BIND9 SERVFAIL on some .gov addresses

Ryan Novosielski novosirj at umdnj.edu
Thu Feb 10 20:39:01 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/10/2011 03:23 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 11:26 AM, Ryan Novosielski wrote:
>> dig: isc_socket_create: address family not supported
>>
>> I've read that I shouldn't let this error message lead me anywhere in
>> particular. Does anyone have some advice for where to start
>> troubleshooting?
> 
> The error message you mention is likely an attempt to do something with IPv6 addresses; perhaps your machine or your network is explicitly configured to do IPv4 only?  Does a dig against a well-known working nameserver return valid results like below?

I got the same thought, so I added:

listen-on-v6 { none; };
listen-on { any; };

...to named.conf. Same results.

Yes, the query against a well known server does work:

; <<>> DiG 9.6-ESV-R3 <<>> -t mx health.nyc.gov @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31921
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;health.nyc.gov.                        IN      MX

;; ANSWER SECTION:
health.nyc.gov.         746     IN      MX      10 vwall4.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall1.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall2.nyc.gov.
health.nyc.gov.         746     IN      MX      10 vwall3.nyc.gov.

;; Query time: 97 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Thu Feb 10 15:27:40 2011
;; MSG SIZE  rcvd: 124

Some other facts:

Our MS DNS server works (gets the above result).
DiG 9.7.0-P1 from Linux laptop work against server in question, but only
with +trace.
DiG 9.6-ESV-R3 from server sometimes times out, sometimes comes back
quickly with nothing. +trace sometimes times out, sometimes fails with
the address family response.

health.nyc.gov query-errors:

10-Feb-2011 15:32:30.682 query-errors: debug 1: client
130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
at query.c:4630
10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
[domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0

Other nyc.gov query-errors:

10-Feb-2011 15:32:33.720 query-errors: debug 1: client
130.219.34.129#59754: query failed (SERVFAIL) for cityhall.nyc.gov/IN/MX
at query.c:4630
10-Feb-2011 15:32:33.720 query-errors: debug 2: fetch completed at
resolver.c:3057 for cityhall.nyc.gov/MX in 0.000063: failure/success
[domain:nyc.GOV,referral:0,restar
t:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:33.863 query-errors: debug 1: client
10.32.15.102#62148: query failed (SERVFAIL) for cityhall.nyc.gov/IN/MX
at query.c:4630
10-Feb-2011 15:32:33.863 query-errors: debug 2: fetch completed at
resolver.c:3057 for cityhall.nyc.gov/MX in 0.000043: failure/success
[domain:nyc.GOV,referral:0,restar
t:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:33.932 query-errors: debug 1: client
10.32.15.102#55688: query failed (SERVFAIL) for vwall4.nyc.gov/IN/A at
query.c:4630
10-Feb-2011 15:32:33.932 query-errors: debug 2: fetch completed at
resolver.c:3057 for vwall4.nyc.gov/A in 0.000036: failure/success
[domain:nyc.GOV,referral:0,restart:1
,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:37.580 query-errors: debug 1: client
10.32.15.102#44514: query failed (SERVFAIL) for vwall2.nyc.gov/IN/A at
query.c:4630
10-Feb-2011 15:32:37.580 query-errors: debug 2: fetch completed at
resolver.c:3057 for vwall2.nyc.gov/A in 0.000036: failure/success
[domain:nyc.GOV,referral:0,restart:1
,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
10-Feb-2011 15:32:37.585 query-errors: debug 1: client
10.32.15.102#40223: query failed (SERVFAIL) for vwall4.nyc.gov/IN/A at
query.c:4630
10-Feb-2011 15:32:37.585 query-errors: debug 2: fetch completed at
resolver.c:3057 for vwall4.nyc.gov/A in 0.000050: failure/success
[domain:nyc.GOV,referral:0,restart:1
,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]

A similar failure for another domain:

10-Feb-2011 14:48:12.406 query-errors: debug 1: client
130.219.34.129#51779: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client
130.219.34.129#51735: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client
130.219.34.129#53507: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.406 query-errors: debug 1: client
130.219.34.129#63844: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.407 query-errors: debug 1: client
10.32.15.102#56194: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.407 query-errors: debug 1: client
130.219.34.129#54366: query failed (SERVFAIL) for
idphdomain.idph.state.ia.us/IN/MX at query.c:4630
10-Feb-2011 14:48:12.407 query-errors: debug 2: fetch completed at
resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.000069: timed
out/success [domain:idphdomain.
idph.state.ia.us,referral:3,restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1UTOUACgkQmb+gadEcsb6WOACfQPU84FpBv4JP+v9aizxTLHVF
4WUAnRgIPxMhG5E0YbEtqw9WZjW9bFBu
=OltN
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: novosirj.vcf
Type: text/x-vcard
Size: 301 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110210/0c23af4d/attachment.vcf>

More information about the bind-users mailing list