BIND9 SERVFAIL on some .gov addresses
Chuck Swiger
cswiger at mac.com
Thu Feb 10 21:19:21 UTC 2011
On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
> health.nyc.gov query-errors:
>
> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
> at query.c:4630
> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
> resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
> [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0
The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:
    if (result != ISC_R_SUCCESS) {
        if (result == DNS_R_ALIAS) {
            /*
             * XXXRTH Follow the CNAME/DNAME chain?
             */
            dns_adb_destroyfind(&find);
            fctx->adberr++;
        }
    }

[ ...and... ]

    if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
        fctx->lamecount++; /* cached lame server */
    else
        fctx->adberr++; /* unreachable server, etc. */
This implies a connectivity issue between your client and the nyc.gov nameservers, I think.
But there are local wizards lurking who are much more familiar with the code than I....
For the other example:
> resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.000069: timed
> out/success [domain:idphdomain.
> idph.state.ia.us,referral:3,restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
I get no response either. I'd imagine a delegation problem somewhere in the list of domains, although if you poke around, you can find servers which will answer and claim no MX records exist:
% dig -t ns idphdomain.idph.state.ia.us @dns1.uiowa.edu
; <<>> DiG 9.6.3 <<>> -t ns idphdomain.idph.state.ia.us @dns1.uiowa.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38483
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;idphdomain.idph.state.ia.us. IN NS
;; AUTHORITY SECTION:
idph.state.ia.us. 28800 IN NS cyclone.idph.state.ia.us.
idph.state.ia.us. 28800 IN NS hawkeye.idph.state.ia.us.
idph.state.ia.us. 28800 IN NS panther.idph.state.ia.us.
[ ... ]
% dig -t mx idphdomain.idph.state.ia.us @cyclone.idph.state.ia.us
; <<>> DiG 9.6.3 <<>> -t mx idphdomain.idph.state.ia.us @cyclone.idph.state.ia.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58256
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;idphdomain.idph.state.ia.us. IN MX
;; AUTHORITY SECTION:
idphdomain.idph.state.ia.us. 86400 IN NS idphadc4.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN NS w2k8dc1.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN NS w2k8dc2.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN NS idphadc1.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN NS idphadc2.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN NS idphadc3.idphdomain.idph.state.ia.us.
[ ... ]
Regards,
--
-Chuck
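
The counters in the query-errors lines quoted above can be extracted and triaged mechanically. The following is an added example, not part of the original message and not BIND code; the sample lines are constructed from the excerpts in this thread, and the triage() labels and thresholds are assumptions based on the code comments quoted above.

```python
import re

# Constructed sample: the two excerpts quoted in this thread, unwrapped. The
# second timestamp and the first closing bracket are filled in for the sample.
SAMPLE_LOG = """\
10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:31.000 query-errors: debug 2: fetch completed at resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.000069: timed out/success [domain:idphdomain.idph.state.ia.us,referral:3,restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

FETCH_RE = re.compile(
    r"fetch completed at resolver\.c:\d+ for (?P<name>\S+)/(?P<type>\w+) "
    r"in (?P<secs>[\d.]+): (?P<result>[^\[]+?) \[(?P<counters>[^\]]*)\]"
)

def parse_fetch(line):
    """Return the fields of a 'fetch completed' debug 2 line, or None."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    counters = {}
    for item in m["counters"].split(","):
        key, sep, value = item.partition(":")
        if sep:  # skip empty or malformed items
            counters[key] = int(value) if value.isdigit() else value
    return {"name": m["name"], "type": m["type"], "secs": float(m["secs"]),
            "result": m["result"], "counters": counters}

def triage(rec):
    """Hypothetical triage labels; the thresholds are assumptions."""
    c = rec["counters"]
    sent = c.get("qrysent", 0)
    if c.get("adberr", 0) > 0 and sent == 0:
        return "adb"      # no query ever left: no usable server address found
    if sent > 0 and 2 * c.get("timeout", 0) >= sent:
        return "timeout"  # at least half of the queries sent went unanswered
    if c.get("lame", 0) > 0:
        return "lame"     # cached lame server
    return "other"

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_fetch(line)
        if rec:
            print(rec["name"], rec["type"], rec["result"], triage(rec))
```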