dig with status: REFUSED

Mark_Andrews at isc.org Mark_Andrews at isc.org
Thu Nov 20 00:02:45 UTC 2003


> 
> > 
> > From: Edvard Tuinder <listbind at lunytune.nl>
> > Date: 2003/11/19 Wed AM 11:05:12 EST
> > To: aabouk01 at fiu.edu
> > CC: bind-users at isc.org
> > Subject: Re: dig with status: REFUSED
> > 
> > According to aabouk01 at fiu.edu:
> > > What would cause a query to come back with a refused status?
> > > I can query the zone on some nameservers with no issues, but
> > > on others I am not able to. The domain I'm working with is
> > > bernuth.com. Could this simply be the changes have not propagated
> > > to all nameservers or I have an issue on my zone configuration?
> > 
> > No, not all nameservers allow you to use them as recursive nameservers.
> > The REFUSED return code may be due to that.
> > 
> > If you want to verify the setup of your domain, check on www.dnsreport.com.
> > That site will perform various sanity checks on your domain.
> > 
> > But to answer your question partially, the setup of your domain is not
> > correct. According to the gtld-servers the nameservers are ns.fbsims.com
> > and ns1.fbsims.com. The first (ns.fbsims) is set up correctly, but the second
> > is not answering correctly, but returning SERV-FAIL, which usually indicates
> > that it is not able to transfer the zone from the primary.
> > 
> > Furthermore the NS list as returned by ns.fbsims.com is not correct, as it
> > only lists itself as nameserver and not also ns1.
> > 
> > Your TTLs are also very high. That is not very useful. Usually something
> > like 1 day or maybe 1 week is more than enough.
> > 
> > -Ed
> > 
> > 
> 
> 
> 
> 
> Here is the output from dig
> 
> dig @165.87.194.244 bernuth.com
> 
> ; <<>> DiG 9.2.1 <<>> @165.87.194.244 bernuth.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55046
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;bernuth.com.			IN	A
> 
> ;; Query time: 60 msec
> ;; SERVER: 165.87.194.244#53(165.87.194.244)
> ;; WHEN: Wed Nov 19 16:18:22 2003
> ;; MSG SIZE  rcvd: 29
> 
> 
> 
> 
> I figured a good starting point would be to fix the errors that are reported 
> by www.dnsreport.com. 
> 
>       FAIL Missing nameservers 2 ERROR:
> 
>       One or more of the nameservers listed at the parent             
>       servers are not listed as NS records at your 
>       nameservers. The problem NS records are:
>       ns.fbsims.com.
> 
> Would this mean that I am missing an NS record on both servers or just
> ns.fbsims.com? I'm not understanding the meaning of this error since now an
> NS record exists on both servers.
> 
> 
> Thanks!
> 
> Alain
> 
> 
> 

	The first thing to correct is the fbsims.com zone.  Once that
	has been done you can look at the other zones hosted on
	ns.fbsims.com and ns1.fbsims.com.

	Mark


; <<>> DiG 9.2.3 <<>> axfr fbsims.com @208.153.106.5
;; global options:  printcmd
fbsims.com.		86400	IN	SOA	ns.fbsims.com. root.ns.fbsims.com. 2003111905 3600 300 1209600 86400

	You really should have multiple nameservers for this zone.
	When you have a second server configured add an NS record referring
	to it and update your delegation information with the registrar.

fbsims.com.		86400	IN	NS	ns.fbsims.com.
ns.fbsims.com.		86400	IN	A	208.153.106.5
fbsims.com.		86400	IN	A	208.153.106.2
fbsims.com.		86400	IN	MX	0 mail.fbsims.com.
rsfbs.fbsims.com.	86400	IN	A	208.153.106.2
flov.fbsims.com.	86400	IN	A	208.153.106.78
vip.fbsims.com.		86400	IN	A	208.153.106.55
wwid4.fbsims.com.	86400	IN	A	208.153.106.102
net3.fbsims.com.	86400	IN	A	208.153.106.159
fbs.fbsims.com.		86400	IN	A	208.153.106.3
net4.fbsims.com.	86400	IN	A	208.153.106.152
net5.fbsims.com.	86400	IN	A	208.153.106.151
h50.fbsims.com.		86400	IN	A	208.153.106.254
h50.fbsims.com.		86400	IN	MX	0 mail.h50.fbsims.com.
mail.h50.fbsims.com.	86400	IN	A	208.153.106.254
www.h50.fbsims.com.	86400	IN	CNAME	h50.fbsims.com.
sheri.fbsims.com.	86400	IN	A	208.153.106.129
net6.fbsims.com.	86400	IN	A	208.153.106.251

	The comment character in zone files is ";" not "#".

#ns.fbsims.com.		86400	IN	NS	fbsims.fbsims.com.
mail.fbsims.com.	86400	IN	A	208.153.106.2
vip1.fbsims.com.	86400	IN	A	208.153.106.155
int2.fbsims.com.	86400	IN	A	208.153.106.54
www.fbsims.com.		86400	IN	CNAME	fbsims.com.
nt-work.fbsims.com.	86400	IN	A	208.153.106.198
int3.fbsims.com.	86400	IN	A	208.153.106.53
wwid1.fbsims.com.	86400	IN	A	208.153.106.99
miag.fbsims.com.	86400	IN	A	208.153.106.243
fbsnt.fbsims.com.	86400	IN	MX	0 fbsnt.fbsims.com.
fbsnt.fbsims.com.	86400	IN	A	208.153.106.72
fbsl.fbsims.com.	86400	IN	A	208.153.106.244
fbs1000.fbsims.com.	86400	IN	A	208.153.106.215
241.fbsims.com.		86400	IN	A	208.153.106.241
wwid2.fbsims.com.	86400	IN	A	208.153.106.100
mias1.fbsims.com.	86400	IN	A	208.153.106.71

	This should be an A record not a NS record.

ns1.fbsims.com.		86400	IN	NS	68.216.33.5.fbsims.com.

	Nobody uses MB records.   If you are attempting to add MX records
	for every existing name in the zone, a wildcard record will NOT
	do what you want.  Wildcard records only match NAMES that DO NOT
	EXIST.

*.fbsims.com.		86400	IN	MB	mail.fbsims.com.
*.fbsims.com.		86400	IN	MB	mail.h50.fbsims.com.
wwid3.fbsims.com.	86400	IN	A	208.153.106.101

	DELETE THIS RECORD.  You already have an A record for ns.fbsims.com.

ns.fbsims.com.		86400	IN	NS	208.153.106.5.fbsims.com.
net2.fbsims.com.	86400	IN	A	208.153.106.149
fbsims.com.		86400	IN	SOA	ns.fbsims.com. root.ns.fbsims.com. 2003111905 3600 300 1209600 86400
;; Query time: 623 msec
;; SERVER: 208.153.106.5#53(208.153.106.5)
;; WHEN: Thu Nov 20 10:58:04 2003
;; XFR size: 42 records

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
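
The checks made by hand in the annotated transfer above can be run mechanically. The following is an added example, not part of the original post or of BIND: a small linter over dig AXFR-style lines. The function name lint_zone, the example.test zone and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample in dig AXFR presentation format, modelled on the
# kinds of mistakes pointed out in the reply above.
SAMPLE = """\
example.test.\t86400\tIN\tSOA\tns.example.test. root.example.test. 1 3600 300 1209600 86400
example.test.\t86400\tIN\tNS\tns.example.test.
ns.example.test.\t86400\tIN\tA\t192.0.2.5
#ns.example.test.\t86400\tIN\tNS\told.example.test.
ns1.example.test.\t86400\tIN\tNS\t192.0.2.9.example.test.
*.example.test.\t86400\tIN\tMB\tmail.example.test.
www.example.test.\t86400\tIN\tA\t192.0.2.10
"""

# An address typed as an NS target without a trailing dot gets the origin
# appended, giving "a.b.c.d.<origin>".
IPV4_PREFIX = re.compile(r"^(\d{1,3}\.){4}")

def lint_zone(text, origin):
    """Return (owner, message) findings for AXFR-style record lines."""
    findings, apex_ns = [], set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";"):
            continue  # blank lines, dig ";" comment lines, malformed rows
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if owner.startswith("#"):
            findings.append((owner, "'#' is not a comment character; this loaded as a record"))
            continue
        if rtype == "NS":
            if owner.lower() == origin.lower():
                apex_ns.add(rdata[0].lower())
            if IPV4_PREFIX.match(rdata[0]):
                findings.append((owner, "NS target looks like an IP address; use an A record"))
        if rtype == "MB":
            findings.append((owner, "MB records are effectively unused; MX was probably intended"))
        if owner.startswith("*."):
            findings.append((owner, "wildcard only matches names that do not exist"))
    if len(apex_ns) < 2:
        findings.append((origin, f"only {len(apex_ns)} NS record(s) at the zone apex"))
    return findings

if __name__ == "__main__":
    for owner, msg in lint_zone(SAMPLE, "example.test."):
        print(f"{owner}: {msg}")
```
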

