[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Mark Andrews marka at isc.org
Wed Feb 23 00:57:02 UTC 2011 

In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin" writes:
> Mark,
> 
> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3?  My problem is that I
> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from 
> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older BINDs like
> 9.3.  I don't know if the problem is with the authoritative nameservers for 
> gov or the nameservers for nyc.gov or with the BIND I am using.  I noticed 
> the following:

Just fix your firewalls to allow EDNS responses through.  While
this is a bug in the authoritative servers / interpretation of
RFC 1034, its only a issue because your firewall configuration
is a decade out of date that it is a problem.

> 1). a.gov-servers.net  or b.gov-servers.net  does provide A records in the 
> additional records of their responses for other subdomain under gov like 
> treas.gov, just not nyc.gov.  So the problem seems with nameservers for 
> nyc.gov.  The problem is relatively new and there might be some recent 
> changes on nyc.gov.

The gov servers will return glue if you let bigger answers than 512 bytes
through your firewall.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;vwall4a.nyc.gov.		IN	A

;; AUTHORITY SECTION:
nyc.gov.		86400	IN	NS	vwall1a.nyc.gov.
nyc.gov.		86400	IN	NS	vwall2a.nyc.gov.
nyc.gov.		86400	IN	NS	vwall3a.nyc.gov.
nyc.gov.		86400	IN	NS	vwall4a.nyc.gov.
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.	86400	IN	A	161.185.1.3
vwall2a.nyc.gov.	86400	IN	A	161.185.1.12
vwall3a.nyc.gov.	86400	IN	A	167.153.130.12
vwall4a.nyc.gov.	86400	IN	A	167.153.130.13

;; Query time: 187 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:54:06 2011
;; MSG SIZE  rcvd: 574
 
> 2) Older version of Binds (like 9.3) seems able to resolve vwall4a.nyc.gov 
> as shown the packets I captured in my previous e-mail.
> 
> What options in named.conf I can use to set "tc"?
> 
> Thank you.
> 
> Shaoquan Lin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list