[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Shaoquan Lin lin at ccny.cuny.edu
Fri Feb 18 20:54:58 UTC 2011


Ryan,

Have you solved your problem? I have similar problems. I run BIND 9.6..1-P3 on my Solaris 10 and cannot resolve anything in the domain nyc.gov. One thing I noticed is: BIND 9.3 sends a query to b.gov-servers.net with no Additional records and gets a response with A records for the nyc.gov NS servers in the Additional records; but BIND 9.6 sends a query with a type OPT Additional record and gets a response that also has a type OPT but no A in the Additional records. So BIND 9.6 cannot find the IP addresses of the nyc.gov NS servers and therefore cannot resolve anything in that domain. Using the options "max-udp-size 512" and "edns-udp-size 512" does not solve the problem.

The following is what I captured. Does anyone have any suggestions to solve the problem?

Shaoquan Lin

BIND 9.3 query:
Domain Name System (query)

Transaction ID: 0x94ca

Flags: 0x0000 (Standard query)

0... .... .... .... = Response: Message is a query

.000 0... .... .... = Opcode: Standard query (0)

.... ..0. .... .... = Truncated: Message is not truncated

.... ...0 .... .... = Recursion desired: Don't do query recursively

.... .... .0.. .... = Z: reserved (0)

.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

Questions: 1

Answer RRs: 0

Authority RRs: 0

Additional RRs: 0

Queries

vwall4a.nyc.gov: type A, class IN

Name: vwall4a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

BIND 9.3 response:

Domain Name System (response)

Transaction ID: 0x94ca

Flags: 0x8000 (Standard query response, No error)

1... .... .... .... = Response: Message is a response

.000 0... .... .... = Opcode: Standard query (0)

.... .0.. .... .... = Authoritative: Server is not an authority for domain

.... ..0. .... .... = Truncated: Message is not truncated

.... ...0 .... .... = Recursion desired: Don't do query recursively

.... .... 0... .... = Recursion available: Server can't do recursive queries

.... .... .0.. .... = Z: reserved (0)

.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server

.... .... .... 0000 = Reply code: No error (0)

Questions: 1

Answer RRs: 0

Authority RRs: 4

Additional RRs: 4

Queries

vwall4a.nyc.gov: type A, class IN

Name: vwall4a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Authoritative nameservers

nyc.gov: type NS, class IN, ns vwall1a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall1a.nyc.gov

nyc.gov: type NS, class IN, ns vwall2a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall2a.nyc.gov

nyc.gov: type NS, class IN, ns vwall3a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall3a.nyc.gov

nyc.gov: type NS, class IN, ns vwall4a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall4a.nyc.gov

Additional records

vwall1a.nyc.gov: type A, class IN, addr 161.185.1.3

Name: vwall1a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Time to live: 1 day

Data length: 4

Addr: 161.185.1.3

vwall2a.nyc.gov: type A, class IN, addr 161.185.1.12

Name: vwall2a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Time to live: 1 day

Data length: 4

Addr: 161.185.1.12

vwall3a.nyc.gov: type A, class IN, addr 167.153.130.12

Name: vwall3a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Time to live: 1 day

Data length: 4

Addr: 167.153.130.12

vwall4a.nyc.gov: type A, class IN, addr 167.153.130.13

Name: vwall4a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Time to live: 1 day

Data length: 4

Addr: 167.153.130.13

BIND 9.6 query:

Domain Name System (query)

Transaction ID: 0x6427

Flags: 0x0000 (Standard query)

0... .... .... .... = Response: Message is a query

.000 0... .... .... = Opcode: Standard query (0)

.... ..0. .... .... = Truncated: Message is not truncated

.... ...0 .... .... = Recursion desired: Don't do query recursively

.... .... .0.. .... = Z: reserved (0)

.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

Questions: 1

Answer RRs: 0

Authority RRs: 0

Additional RRs: 1

Queries

vwall4a.nyc.gov: type A, class IN

Name: vwall4a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Additional records

<Root>: type OPT

Name: <Root>

Type: OPT (EDNS0 option)

UDP payload size: 512

Higher bits in extended RCODE: 0x0

EDNS0 version: 0

Z: 0x8000

Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)

Bits 1-15: 0x0 (reserved)

Data length: 0

BIND 9.6 response:

Domain Name System (response)

Transaction ID: 0x6427

Flags: 0x8000 (Standard query response, No error)

1... .... .... .... = Response: Message is a response

.000 0... .... .... = Opcode: Standard query (0)

.... .0.. .... .... = Authoritative: Server is not an authority for domain

.... ..0. .... .... = Truncated: Message is not truncated

.... ...0 .... .... = Recursion desired: Don't do query recursively

.... .... 0... .... = Recursion available: Server can't do recursive queries

.... .... .0.. .... = Z: reserved (0)

.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server

.... .... .... 0000 = Reply code: No error (0)

Questions: 1

Answer RRs: 0

Authority RRs: 6

Additional RRs: 1

Queries

vwall4a.nyc.gov: type A, class IN

Name: vwall4a.nyc.gov

Type: A (Host address)

Class: IN (0x0001)

Authoritative nameservers

nyc.gov: type NS, class IN, ns vwall1a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall1a.nyc.gov

nyc.gov: type NS, class IN, ns vwall2a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall2a.nyc.gov

nyc.gov: type NS, class IN, ns vwall3a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall3a.nyc.gov

nyc.gov: type NS, class IN, ns vwall4a.nyc.gov

Name: nyc.gov

Type: NS (Authoritative name server)

Class: IN (0x0001)

Time to live: 1 day

Data length: 10

Name server: vwall4a.nyc.gov

rq2651faaj4nen6tfis8ju5005qccn8j.gov: type Unknown (50), class IN

Name: rq2651faaj4nen6tfis8ju5005qccn8j.gov

Type: Unknown (50)

Class: IN (0x0001)

Time to live: 1 day

Data length: 35

Data

rq2651faaj4nen6tfis8ju5005qccn8j.gov: type RRSIG, class IN

Name: rq2651faaj4nen6tfis8ju5005qccn8j.gov

Type: RRSIG (RR signature)

Class: IN (0x0001)

Time to live: 1 day

Data length: 279

Type covered: Unknown (50)

Algorithm: Unknown (0x07)

Labels: 2

Original TTL: 1 day

Signature expiration: Feb 22, 2011 05:00:22.000000000

Time signed: Feb 17, 2011 05:00:22.000000000

Id of signing key(footprint): 47602

Signer's name: gov

Signature

Additional records

<Root>: type OPT

Name: <Root>

Type: OPT (EDNS0 option)

UDP payload size: 1472

Higher bits in extended RCODE: 0x0

EDNS0 version: 0

Z: 0x0

Data length: 0
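
The condition described in the message above (a referral whose NS targets have no A records in the Additional section, together with the EDNS0 OPT parameters) can be checked directly on a raw DNS message. This is an added example, not part of the original post; the function names are hypothetical and the sample messages are constructed, with 192.0.2.1 as a placeholder glue address.

```python
import struct

def enc_name(name):  # uncompressed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset after it)
    labels, end = [], None
    for _ in range(128):                      # bound pointer chasing
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def rr(name, rtype, rclass, ttl, rdata):  # one resource record
    return enc_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def analyze(msg):
    """Report TC, EDNS0 parameters and NS targets that have no A record in the message."""
    flags, qd, an, ns, ar = struct.unpack("!5H", msg[2:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4      # skip QNAME, QTYPE, QCLASS
    out = {"tc": bool(flags & 0x0200), "edns_size": None, "do": False, "ns": [], "glue": set()}
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                        # NS: rdata is the server name
            out["ns"].append(read_name(msg, off)[0])
        elif rtype == 1:                      # A: owner name has an address
            out["glue"].add(owner)
        elif rtype == 41:                     # OPT: class = UDP size, TTL bit 15 = DO
            out["edns_size"], out["do"] = rclass, bool(ttl & 0x8000)
        off += rdlen
    return dict(out, missing_glue=[n for n in out["ns"] if n not in out["glue"]])

def referral(glue, edns=None):
    """Constructed referral for nyc.gov; edns=(payload size, OPT TTL field)."""
    names = ["vwall1a.nyc.gov", "vwall2a.nyc.gov"]
    auth = [rr("nyc.gov", 2, 1, 86400, enc_name(n)) for n in names]
    add = [rr(n, 1, 1, 86400, bytes([192, 0, 2, 1])) for n in names] if glue else []
    add += [rr("", 41, edns[0], edns[1], b"")] if edns else []
    head = struct.pack("!6H", 0x6427, 0x8000, 1, 0, len(auth), len(add))
    return head + enc_name("vwall4a.nyc.gov") + struct.pack("!2H", 1, 1) + b"".join(auth + add)
```

A non-empty `missing_glue` with `tc` false is the situation shown in the BIND 9.6 capture: the referral names the servers but carries no addresses for them and is not flagged as truncated.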