SERVFAIL

bsfinkel at anl.gov
Wed Sep 10 15:02:39 UTC 2008


I wrote:
>> In response to a posting "Re: Two DNS Servers inside a firewall"
>> Mark Andrews wrote on September 5:
>>
>>   
>>> 	Below is an example of such a bad delegation.  The last SOA
>>> 	record should be owned by www.lawlink.nsw.gov.au not
>>> 	lawlink.nsw.gov.au.  It results in SERVFAIL being returned.
>>>
>>> 	Mark
>>>
>>>
>>> ; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;www.lawlink.nsw.gov.au.		IN	AAAA
>>>
>>> ;; Query time: 63 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Fri Sep  5 12:01:30 2008
>>> ;; MSG SIZE  rcvd: 40
>>>
>>> ; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
>>> ;; global options:  printcmd
>>> .			440024	IN	NS	h.root-servers.net.
>>> .			440024	IN	NS	d.root-servers.net.
>>> .			440024	IN	NS	g.root-servers.net.
>>> .			440024	IN	NS	i.root-servers.net.
>>> .			440024	IN	NS	b.root-servers.net.
>>> .			440024	IN	NS	l.root-servers.net.
>>> .			440024	IN	NS	m.root-servers.net.
>>> .			440024	IN	NS	e.root-servers.net.
>>> .			440024	IN	NS	f.root-servers.net.
>>> .			440024	IN	NS	a.root-servers.net.
>>> .			440024	IN	NS	j.root-servers.net.
>>> .			440024	IN	NS	c.root-servers.net.
>>> .			440024	IN	NS	k.root-servers.net.
>>> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
>>>
>>> au.			172800	IN	NS	ns1.audns.net.au.
>>> au.			172800	IN	NS	dns1.telstra.net.
>>> au.			172800	IN	NS	sec1.apnic.net.
>>> au.			172800	IN	NS	sec3.apnic.net.
>>> au.			172800	IN	NS	adns1.berkeley.edu.
>>> au.			172800	IN	NS	adns2.berkeley.edu.
>>> au.			172800	IN	NS	audns.optus.net.
>>> au.			172800	IN	NS	aunic.aunic.net.
>>> ;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
>>>
>>> lawlink.nsw.gov.au.	3600	IN	NS	ns3.uecomm.net.au.
>>> lawlink.nsw.gov.au.	3600	IN	NS	ns1.uecomm.net.au.
>>> lawlink.nsw.gov.au.	3600	IN	NS	ns2.uecomm.net.au.
>>> ;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
>>>
>>> www.lawlink.nsw.gov.au.	3600	IN	NS	ns1.lawlink.nsw.gov.au.
>>> www.lawlink.nsw.gov.au.	3600	IN	NS	ns2.lawlink.nsw.gov.au.
>>> ;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
>>>
>>> lawlink.nsw.gov.au.	86400	IN	SOA	lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
>>> ;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
>>>     
>>
>>
>> I have a user who cannot resolve
>>
>>      www.flickr.com
>>
>> The name server I am querying is 9.5.0-P1 (to be updated to a patched
>> P2 tomorrow).  When I query at one of the authoritative name servers,
>> I get:
>>
>>      oberon% dig www.flickr.com @ns1.yahoo.com.
>>
>>      ; <<>> DiG 8.3 <<>> www.flickr.com @ns1.yahoo.com.
>>      ; (1 server found)
>>      ;; res options: init recurs defnam dnsrch
>>      ;; got answer:
>>      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>>      ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
>>      ;; QUERY SECTION:
>>      ;;      www.flickr.com, type = A, class = IN
>>
>>      ;; ANSWER SECTION:
>>      www.flickr.com.         5M IN CNAME     www.flickr.vip.mud.yahoo.com.
>>      www.flickr.vip.mud.yahoo.com.  15M IN A  68.142.214.24
>>
>>      ;; AUTHORITY SECTION:
>>      mud.yahoo.com.          2D IN NS        ns1.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns2.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns3.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns4.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns5.yahoo.com.
>>
>>      ;; ADDITIONAL SECTION:
>>      ns1.yahoo.com.          2D IN A         66.218.71.63
>>      ns2.yahoo.com.          2D IN A         68.142.255.16
>>      ns3.yahoo.com.          2D IN A         217.12.4.104
>>      ns4.yahoo.com.          2D IN A         68.142.196.63
>>      ns5.yahoo.com.          30M IN A        119.160.247.124
>>
>>      ;; Total query time: 64 msec
>>      ;; FROM: oberon.it.anl.gov to SERVER: ns1.yahoo.com.  66.218.71.63
>>      ;; WHEN: Tue Sep  9 13:25:03 2008
>>      ;; MSG SIZE  sent: 32  rcvd: 257
>>
>>      oberon%
>>
>> but a general query results in SERVFAIL:
>>
>>      oberon% dig www.flickr.com
>>
>>      ; <<>> DiG 8.3 <<>> www.flickr.com
>>      ;; res options: init recurs defnam dnsrch
>>      ;; got answer:
>>      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
>>      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>      ;; QUERY SECTION:
>>      ;;      www.flickr.com, type = A, class = IN
>>
>>      ;; Total query time: 9 msec
>>      ;; FROM: oberon.it.anl.gov to SERVER: default -- 146.139.254.5
>>      ;; WHEN: Tue Sep  9 13:22:46 2008
>>      ;; MSG SIZE  sent: 32  rcvd: 32
>>
>>      oberon%
>>
>> I notice that when I query one of the authoritative name servers I
>> get
>>
>>      ;; ANSWER SECTION:
>>      www.flickr.com.         5M IN CNAME     www.flickr.vip.mud.yahoo.com.
>>      www.flickr.vip.mud.yahoo.com.  15M IN A  68.142.214.24
>>
>>      ;; AUTHORITY SECTION:
>>      mud.yahoo.com.          2D IN NS        ns1.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns2.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns3.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns4.yahoo.com.
>>      mud.yahoo.com.          2D IN NS        ns5.yahoo.com.
>>
>> Is the SERVFAIL because I queried
>>
>>      flickr.com
>>
>> and the authority is
>>
>>      mud.yahoo.com ?
>>   


And Kevin Darcy replied:
>No, that's perfectly normal. CNAMEs point to names in other domains all 
>the time. The only thing slightly unusual here is that the nameservers 
>for flickr.com also happen to be authoritative for the zone which 
>contains the target of the alias (www.flickr.vip.mud.yahoo.com) and are 
>therefore able to provide the A record without any further need for 
>referral-chasing. But that's _relatively_ normal too.
>> If not, then why am I getting SERVFAIL?  Thanks.
>>   
>Does a dig +trace for www.flickr.com work?
>
>If you have port and/or source-address restrictions in named.conf, make 
>sure you're using the same port and/or source-address for your test 
>queries. Otherwise it's not really a valid test.
>
>If you're still getting SERVFAIL for your regular queries, but not for 
>your test queries, dump your cache and see if maybe you're trying to use 
>some bad/stale/obsolete cached glue/referral data in order to resolve 
>the name.

I did an "rndc dumpdb", and I did not see any stale glue in the cache.
But I am not sure exactly for what to search.

I have no port and/or source-address restrictions in named.conf.
When I do the "dig www.flickr.com" on my two external DNS servers
(both 9.5.0-P2 with Jinmei's dumpdb patch) the queries succeed.
When I issue the command on my two internal DNS servers (one the
patched -P2 and one still 9.5.0-P1), both servers give SERVFAIL.
I looked at the source code (query.c) yesterday, and there are 23
cases for SERVFAIL.  Before some of the SERVFAIL lines I see

     CTRACE("...");

How do I enable this tracing?  Or is there another way to determine
which SERVFAIL code is matching in query.c?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
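
An added example (not part of the original message, and not BIND code): a check for the kind of bad delegation Mark Andrews describes, run over an excerpt of the +trace output quoted above. It goes beyond that one case by following referrals toward the query name in any trace and flagging an SOA whose owner lies above the last zone cut; the function names are hypothetical.

```python
# Excerpt of the dig +trace output quoted in the message (whitespace normalised).
TRACE = """\
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms

www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms

lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
"""

def labels(name):
    """Split an absolute DNS name into lowercase labels; '.' gives []."""
    return [l for l in name.lower().split(".") if l]

def is_at_or_below(name, zone):
    """True if name equals zone or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_records(text):
    """Yield (owner, type, rdata) for each 'owner ttl IN type rdata' line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blanks and dig comment lines
        f = line.split(None, 4)
        if len(f) == 5 and f[2] == "IN":
            yield f[0], f[3], f[4]

def check_trace(text, qname):
    """Return (deepest zone cut, [(soa_owner, zone_cut), ...] mismatches)."""
    zone_cut, findings = ".", []
    for owner, rtype, _ in parse_records(text):
        # A referral toward qname moves the zone cut deeper.
        if rtype == "NS" and is_at_or_below(qname, owner) \
                and is_at_or_below(owner, zone_cut):
            zone_cut = owner
        # An SOA owned above the delegated zone is the bad delegation.
        elif rtype == "SOA" and not is_at_or_below(owner, zone_cut):
            findings.append((owner, zone_cut))
    return zone_cut, findings

if __name__ == "__main__":
    cut, bad = check_trace(TRACE, "www.lawlink.nsw.gov.au.")
    for soa_owner, zone in bad:
        print(f"SOA owner {soa_owner} is above delegated zone {zone}")
```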

