Hi Roger,

As far as I know, the meaning of NOTAUTH depends on the context
(see http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).
So NOTAUTH is used here for "Not Authorized" (RFC3845).

Regards,
Daniel

On 06/14/2016 02:21 PM, Roger Murray wrote:
> Hey Anand,
>
> Thanks for the quick response.
>
> On 13Jun, 2016, at 19:39 , Anand Buddhdev <anandb@ripe.net> wrote:
>
>> On 13/06/16 19:09, Roger Murray wrote:
>>
>> Hi Roger,
>>
>>> I am seeing a response from a knot name server that I am working on
>>> that has me a little confused. When I do zone transfer requests from
>>> clients that aren’t allowed to do a zone transfer I expect to receive
>>> rcode 5 REFUSED, but I am receiving rcode 9 NOTAUTH.
>>
>> The REFUSED rcode is generally used to indicate that a server isn't
>> carrying the zone you queried for.
>>
>> However, when a server does have a zone loaded, and can answer queries
>> for it, but just won't allow zone transfers, then NOTAUTH is the right
>> response, meaning "I have the zone, but I won't XFR it to you".
>
> I am digging through the RFCs and I interpret them as saying the exact opposite. As far as I can tell the REFUSED rcode is a refusal based on policy (RFC1035) and then that NOTAUTH rcode is that the nameserver isn’t authoritative for the queried zone (RFC2136). I am finding mixed implementation in the wild and was wondering what the knot developers based the implementation decision on.
>
>>> Is this the expected behaviour? Is this configurable?
>>
>> Yes it is expected behaviour, and as far as I know, it's not configurable.
>>
>> Regards,
>> Anand
>
> Best regards,
> /rog


_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
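
Since this thread reports that a denied zone transfer comes back as rcode 5 (REFUSED) from some servers and rcode 9 (NOTAUTH) from others, a check that audits zone-transfer exposure should count both as a denial. The following Python example is added here and is not code from the thread or from Knot DNS; `build_reply` and `classify_axfr_reply` are hypothetical names, and the reply bytes are constructed samples.

```python
import struct

# Names from the IANA DNS RCODE registry; value 9 is registered with two meanings.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}
QTYPE_AXFR = 252
DENIAL_RCODES = {5, 9}  # both are seen in the wild for a refused transfer


def build_reply(rcode, ancount=0, zone="example.com", qtype=QTYPE_AXFR):
    """Constructed sample: a DNS reply holding only a header and one question."""
    flags = 0x8000 | (rcode & 0x0F)  # QR=1 (response), 4-bit rcode
    header = struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in zone.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # class IN


def classify_axfr_reply(msg):
    """Return (rcode_name, verdict) for the first message of an AXFR reply.

    Assumes the 2-byte TCP length prefix is already stripped and that the
    question name is uncompressed.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question DNS response")
    pos = 12
    while pos < len(msg) and msg[pos]:  # skip the labels of the question name
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):
        raise ValueError("truncated question section")
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    if qtype != QTYPE_AXFR:
        raise ValueError("reply does not echo an AXFR question")
    rcode = flags & 0x0F
    name = RCODES.get(rcode, f"RCODE{rcode}")
    if rcode in DENIAL_RCODES:
        return name, "transfer denied"
    if rcode == 0 and ancount > 0:
        return name, "transfer allowed"
    return name, "inconclusive"
```

A check that matches only on REFUSED would report a server answering NOTAUTH as an unexpected result rather than as a correctly denied transfer.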