bind 9.2.1 SERVFAIL driving me nuts

Victor Wren vwrennospam at ponyhomenospam.com
Tue Dec 16 06:51:00 UTC 2003


I'm running out of ideas.  I have a 2.4.20 server running bind 9.2.1.
Actually, I have two servers, one of which is trouble-free, the other
of which is being a pig.  They are mutual slaves for each other's
domains.

When I check the name service on other servers, it appears to be
working (though the web checkers, like DNSReport, might be going into
recursion, which gets its answer from server number two, the good one,
and not server number one, the pig).

Starting the server shows no errors in the syslog.  Doing very simple
things like "dig @127.0.0.1 ." results in 
; <<>> DiG 9.2.1 <<>> @127.0.0.1 .
;; global options:  printcmd
;; connection timed out; no servers could be reached

I have been thinking that the firewall configuration could be the
problem, but even when I flush all the rules and set all the chains to
policy "ACCEPT" it still acts the same.  In my firewall rules, I allow
anybody to connect to port 53 by TCP or UDP.

"netstat -an"  shows the server listening on all my interfaces
udp        0      0 67.112.125.92:53        0.0.0.0:*
udp        0      0 67.112.125.91:53        0.0.0.0:*
udp        0      0 67.112.125.90:53        0.0.0.0:*
udp        0      0 172.16.24.1:53          0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*

I can't find any problems in my named.conf.  Here's an edited section
of it:
=========================================
options {
directory "/var/named/";
auth-nxdomain yes ;
allow-query { 67.112.125.88/29; localhost; };
allow-transfer {67.116.23.64/28; localhost;};
allow-recursion { 127.0.0.1; 67.112.125.88/29; 67.116.23.64/28;
172.16.24/24;};
pid-file "/var/run/named/named.pid";
listen-on-v6 { none; };
query-source address * port 53;
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "zone/db.127.0.0";
        allow-query {any;};
        };

zone "125.112.67.in-addr.arpa" {
        type master;
        notify yes;
        file "zone/db.67.112.125.88:29";
        allow-query {any;};
        };

zone "ponyhome.com" {
        type master;
        file "zone/db.ponyhome";
        notify yes;
        allow-query {any;};
        };
=====================================================
Here is zone file "db.67.112.125.88:29"
============================
$TTL 3D
@       IN      SOA     trip.ponyhome.com. root.trip.ponyhome.com.  (
                                2003121401      ; Serial
                                8H              ; Refresh
                                4H              ; Retry
                                7D              ; Expire
                                3D )            ; Minimum

                NS      trip.ponyhome.com.
                NS      helios.timension.com.

89              PTR     gateway.ponyhome.com.
90              PTR     trip.ponyhome.com.
==================================
And here is the forward zone, "db.ponyhome":
==================================
$ORIGIN ponyhome.com.
$TTL 86400
@       IN      SOA     trip.ponyhome.com. root.trip.ponyhome.com.  (
                                2003121402      ; Serial
                                2H      ; Refresh
                                1H      ; Retry
                                7D      ; Expire
                                1D )    ; Minimum TTL

                NS      trip.ponyhome.com.
                NS      helios.timension.com.
                MX      10      trip.ponyhome.com.
                MX      20      helios.timension.com.

@               IN      A       67.112.125.90
trip            IN      A       67.112.125.90
gateway         IN      A       67.112.125.89
==================================

It IS responding nicely to all the domains that I have authority for.

For example:
 dig @67.112.125.90 wren.ponyhome.com

; <<>> DiG 9.2.1 <<>> @67.112.125.90 wren.ponyhome.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33704
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;wren.ponyhome.com.             IN      A

;; ANSWER SECTION:
wren.ponyhome.com.      86400   IN      CNAME   trip.ponyhome.com.
trip.ponyhome.com.      86400   IN      A       67.112.125.90

;; AUTHORITY SECTION:
ponyhome.com.           86400   IN      NS      helios.timension.com.
ponyhome.com.           86400   IN      NS      trip.ponyhome.com.

;; ADDITIONAL SECTION:
helios.timension.com.   86400   IN      A       67.116.23.65

;; Query time: 2 msec
;; SERVER: 67.112.125.90#53(67.112.125.90)
;; WHEN: Mon Dec 15 22:28:29 2003
;; MSG SIZE  rcvd: 131

============================
But if I try to look up anything not under my authority:
 dig @67.112.125.90 microsoft.com

; <<>> DiG 9.2.1 <<>> @67.112.125.90 microsoft.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16238
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; Query time: 2 msec
;; SERVER: 67.112.125.90#53(67.112.125.90)
;; WHEN: Mon Dec 15 22:30:49 2003
;; MSG SIZE  rcvd: 31
==================
Any suggestions, yelling or pointing out of stupid mistakes would be
gladly accepted.  I just can't see what I'm doing wrong, here.

Victor Wren vwren ampersand ponyhome period com
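
As an added example (not part of Victor's post or of BIND itself), the following Python builds a raw DNS query and decodes the reply header, so the status and flags dig prints above (NOERROR with aa for the local zone, SERVFAIL with ra for microsoft.com, or a timeout for ".") can be read and classified programmatically; the `query` helper is a hypothetical name and the sample reply bytes in the test are constructed from the header lines in the post.

```python
"""Build a DNS query and decode the reply header the way dig's HEADER line
shows it. Added diagnostic example; not code from the original post."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, qid=0x1234, rd=True):
    """Wire-format query for `name` (type A, class IN by default)."""
    flags = 0x0100 if rd else 0x0000              # RD bit: ask for recursion
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if label:                                 # "." yields only the root label
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"                              # root label ends the name
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(reply):
    """Decode the 12-byte header into the fields dig prints."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answer": an, "authority": ns, "additional": ar,
    }

def classify(hdr):
    """Map rcode/flags to the reading a practitioner takes from dig output."""
    if hdr["rcode"] == "NOERROR" and hdr["aa"]:
        return "authoritative answer"
    if hdr["rcode"] == "SERVFAIL" and hdr["ra"]:
        return "server accepted recursion but failed to resolve"
    if hdr["rcode"] == "REFUSED":
        return "query refused by policy (allow-query/allow-recursion)"
    return hdr["rcode"]

def query(server, name, timeout=3.0):
    """One UDP query over the network (hypothetical helper); None on timeout,
    which is what dig reports as 'connection timed out'."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_header(data) if data[:2] == pkt[:2] else None
```

Running `classify(query("67.112.125.90", "microsoft.com"))` against the server in the post would return the SERVFAIL reading, while the same call for "wren.ponyhome.com" returns "authoritative answer".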

