DNS 5 REFUSED vs 20 BADNAME
Both DNS 5 (REFUSED) and 20 (BADNAME) belong to the DNS Response Codes (RCODEs) category. 5 indicates that query refused. The name server refuses to perform the requested operation for policy reasons. Meanwhile, 20 means that duplicate key name. The key name in a TKEY negotiation is already in use or conflicts with an existing key.
Description
Query refused. The name server refuses to perform the requested operation for policy reasons.
When You See It
The server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
How to Fix
Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service.
Description
Duplicate key name. The key name in a TKEY negotiation is already in use or conflicts with an existing key.
When You See It
A TKEY key establishment failed because a key with the same name already exists on the server from a previous session that was not properly cleaned up.
How to Fix
Use a unique key name for each TKEY session (e.g., append a timestamp or random suffix). Delete stale keys on the server if they are no longer needed.
Key Differences
DNS 5: Query refused. The name server refuses to perform the requested operation for policy reasons.
DNS 20: Duplicate key name. The key name in a TKEY negotiation is already in use or conflicts with an existing key.
You encounter 5 when the server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
You encounter 20 when a TKEY key establishment failed because a key with the same name already exists on the server from a previous session that was not properly cleaned up.
When to Use Which
For 5 (REFUSED): Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service. For 20 (BADNAME): Use a unique key name for each TKEY session (e.g., append a timestamp or random suffix). Delete stale keys on the server if they are no longer needed.