On 01/07/2025 10:05, Neil Nie (NSB) wrote:

Hi Neil,

> I found that bind9 (as forwarder) always overwrites rcode refused to rcode servfail. For one use-case, the dns client wants to get the original rcode (like refused). Please advise if there is any config or method to achieve that.

A resolver tries to resolve a query on behalf of its client. The resolver may face any number of problems in trying to get the answer. An upstream authoritative server could return REFUSED (meaning, it doesn't have the zone configured). The upstream authoritative server could just fail to respond, resulting in a timeout. Or there could be DNSSEC validation failures. After the resolver has tried everything it can to resolve a query, the only sane thing it can return to the client is SERVFAIL, meaning "I tried everything to resolve your query, but was unable to". It cannot return REFUSED, because REFUSED from a resolver to a client means something else, i.e. "I refuse to resolve this query for you".

Regards,
Anand
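
An added illustration of the behaviour described in the reply above (not part of the original thread and not BIND's code): a simplified Python model that reads the RCODE from constructed DNS response headers and decides what the resolver returns to its client. The function names and the `client_allowed` flag are assumptions made for this sketch, and DNSSEC validation is not modelled.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def make_header(qid, rcode):
    """Build a constructed 12-byte DNS response header (QR=1, RA=1, QDCOUNT=1)."""
    flags = 0x8000 | 0x0080 | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

def parse_rcode(msg):
    """RCODE is the low 4 bits of the 16-bit flags field at offset 2 (RFC 1035, 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0xF

def resolve(client_allowed, upstream_replies):
    """Return the rcode name handed to the client.

    client_allowed: the resolver's own policy decision for this client (assumed flag).
    upstream_replies: raw response bytes per upstream tried, or None for a timeout.
    """
    if not client_allowed:
        # REFUSED from the resolver: "I refuse to resolve this query for you".
        return "REFUSED"
    for reply in upstream_replies:
        if reply is None:
            continue  # timeout, try the next upstream
        try:
            rcode = parse_rcode(reply)
        except ValueError:
            continue  # malformed reply is treated like no reply
        if rcode in (0, 3):
            return RCODES[rcode]  # definitive answer, pass it on
        # Upstream REFUSED/SERVFAIL only says this server is unusable; keep trying.
    # Everything was tried and nothing usable came back.
    return "SERVFAIL"

if __name__ == "__main__":
    refused = make_header(0x1234, 5)  # constructed sample: upstream says REFUSED
    ok = make_header(0x1234, 0)       # constructed sample: upstream answers
    print(resolve(True, [refused]))            # upstream REFUSED only
    print(resolve(True, [None, refused, ok]))  # a later upstream answers
    print(resolve(False, [ok]))                # client blocked by resolver policy
```
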