Unexpected "REFUSED" response.
Kevin Darcy
kcd at daimlerchrysler.com
Tue May 18 00:16:15 UTC 2004
Jim Reid wrote:
> >>>>> "Neil" == Neil W Rickert <rickert+nn at cs.niu.edu> writes:
>
> >> Could you have some sort of global ACL, say for
> >> allow-recursion? A
>
> Neil> I did mention in my original post, that access is restricted
> Neil> from off campus. That is done with
>
> Neil> allow-query { niu ; } ;
> Neil> allow-recursion { niu ; } ;
>
>Er, no. You didn't mention that. Until now... :-)
>
> Neil> Yes, I understand what has happened. Since max.niu.edu is a
> Neil> CNAME, these restrictions deny access to a lookup of the
> Neil> CNAME destination.
>
>No! It's got nothing to do with what record types exist or don't exist
>for max.niu.edu.
>
> Neil> Access is explicitly allowed for niu.edu. So why does named
> Neil> not return the CNAME record, and set the recursion-denied
> Neil> flag to indicate why it won't look up the CNAME destination?
>
>Because you told it not to do that! Read on...
>
>BTW, there's no "recursion-denied flag". Your server returns a REFUSED
>response code when it finds the query matches some criteria that
>you've told the server are considered unwelcome. I quote from RFC2136:
>
>     RCODE   Response code - this four bit field is undefined in requests
>             and set in responses. The values and meanings of this field
>             within responses are as follows:
>
>     REFUSED 5   The name server refuses to perform the
>                 specified operation for policy or
>                 security reasons.
>
>So for operational or security reasons -- your ACLs in other words --
>your server is not answering recursive queries from outside. It's not
>the server's fault that it's only doing what it was told to do rather
>than what you thought you'd told it to do.
>
Jim, BIND doesn't give REFUSED answers to queries that run afoul of an
allow-recursion ACL; in that case, BIND just declines to recurse for the
query, i.e. it'll return whatever is in the cache, but nothing more than
that.
This one is a bit of a mystery to me...
- Kevin
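The two behaviours discussed in this thread look different on the wire: a query rejected by an allow-query style ACL comes back with RCODE 5 (REFUSED), whereas a client that merely falls outside allow-recursion gets a normal RCODE with whatever the cache holds. The header decoder below is an added example, not code from the thread or from BIND; it assumes the server clears the RA (recursion available) flag when it declines to recurse for a client, as BIND 9 does, and the three sample headers are constructed, not captured.

```python
import struct

# RFC 1035 response codes; the four-bit RCODE field lives in the low nibble of the flags word
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),      # 1 = response
        "rd": bool(flags & 0x0100),      # client asked for recursion
        "ra": bool(flags & 0x0080),      # server offers recursion to this client
        "rcode": flags & 0x000F,         # 5 == REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Tell a policy REFUSED apart from a 'recursion declined, cache only' answer."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    name = RCODES.get(h["rcode"], f"RCODE{h['rcode']}")
    if h["rcode"] == 5:
        return "REFUSED: a policy ACL (e.g. allow-query) rejected the query outright"
    if h["rd"] and not h["ra"]:
        return f"{name}: recursion declined (allow-recursion); only cached/authoritative data returned"
    return f"{name}: recursion available"


def build_header(ident: int, qr: bool, rd: bool, ra: bool, rcode: int, ancount: int = 0) -> bytes:
    """Assemble a header for the constructed samples below (one question, no authority/additional)."""
    flags = (0x8000 if qr else 0) | (0x0100 if rd else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed sample headers (hypothetical, not captured traffic)
REFUSED_RESPONSE = build_header(0x1234, qr=True, rd=True, ra=False, rcode=5)
# the case Kevin describes: CNAME served from cache, RA cleared, target not chased
NO_RECURSION_RESPONSE = build_header(0x1235, qr=True, rd=True, ra=False, rcode=0, ancount=1)
NORMAL_RESPONSE = build_header(0x1236, qr=True, rd=True, ra=True, rcode=0, ancount=2)
```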