Cannot resolve outside my TLD - all others give SERVFAIL

Chris C chrisc at optonline.net
Wed Apr 28 20:55:26 UTC 2010


Hello,

Has anyone run into something like this?

I am running the following version of Bind:

BIND 9.6.2-P1-RedHat-9.6.2-3.P1 built with
'--host=x86_64-redhat-linux-gnu' '--build=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'CFLAGS= -O2 -g -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
'CXXFLAGS=-O2 -g -m64 -mtune=generic' 'FFLAGS=-O2 -g -m64 -mtune=generic'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux'


This instance is used as a caching resolver with blacklists.  The
blacklists are fed what is basically a null.zone file.

I.e.:
$TTL    86400   ; one day

@       IN      SOA     dnsbl0.xxx.xxx.      hostmaster.xxx.xxx. (
                        2010030900       ; serial number YYMMDDNN
                        28800   ; refresh  8 hours
                        7200    ; retry    2 hours
                        864000  ; expire  10 days
                        86400 ) ; min ttl  1 day
                NS      dnsbl0.xxx.gov.
                NS      dnsbl1.xxx.gov.
                NS      dnsbl2.xxx.gov.

		A	127.0.0.3

*		IN      A       127.0.0.3


There are approx. 172K zones for the blacklist.

Recently the system would give out SERVFAIL for all queries outside my
TLD.  Anything inside my TLD works fine.

If I drop the blacklists (say to 50K), it works fine.  I am trying to
find that magic number in which the failures start to occur, but the
daemon takes about 15-20 minutes for a restart.  I will post that once
obtained.

Here is the output:

# dig +trace @localhost www.google.com

; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1 <<>> +trace @localhost www.google.com
; (1 server found)
;; global options: +cmd
.			517976	IN	NS	d.root-servers.net.
.			517976	IN	NS	g.root-servers.net.
.			517976	IN	NS	k.root-servers.net.
.			517976	IN	NS	i.root-servers.net.
.			517976	IN	NS	a.root-servers.net.
.			517976	IN	NS	h.root-servers.net.
.			517976	IN	NS	e.root-servers.net.
.			517976	IN	NS	j.root-servers.net.
.			517976	IN	NS	f.root-servers.net.
.			517976	IN	NS	c.root-servers.net.
.			517976	IN	NS	b.root-servers.net.
.			517976	IN	NS	l.root-servers.net.
.			517976	IN	NS	m.root-servers.net.
;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 46 ms

com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
;; Received 492 bytes from 128.8.10.90#53(d.root-servers.net) in 11 ms

;; connection timed out; no servers could be reached
#



regards,

Chris
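The null-zone blacklist described in the post above, as an added example that is not part of the original message or of BIND itself: a small Python generator that turns a plain domain list into the `zone` stanzas such a setup needs, all pointing at one shared null zone file. Because the null zone carries `* IN A 127.0.0.3`, a zone for `example.net` already answers for every name beneath it, so the generator drops names whose parent is already listed, which directly reduces the number of zones named has to load. The path `/etc/named/null.zone`, the function names, and the sample feed are assumptions, not taken from the post.

```python
"""Generate BIND zone stanzas for a null-zone blacklist (added example).

Not from the original post. Assumes one shared null zone file (the path below
is an assumption) and a plain-text block list, one domain per line, with '#'
comments.
"""
import re
from typing import Iterable, List, Optional

# Assumed path of the shared null zone file; adjust to your layout.
NULL_ZONE_FILE = "/etc/named/null.zone"

# One DNS label: 1..63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> Optional[str]:
    """Lower-case, trim, drop a trailing dot; None if not a usable domain.

    Single-label names are rejected on purpose: a typo in the feed must not
    blackhole a whole TLD.
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2:
        return None
    if not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def parse_list(text: str) -> List[str]:
    """Return the non-comment, non-blank entries of a block list."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def minimize(domains: Iterable[str]) -> List[str]:
    """Keep only the top-most blocked name in each subtree.

    The null zone answers '* IN A 127.0.0.3', so a zone for example.net
    already covers ads.example.net; a second zone for it only adds load.
    Names are visited shortest-first so ancestors are decided before children.
    """
    names = {n for n in (normalize(d) for d in domains) if n}
    kept = set()
    for name in sorted(names, key=lambda s: (s.count("."), s)):
        labels = name.split(".")
        # Ancestors with at least two labels, e.g. b.example.com, example.com
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(a in kept for a in ancestors):
            kept.add(name)
    return sorted(kept)


def zone_stanza(name: str, null_zone: str = NULL_ZONE_FILE) -> str:
    """One named.conf stanza; 'type master' is the BIND 9.6-era spelling."""
    lines = [
        'zone "%s" {' % name,
        "    type master;",
        '    file "%s";' % null_zone,
        "    allow-update { none; };",
        "};",
    ]
    return "\n".join(lines) + "\n"


def render_config(domains: Iterable[str], null_zone: str = NULL_ZONE_FILE) -> str:
    """Body of an include file holding one stanza per minimized name."""
    return "".join(zone_stanza(n, null_zone) for n in minimize(domains))


# Constructed sample feed; not real blacklist data.
SAMPLE_BLACKLIST = """
# comment line
malware.example
www.malware.example        # covered by malware.example
ads.example.net.
cdn.ads.example.net        # covered by ads.example.net
Tracker.Example.ORG
bad_host.example           # underscore: rejected
example                    # bare TLD: rejected
"""

if __name__ == "__main__":
    entries = parse_list(SAMPLE_BLACKLIST)
    print("; %d entries, %d zones after minimization" % (len(entries), len(minimize(entries))))
    print(render_config(entries), end="")
```

Write the output to a file and pull it into named.conf with an `include` statement. Running the feed through `minimize` before generating stanzas is the cheap part of keeping the zone count down; every stanza that survives is a zone named must load on every restart.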


