Stumped - SERVFAIL vs NOERROR?
Mark Andrews
marka at isc.org
Wed Apr 27 13:40:42 UTC 2011
In message <1303906294.2246.93.camel at karl>, Karl Auer writes:
>
> Hi all.
>
> Well, I'm stumped.
>
> This is causing non-delivery of mail for the affected domain because it
> is blocking fallback from IPv6 to IPv4 for the domain. The problem
> smells like misconfigured IPv6 somewhere along the way, but all the
> servers involved (that have IPv6 addresses) seem to be answering OK.

The SMTP server will be failing on the MX lookup if it is following
the RFCs. A and AAAA should only be looked up after getting a
NODATA response to an MX query.

> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
> a particular domain, namely "mailergoat.rsi.co.jp". But from other
> places, we get NOERROR (which is the correct answer, because there is an
> A record with that name). However, from some places outside our network
> we also get SERVFAIL.

The nameservers for mailergoat.rsi.co.jp are broken. They return
the *wrong* SOA record in the response which can clearly be seen at
the end of a "dig +trace mailergoat.rsi.co.jp mx".

mailergoat.rsi.co.jp. 600 IN NS gtm1.rsi.co.jp.
mailergoat.rsi.co.jp. 600 IN NS gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms

rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms

The correct SOA record would be "mailergoat.rsi.co.jp 60 IN SOA
gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60"
all other things being equal.

> Traces (using the +trace option to dig) are identical regardless of
> where we do them, besides some reordering of the nameserver results,
> which is normal.
>
> One oddity (at least it seems odd to me) is that a trace ends with two
> nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in
> the nameserver list for rsi.co.jp, meaning that the domain
> mailergoat.rsi.co.jp has been delegated to them. When I ask either of
> those servers directly for the nameserver records for
> mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers
> for "ANY" records for that name shows an A record and a TXT (SPF) record
> only. That makes this a lame delegation - but why do some recursive
> nameservers report it as SERVFAIL and some as NOERROR? A difference
> between nameservers, or nameserver versions?

Different tolerances for errors.

Adding an MX record here will help. One really shouldn't be depending
upon the implicit MX records generated from the A and AAAA records.

> Any ideas gratefully received. See below for dig outputs demonstrating
> the above statements.
>
> Regards, K.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
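
Added example (not part of the original post, and not BIND's resolver code): a simplified Python check for the fault described above, where the SOA in the final response is owned by a name outside the zone that was delegated. The function names and verdict strings are assumptions made for illustration; the sample input is the dig excerpt quoted in the post.

```python
# Added illustration: checks whether the SOA owner in the last response of a
# "dig +trace" lies inside the zone delegated by the preceding NS records.
# Function names and verdict strings are hypothetical, not from BIND.

# Sample input: the dig +trace tail quoted in the post above.
SAMPLE_TRACE = """\
mailergoat.rsi.co.jp. 600 IN NS gtm1.rsi.co.jp.
mailergoat.rsi.co.jp. 600 IN NS gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms
"""

def labels(name):
    """Lower-cased labels of a domain name, ordered root-first."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]

def is_at_or_below(name, ancestor):
    """True if `name` equals `ancestor` or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return n[:len(a)] == a

def parse_trace_tail(text):
    """Return (deepest NS owner, SOA owner or None) from dig-style records."""
    cut, soa = None, None
    for line in text.splitlines():
        f = line.split()
        # Skip dig comment lines and anything that is not "owner TTL IN type rdata".
        if len(f) < 5 or line.startswith(";") or f[2].upper() != "IN":
            continue
        owner, rtype = f[0], f[3].upper()
        if rtype == "NS" and (cut is None or len(labels(owner)) >= len(labels(cut))):
            cut = owner          # deepest delegation point seen so far
        elif rtype == "SOA":
            soa = owner          # SOA from the negative (NODATA) response
    return cut, soa

def check_negative_soa(qname, text):
    """Classify the SOA owner relative to the delegation point and the query name."""
    cut, soa = parse_trace_tail(text)
    if cut is None or soa is None:
        return "incomplete"
    if not is_at_or_below(soa, cut):
        return "soa-outside-delegation"   # e.g. parent zone's SOA from a child's servers
    if not is_at_or_below(qname, soa):
        return "soa-not-covering-qname"
    return "ok"

if __name__ == "__main__":
    print(check_negative_soa("mailergoat.rsi.co.jp", SAMPLE_TRACE))
```
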