named[1095]: error (unexpected RCODE REFUSED)

Casey Deccio casey at deccio.net
Mon May 4 15:09:13 UTC 2015


On Mon, May 4, 2015 at 9:38 AM, Chris <cpollock at embarqmail.com> wrote:

> I've just finished setting up Bind as a local caching name server to
> work in conjunction with my Spamassassin setup. I did this because
> queries to uribl.com were getting blocked probably due to my ISP's
> reputation for spam. It seems to be working great, no more of the
> blocked queries to uribl.com however I am seeing a lot of this:
>
> error (unexpected RCODE REFUSED) resolving
> 'b4d44f4bcc9ddf0e61605920116ce915.ctyme.ixhash.net/A/IN':
> 62.75.209.50#53
> error (unexpected RCODE REFUSED) resolving 'getcreations.com/AAAA/IN':
> 192.185.149.195#53
> error (connection refused) resolving
> '185.130.201.205.dnsbl.sorbs.net/A/IN': 67.228.187.34#53
> error (connection refused) resolving
> '185.130.201.205.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
>
>
> this is a query to a domain I own
>
> error (unexpected RCODE REFUSED) resolving 'toadnet.com/AAAA/IN':
> 207.218.247.135#53
>
> Do I have something in my setup incorrect?
>

Hi Chris,

The problem is not with your resolver, but with the zones/servers it is
contacting.  Take toadnet.com, for example.  The delegation records in the
.com zone are these:

$ dig +noall +authority @a.gtld-servers.net toadnet.com ns
toadnet.com.        172800    IN    NS    ns2.ev1servers.net.
toadnet.com.        172800    IN    NS    ns1.ev1servers.net.
toadnet.com.        172800    IN    NS    ns1.ecdiscounts.com.

and the authoritative records in the toadnet.com zone are these:

$ dig +noall +answer @ns1.ecdiscounts.com toadnet.com ns
toadnet.com.        86400    IN    NS    ns2.usdcservers.net.
toadnet.com.        86400    IN    NS    ns1.usdcservers.net.

But the ev1servers.net servers are not properly set up to respond for the
toadnet.com zone:

$ dig +noall +comments @ns1.ev1servers.net toadnet.com ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43670
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

In your case, looks like you probably need to clean up the delegation
records in the parent zone through your registrar to match the ones in your
child zone.  Others would need to do similarly, depending on their
situation.

Cheers,
Casey
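
The comparison walked through in the reply above, as an added example that is not part of the original message: it parses the dig output quoted in the thread (embedded inline so it runs offline), diffs the parent and child NS sets, and flags any probed server that did not return an authoritative NOERROR answer. The function names and that "lame" criterion are assumptions of this example.

```python
import re

# dig output copied from the message above: .com delegation and child-zone NS sets.
PARENT = """\
toadnet.com.        172800    IN    NS    ns2.ev1servers.net.
toadnet.com.        172800    IN    NS    ns1.ev1servers.net.
toadnet.com.        172800    IN    NS    ns1.ecdiscounts.com.
"""
CHILD = """\
toadnet.com.        86400    IN    NS    ns2.usdcservers.net.
toadnet.com.        86400    IN    NS    ns1.usdcservers.net.
"""
# Header lines of the direct query to ns1.ev1servers.net, also from the message.
EV1 = (";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43670\n"
       ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.I)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)

def ns_set(dig_text, zone):
    """Return the NS targets listed for `zone` in dig answer/authority lines."""
    zone = zone.rstrip(".").lower() + "."
    found = set()
    for line in dig_text.splitlines():
        m = NS_RE.match(line.strip())
        if m and m.group(1).lower() == zone:
            found.add(m.group(2).lower())
    return found

def header(dig_comments):
    """Return (rcode, aa_flag_set) parsed from dig '+comments' output."""
    status = STATUS_RE.search(dig_comments)
    flags = FLAGS_RE.search(dig_comments)
    aa = bool(flags) and "aa" in flags.group(1).split()
    return (status.group(1) if status else None, aa)

def audit(zone, parent_text, child_text, probes):
    """Diff parent vs child NS sets; `probes` maps server name -> dig header text."""
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    lame = sorted(s for s, txt in probes.items()
                  if header(txt) != ("NOERROR", True))
    return {"only_in_parent": sorted(parent - child),
            "only_in_child": sorted(child - parent),
            "consistent": parent == child, "lame": lame}

if __name__ == "__main__":
    print(audit("toadnet.com", PARENT, CHILD, {"ns1.ev1servers.net.": EV1}))
```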