Servfail When Resolving certain domains

Mark_Andrews at isc.org
Tue Dec 11 21:05:58 UTC 2001


> > > That is why, if I understand why a zone forward works and a standard config
> > > does not, then I can with confidence tell them why there is a problem.
> > 
> > 	Because the standard config is expecting to be talking to servers
> > 	that are authoritative.  
> 
> If it does not, will it just return a SERVFAIL message?

	If *all* the servers for the zone are broken.
 
> >     When you are using a forward zone the
> > 	server is *not* expecting to be talking to an authoritative server
> > 	but rather a caching server and caching servers don't set 'aa'
> > 	whereas authoritative servers do.  
> 
> This does seem to be the case, but I was not sure that the name server HAD
> to receive an authoritative answer all the time, in order to be able to
> resolve a name. I see non-authoritative answers a lot, are you telling me
> that there are that many DNS servers out there not configured correctly?

	Yes.  People don't look at the logs or ignore the error messages.
	Answers from a cache don't have 'aa' set.  Answers from an
	authoritative server should have 'aa' set.  The lack of 'aa'
	means that an error was detected when the zone was loaded.
	As a client we only know that there was an error and as such
	the answers we are getting back from this server may be incomplete
	therefore we should not accept them.

> >     The servers in question are
> > 	not setting 'aa' in the answers (indicating that they detected
> > 	an error on load) and named is rejecting their answers as bad.
> 
> Is there a way for the name server to accept a non-authoritative answer with
> a standard configuration that uses the db.cache file?

	No.  Why would you accept known *bad* answers?

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
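
The check discussed in this message, as an added example that is not part of the original post and is not BIND's code: it reads the 'aa' bit from each listed server's response header and reports whether any server gave an answer that a resolver expecting authoritative servers would accept. The server names, the header-only sample messages and the simplified "usable if at least one server sets 'aa'" rule are constructed assumptions.

```python
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available (typical of caches)
        "rcode": flags & 0x000F,
        "ancount": an,
    }

def classify(msg: bytes) -> str:
    """Label one response the way the thread describes it."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != 0:
        return RCODES.get(h["rcode"], "rcode-%d" % h["rcode"])
    return "authoritative" if h["aa"] else "non-authoritative"

def audit_zone(responses: dict) -> tuple:
    """Return (per-server verdicts, usable); usable is False only when
    every listed server fails to give an authoritative answer."""
    verdicts = {srv: classify(msg) for srv, msg in responses.items()}
    usable = any(v == "authoritative" for v in verdicts.values())
    return verdicts, usable

def sample_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed header-only message: id, flags, then the four counts."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample data: hypothetical servers for one zone.
SAMPLES = {
    "ns1.example.test": sample_header(0x8400),     # QR + AA
    "ns2.example.test": sample_header(0x8180),     # QR + RD + RA, no AA
    "ns3.example.test": sample_header(0x8182, 0),  # SERVFAIL
}

if __name__ == "__main__":
    verdicts, usable = audit_zone(SAMPLES)
    for server, verdict in sorted(verdicts.items()):
        print(server, verdict)
    print("zone usable via standard resolution:", usable)
```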

