Tony Finch wrote:
> Paul Vixie <p...@redbarn.org> wrote:
>> Ray Bellis wrote:
>>> Won't that cause the resolver to cycle through every root server letter
>>> hoping for one that doesn't give that answer?
>>
>> yes. that's what REFUSED is taken to mean, and also, why we never use it for
>> data-dependent conditions. only the initiator's identity matters in the
>> consideration of whether to transmit REFUSED or not.
>
> That's not entirely true - if you are asking an authoritative-only server
> then you get REFUSED or not depending on whether the QNAME is in an
> authoritative zone.

that's what this group has reached consensus on in recent months, yes.
to me that's a servfail condition, because the initiator may have better
knowledge than the server operator. i can re-quote the scriptures on
this point if my non-participation in the recent consensus seems
unjustified.

servfail and refused are equivalent in one sense: the proper reaction to
either is to remove that server from consideration for that query (retry
won't help), and to perhaps keep it out of consideration for similar
queries (same apparent bailiwick) for some holddown period.
--
P Vixie
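
The resolver-side reaction described in the last paragraph of the message above, sketched as an added example that is not part of the thread or of any resolver's code. The class name, the `send` callback, the 30-second holddown and the server names are assumptions made for illustration.

```python
import time

# Rcodes the message treats alike: retrying the same server will not help.
NO_RETRY = {"SERVFAIL", "REFUSED"}


class ServerSelector:
    """Hypothetical server selection with a per-bailiwick holddown."""

    def __init__(self, holddown=30.0, clock=time.monotonic):
        self.holddown = holddown      # seconds; assumed value
        self.clock = clock
        self.held = {}                # (server, bailiwick) -> expiry time

    def candidates(self, servers, bailiwick):
        """Servers not currently held down for this bailiwick."""
        now = self.clock()
        return [s for s in servers if self.held.get((s, bailiwick), 0) <= now]

    def resolve(self, qname, bailiwick, servers, send):
        """Ask each eligible server at most once.

        send(server, qname) is a caller-supplied function returning
        (rcode, answer). Returns (rcode, answer, tried).
        """
        tried = []
        for server in self.candidates(servers, bailiwick):
            rcode, answer = send(server, qname)
            tried.append((server, rcode))
            if rcode in NO_RETRY:
                # Out of consideration for this query, and held down for
                # later queries in the same apparent bailiwick.
                self.held[(server, bailiwick)] = self.clock() + self.holddown
                continue
            return rcode, answer, tried
        # Every eligible server was excluded; report failure upstream.
        return "SERVFAIL", None, tried


def demo():
    """Constructed replies: two servers decline, the third answers."""
    replies = {"ns1": ("REFUSED", None), "ns2": ("SERVFAIL", None),
               "ns3": ("NOERROR", "192.0.2.1")}
    sel = ServerSelector()
    return sel.resolve("www.example.", "example.", list(replies),
                       lambda server, qname: replies[server])
```

The holddown is keyed on the (server, bailiwick) pair, so a server that declined a query for one zone stays eligible for queries in other zones.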