From NOERROR to REFUSED

Mar 2, 2015

Back in 2011, in the work leading up to the biggest release of the Authoritative Server so far (3.0, with DNSSEC), in an attempt to bring the rcode for a ‘dangling CNAME’ in line with BIND, by accident the rcode for ‘we have no idea about this zone at all’ was also changed to NOERROR. This mostly went unnoticed; we got the occasional question about this behaviour, and always reassured people that this new behaviour was correct. We are aware of other (minority) auths that also do this. We still hold the position that this behaviour is correct, by the way.

However, the DNS landscape is changing. More and more parties are doing their own authoritative DNS implementations, or are buying expensive load balancers on which DNS was an afterthought. Many of these products send bogus replies to any questions that are weird to them (AAAA; EDNS; uppercase names; you name it, some vendor will have broken it). Specifically, it is now common for broken auths to respond with an empty, non-authoritative (AA=0), NOERROR reply when asked for AAAA. This reply is indistinguishable from a PowerDNS auth saying ‘this zone is unknown to me’!

As a result of this, some implementers of recursive servers (notably Google Public DNS, notably not the PowerDNS Recursor) have chosen to treat this reply as NODATA instead of ‘this server is lame’. This means that if one of your PowerDNS auths loses a zone (or a whole database, or any other number of operator errors), Google Public DNS will take your ‘i dunno’ for ‘definitely not’, breaking your zone!

Given all this, while we are confident that our approach since 3.0 is valid, we have decided to change our behaviour, and from now on the PowerDNS Authoritative Server will send REFUSED replies to any questions for unknown zones. This change will also be in Authoritative Server 3.4.3, released today.

Should you currently be affected by this incompatibility between your pre-3.4.3 auth and Google Public DNS or another recursor that misunderstands these replies, then you can use send-root-referral=lean to confuse the resolver into thinking you are lame for a zone. Do note that OARC recommends against this, and indeed recommends REFUSED, which PowerDNS has now switched to.

About the author

Peter van Dijk

Peter van Dijk

Senior Developer at PowerDNS

Related Articles

PowerDNS Authoritative Server 4.9.2

This is release 4.9.2 of the Authoritative Server. It contains a collection of small fixes. A detailed list of changes can...

Peter van Dijk Oct 1, 2024

PowerDNS Authoritative Server 4.9.1

This is release 4.9.1 of the Authoritative Server. It contains a collection of small fixes. A detailed list of changes can...

Peter van Dijk May 28, 2024

PowerDNS Authoritative Server 4.9.0

This is release 4.9.0 of the Authoritative Server. It brings a few new features, and a collection of small improvements and...

Peter van Dijk Mar 15, 2024

PowerDNS Authoritative Server 4.9.0-beta2

This is release 4.9.0-beta2 (beta1 was not released, due to a tagging mistake) of the Authoritative Server. It brings a few...

Peter van Dijk Feb 16, 2024