Unexpected "REFUSED" response.

Kevin Darcy kcd at daimlerchrysler.com
Tue May 18 00:16:15 UTC 2004


Jim Reid wrote:

>    >>>>> "Neil" == Neil W Rickert <rickert+nn at cs.niu.edu> writes:
>
>    >> Could you have some sort of global ACL, say for
>    >> allow-recursion? A
>
>    Neil> I did mention in my original post, that access is restricted
>    Neil> from off campus.  That is done with
>
>    Neil> allow-query { niu ; } ; 
>    Neil> allow-recursion { niu ; } ;
>
>Er, no. You didn't mention that. Until now... :-)
>
>    Neil> Yes, I understand what has happened.  Since max.niu.edu is a
>    Neil> CNAME, these restriction deny access to a lookup of the
>    Neil> CNAME destination.
>
>No! It's got nothing to do with what record types exist or don't exist
>for max.niu.edu.
>
>    Neil> Access is explicitly allowed for niu.edu.  So why does named
>    Neil> not return the CNAME record, and set the recursion-denied
>    Neil> flag to indicate why it won't look up the CNAME destination?
>
>Because you told it not to do that! Read on...
>
>BTW, there's no "recursion-denied flag". Your server returns a REFUSED
>response code when it finds the query matches some criteria that
>you've told the server are considered unwelcome. I quote from RFC2136:
>
>   RCODE   Response code - this four bit field is undefined in requests
>           and set in responses.  The values and meanings of this field
>           within responses are as follows:
>
>              REFUSED     5       The name server refuses to perform the
>                                  specified operation for policy or
>                                  security reasons.
>
>So for operational or security reasons -- your ACLs in other words --
>your server is not answering recursive queries from outside. It's not
>the server's fault that it's only doing what it was told to do rather
>than what you thought you'd told it to do.
>
Jim, BIND doesn't give REFUSED answers to queries that run afoul of an 
allow-recursion ACL; in that case, BIND just declines to recurse for the 
query, i.e. it'll return whatever is in the cache, but nothing more than 
that.

This one is a bit of a mystery to me...


                                                      - Kevin
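To tell the two ACL effects apart on the wire, here is an added example (not part of the thread or of BIND): a small Python decoder for the DNS message header that separates a REFUSED rcode (query rejected outright, as by allow-query) from a NOERROR answer with the RA flag clear, which is what a client sees when the server hands back cached data but declines to recurse (allow-recursion). It assumes the server clears RA for clients it will not recurse for, as BIND 9 does; the sample messages are constructed headers, not captured traffic.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS message into its flag fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # client asked for recursion
        "ra": bool(flags & 0x0080),   # server willing to recurse for this client
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Name the policy outcome a client saw, distinguishing the two ACL effects."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "REFUSED":
        return "refused"              # query policy (e.g. allow-query): no data at all
    if h["rd"] and not h["ra"]:
        # Server answered but cleared RA: recursion withheld (e.g. allow-recursion),
        # so ANCOUNT reflects only cached or authoritative data, nothing fetched.
        return "answered-without-recursion"
    return "answered-with-recursion"


def build_response(ident: int, rcode: int, ra: bool, ancount: int) -> bytes:
    """Constructed sample: a response header with QR and RD set and no body."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    return HEADER.pack(ident, flags, 1, ancount, 0, 0)


# Constructed samples (header only, no question or answer sections)
REFUSED_MSG = build_response(0x1234, 5, False, 0)     # rejected by policy
CACHE_ONLY_MSG = build_response(0x1235, 0, False, 1)  # cached data, RA clear
RECURSIVE_MSG = build_response(0x1236, 0, True, 2)    # full recursive answer
```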
