Re: axfr-clarify supporting unauthorized users
On Fri, 2002-11-29 at 13:03, D. J. Bernstein wrote:

> On the contrary. I agree that FIN is, in this context, not a
> particularly _informative_ error message, but REFUSED and SERVFAIL
> aren't particularly informative either; they carry only marginally more
> information than FIN. Anyone who doesn't understand why his AXFR attempt
> was rejected will have to ask the server administrator.

If you receive a REFUSED message from the server, there is pretty much
only one explanation: the server doesn't have you configured as an
authorized secondary.

If the connection is closed, there are several explanations: the server
is djbdns and doesn't have you configured as an authorized secondary,
the server process crashed and the kernel closed the connection, the
server is running through a misconfigured inetd or tcpserver.

I don't think a reasonable implementor can construe a TCP FIN as an
error message.

> Anyway, as an unauthorized user, you have no right to ask for AXFR in
> the first place, let alone demand an answer, let alone demand an
> _informative_ answer.

You say this a lot, but you're only considering one possible case: the
requestor is a twit with no legitimate relationship to the primary. A
more interesting case is when the primary or secondary is accidentally
misconfigured.

Contrary to what you've said before, making it easier to detect common
misconfigurations is an important aspect of interoperability.
--
archive: <http://ops.ietf.org/lists/namedroppers/>
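
Added example, not part of the original message or of any DNS implementation: a secondary-side check that classifies the bytes received on an AXFR TCP connection and lists the causes named in the message above for each outcome. The function names, the `DIAGNOSIS` table and the sample replies are constructed for illustration; the RCODE values and the 2-byte TCP length prefix are from RFC 1035.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}  # subset of RFC 1035 RCODEs
AXFR, IN = 252, 1                                     # QTYPE AXFR, QCLASS IN

# What each outcome lets the requesting operator conclude, per the message above.
DIAGNOSIS = {
    "REFUSED": ["server does not list you as an authorized secondary"],
    "CLOSED": ["server does not list you as an authorized secondary (djbdns)",
               "server process crashed and the kernel closed the connection",
               "server runs through a misconfigured inetd or tcpserver"],
}

def encode_name(zone):
    labels = zone.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def frame(qid, flags, zone):
    """One DNS-over-TCP message: 2-byte length prefix, header, AXFR question."""
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 0) + encode_name(zone)
    msg += struct.pack("!2H", AXFR, IN)
    return struct.pack("!H", len(msg)) + msg

def classify(stream):
    """Classify every byte the server sent before its FIN."""
    if not stream:
        return "CLOSED"                      # FIN with no DNS message at all
    if len(stream) < 2:
        return "TRUNCATED"
    (length,) = struct.unpack("!H", stream[:2])
    msg = stream[2:2 + length]
    if length < 12 or len(msg) < length:
        return "TRUNCATED"                   # connection ended mid-message
    _qid, flags = struct.unpack("!2H", msg[:4])
    if not flags & 0x8000:
        return "MALFORMED"                   # QR bit clear: not a response
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)

def candidate_causes(stream):
    return DIAGNOSIS.get(classify(stream), [])

if __name__ == "__main__":
    refused = frame(0x1234, 0x8005, "example.com")   # constructed sample reply
    for name, data in [("refused", refused), ("fin", b""), ("cut", refused[:9])]:
        print(name, classify(data), candidate_causes(data))
```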