Frequent SERVFAIL: "nameservers now above QDOMAIN" (BIND 9.5.0-P2)

[Bart Van den Broeck]

Hello all


We are experiencing frequent SERVFAIL errors when recursively resolving names in 
certain external zones, e.g. the zone su.se, on our BIND 9.5.0-P2 nameservers. 
A failing query seems to go well until the response with the authoritative 
nameservers for the zone is received.  Then, at debug level 3, we see the 
following message in the log file:

fctx 0x4a5ab808(ns.su.se/A'): nameservers now above QDOMAIN

When the query happens to succeed, this message is not logged.  A network trace 
shows, however, that the response received by our nameserver is in both cases 
identical (except for order)!  Apparently, for an unknown reason, BIND sometimes 
seems to give up early and returns SERVFAIL instead of doing the final query.

Possibly even stranger is the fact that flushing the cache of the nameserver 
solves the problem for a while.

Does anybody have any idea on the cause or any suggestions to debug this 
further?  Could this be related to the caching issue mentioned in the last 
message in the thread "Re: LRU fail after switch 9.4.1 -> 9.5.0p1 ?" 
(<http://marc.info/?l=bind-users&m=122123729916850&w=2>)?  (Cache is at the 
default settings.)


Kind regards
Bart Van den Broeck
-- K.U.Leuven - ICTS - ICT Infrastructuur - Netwerken (aka KULeuvenNet)-