On Mon, Nov 13, 2017 at 11:12:52AM -0800, Matthew Pounsett wrote:
> I haven't got the time this morning to search release notes, but I'm fairly
> sure that in 2012, when you wrote that article, current versions of BIND
> were already handing out REFUSED to indicate "I'm not authoritative for
> that." At the very least it began doing that not long after.

That became the default behavior in 9.4.2 in Nov 2007. (It was documented in 9.4.0 in Feb 2007, but there was a bug in how the default setting was applied.) The relevant change was the addition of the allow-query-cache ACL.

The REFUSED rcode in this case doesn't mean "I'm not authoritative", it means "you're not allowed to look in my cache to see the root referral I would've sent otherwise".

It'd be nice if we could use NOTAUTH for this, but that rcode didn't exist when the spec was written. REFUSED isn't an exact fit, but it's legal, sensible in context, and gets the job done.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
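
An added example, not part of the original message and not BIND code: a wire-format check that tells the two behaviours described above apart, classifying a reply to an out-of-zone query as REFUSED or as the root referral it replaced. The sample messages are constructed, the function names are hypothetical, and treating "NOERROR, AA clear, no answers, `. NS` in the authority section" as a root referral is this example's assumption.

```python
import struct
RCODE_REFUSED, TYPE_NS = 5, 2

def read_name(msg, off):
    """Decode a domain name; return (name, offset just past it in the record)."""
    labels, end = [], None
    for _ in range(256):                          # bound stops pointer loops
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    raise ValueError("compression loop")

def classify(msg):
    """Classify a reply to a query the server is not authoritative for."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if (flags & 0xF) == RCODE_REFUSED:
        return "refused"
    if (flags & 0xF) or (flags & 0x0400) or an:   # error, AA set, or answers
        return "other"
    off = 12
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4          # name + QTYPE + QCLASS
    for _ in range(ns):                           # look for ". NS" in authority
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if owner == "." and rtype == TYPE_NS:
            return "upward-referral"
    return "other"

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def build(flags, qname, authority=()):
    # Constructed reply: one question, NS records in the authority section.
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, target in authority:
        rdata = encode_name(target)
        msg += encode_name(owner) + struct.pack("!HHIH", TYPE_NS, 1, 518400, len(rdata)) + rdata
    return msg
REFUSED_REPLY = build(0x8005, "example.net.")     # constructed: QR=1, rcode=REFUSED
REFERRAL_REPLY = build(0x8000, "example.net.", [(".", "a.root-servers.net.")])
```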