recursive queries to an authoritative server that
> would normally get a REFUSED reply shouldn't be dropped instead of getting
> an answer?
>
> Maybe now that I've had lunch the brain will work better.
if the authority server in question is configured to be a primary or secondary server for a zone which is at or above the qname, then the correct answer is either authoritative-positive, authoritative-negative, or servfail. servfail is if the zone data source is unavailable, such as a missing primary zone file or an expired secondary zone cache file.

if said authority server is not configured to be a primary or secondary for any zone at or above the qname, then the proper response is refused. (not an upward delegation as I once had it in bind8 -- my apologies to all.)

the reason for these differences is to help in diagnostics.

recursive servers should behave reasonably, which at a minimum means not repeating the same query immediately. this can be done with a hold-down timer or a negative cache, at the whim of the implementor.

since many recursive servers and many spoofed-source ddos attackers repeat the query immediately, i'm in agreement that RRL should have a threshold for "refused".

paul
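The response rules in the reply above, as an added example that is not code from the thread or from BIND: a small Python model of how an authoritative server picks NOERROR, NXDOMAIN, SERVFAIL or REFUSED from its zone configuration, plus a per-source sliding-window threshold on REFUSED replies in the spirit of the RRL suggestion. The zone-table shape, the `RefusedLimiter` class and the sample addresses are constructed for illustration.

```python
from collections import defaultdict, deque

NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"


def closest_zone(zones, qname):
    """Return the longest configured zone at or above qname (root is "."), or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) or "."
        if candidate in zones:
            return candidate
    return None


def answer_rcode(zones, qname):
    """zones: {zone_name: {"loaded": bool, "names": set of owner names}} (constructed shape)."""
    zone = closest_zone(zones, qname)
    if zone is None:
        return REFUSED            # not primary/secondary for any zone at or above qname
    cfg = zones[zone]
    if not cfg["loaded"]:
        return SERVFAIL           # missing primary file or expired secondary cache
    if qname.lower().rstrip(".") in cfg["names"]:
        return NOERROR            # authoritative positive
    return NXDOMAIN               # authoritative negative


class RefusedLimiter:
    """Sliding-window threshold on REFUSED per source address (illustrative, not BIND's RRL)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)   # source -> timestamps of recent REFUSED replies

    def allow(self, source, now):
        q = self.hits[source]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget hits outside the window
        if len(q) >= self.threshold:
            return False                 # over threshold: drop instead of answering
        q.append(now)
        return True


def respond(zones, limiter, source, qname, now):
    """Return the rcode to send, or None when a repeated REFUSED query is dropped."""
    rc = answer_rcode(zones, qname)
    if rc == REFUSED and not limiter.allow(source, now):
        return None
    return rc
```

Only REFUSED is throttled here; in-zone answers and SERVFAIL are returned unchanged so the diagnostic value of the distinct codes is kept.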
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
