Another Question about SERVFAIL

b19141 at anl.gov
Tue May 25 20:24:54 UTC 2010


One of our networking personnel is trying to access

     ftp.cisco.com

and is unable to do so from Argonne.  He has no problem from home
(Comcast).  The Comcast DNS servers are

     68.87.72.134
     68.87.77.134

and report that they are running "Nominum Vantio 4.2.1.0" (about which
I know very little).

My DNS servers are running BIND 9.7.0-P1.  I did some DNS queries here
and I have made comments after each DNS query.

Are my comments and suppositions correct?
===============================================================
dnsserver% dig ftp.cisco.com  

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; Query time: 177 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 11:01:45 2010
;; MSG SIZE  rcvd: 31

dnsserver% 

Note the SERVFAIL response.  BIND detects that something is wrong.
===============================================================
dnsserver% dig cisco.com ns 

; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;cisco.com.                     IN      NS

;; ANSWER SECTION:
cisco.com.              38065   IN      NS      ns1.cisco.com.
cisco.com.              38065   IN      NS      ns2.cisco.com.

;; ADDITIONAL SECTION:
ns1.cisco.com.          2668    IN      A       128.107.241.185
ns2.cisco.com.          2831    IN      A       64.102.255.44

;; Query time: 1 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 14:08:01 2010
;; MSG SIZE  rcvd: 95

dnsserver% 

There are two authoritative name servers for cisco.com.
===============================================================
dnsserver% dig ftp.cisco.com @ns1.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400   IN      A       64.102.255.39
sjce-ddir-ns.cisco.com. 86400   IN      A       128.107.240.86

;; Query time: 60 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Tue May 18 14:08:21 2010
;; MSG SIZE  rcvd: 133

dnsserver% 

This response (from one of the two name servers) has problems.

1) There is an answer, but without the "aa" (authoritative answer)
   flag, the response appears to be coming from the cache.

2) The authority section lists the two nameservers that are
   authoritative for the zone ftp.cisco.com.

3) I am not a DNS expert, but with "ra" (recursion available) and
   "rd" (recursion desired) both set, I would expect my query to
   recurse to a name server that will return an authoritative answer.
   Or, since I sent the request to a specific name server, that
   server would return no answers but a referral to the authoritative
   name servers.
===============================================================
dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; Query time: 288 msec
;; SERVER: 64.102.255.39#53(64.102.255.39)
;; WHEN: Tue May 18 14:08:46 2010
;; MSG SIZE  rcvd: 47

dnsserver% 
dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; Query time: 219 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Tue May 18 14:09:12 2010
;; MSG SIZE  rcvd: 47

dnsserver% 

Here I queried both supposedly authoritative name servers, and 
from each I get a non-authoritative answer.  When I did the same
query yesterday afternoon, neither of these two name servers was
accessible.

I assume that with BIND 9.7.0-P1, if the response is not
authoritative, then BIND will not trust the answer.
===============================================================

----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
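
An added example, not code from the original post or from BIND: it parses the dig output quoted above and lists the points the post raises about each response (a non-NOERROR status, an answer returned without the aa flag, ra offered by a server that is supposed to be authoritative, and an AUTHORITY section delegating the name). The sample strings are copied from the post's own dig output and trimmed; parse_dig and audit are names assumed here.

```python
import re

# Constructed samples: the dig output quoted in the post above, trimmed to what the parser needs.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
DIG_NS1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.
"""

def parse_dig(text):
    """Return the status, header flags and per-section RRs (name, ttl, type, rdata) of one dig response."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:                                   # ";; ANSWER SECTION:" etc. opens a new section
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):   # skip blanks and ";"-prefixed lines
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((name, int(ttl), rtype, rdata))
    return {"status": status, "flags": flags, "sections": sections}

def audit(resp, expect_authoritative):
    """List what an operator should notice; expect_authoritative: is the queried server meant to be authoritative?"""
    findings = []
    if resp["status"] != "NOERROR":
        return ["status " + resp["status"]]       # e.g. the SERVFAIL the local resolver returned
    answers = resp["sections"].get("ANSWER", [])
    if answers and "aa" not in resp["flags"]:     # data returned, but not marked authoritative
        findings.append("answer without aa flag (non-authoritative, cached data)")
    if expect_authoritative and "ra" in resp["flags"]:
        findings.append("ra set: a supposedly authoritative server also offers recursion")
    ns = [(r[0], r[3]) for r in resp["sections"].get("AUTHORITY", []) if r[2] == "NS"]
    if ns:                                        # NS records in AUTHORITY: the name is delegated
        findings.append("authority section delegates %s to %s"
                        % (ns[0][0], ", ".join(n for _, n in ns)))
    return findings
```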



More information about the bind-users mailing list