DNS 5 REFUSED vs 21 BADALG
Both DNS 5 (REFUSED) and 21 (BADALG) belong to the DNS Response Codes (RCODEs) category. 5 indicates that query refused. The name server refuses to perform the requested operation for policy reasons. Meanwhile, 21 means that algorithm not supported. The cryptographic algorithm specified in the TKEY or SIG record is not supported by the server.
الوصف
Query refused. The name server refuses to perform the requested operation for policy reasons.
متى تراه
The server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
كيفية الإصلاح
Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service.
الوصف
Algorithm not supported. The cryptographic algorithm specified in the TKEY or SIG record is not supported by the server.
متى تراه
Your TKEY negotiation or DNSSEC operation requested an algorithm (e.g., HMAC-SHA512) that the server has not been compiled with or configured to accept.
كيفية الإصلاح
Use a mutually supported algorithm. HMAC-SHA256 is widely supported for TSIG; for DNSSEC, check the server's supported algorithm list with its documentation.
الفروق الرئيسية
DNS 5: Query refused. The name server refuses to perform the requested operation for policy reasons.
DNS 21: Algorithm not supported. The cryptographic algorithm specified in the TKEY or SIG record is not supported by the server.
You encounter 5 when the server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
You encounter 21 when your TKEY negotiation or DNSSEC operation requested an algorithm (e.g., HMAC-SHA512) that the server has not been compiled with or configured to accept.
متى تستخدم أيًا منهما
For 5 (REFUSED): Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service. For 21 (BADALG): Use a mutually supported algorithm. HMAC-SHA256 is widely supported for TSIG; for DNSSEC, check the server's supported algorithm list with its documentation.