SERVFAIL on a CNAME, but NOERROR when querying the CNAME itself
Mark Andrews
marka at isc.org
Thu Jun 30 10:49:07 UTC 2011
The servers for manage.logicboxes.com return SERVFAIL to A queries. Named
doesn't parse any further than seeing the SERVFAIL.
Mark
; <<>> DiG 9.6.0-APPLE-P2 <<>> ns manage.logicboxes.com @D.SERVICE.AFILIASDNS.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21867
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;manage.logicboxes.com. IN A
;; ANSWER SECTION:
manage.logicboxes.com. 14400 IN CNAME www.myorderbox.com.
;; Query time: 217 msec
;; SERVER: 2001:500:18::254#53(2001:500:18::254)
;; WHEN: Thu Jun 30 20:45:52 2011
;; MSG SIZE rcvd: 68
In message <4E0C3E1C.5040500 at mailclub.fr>, Laurent Bauer writes:
> Hello,
>
> I have a problem resolving "manage.logicboxes.com" with bind. I tried
> versions 9.7.3, 9.7.1-P2 and 9.6-ESV-R1, all of them return a SERVFAIL
> with a pretty long query time :
>
> ; <<>> DiG 9.7.1-P2 <<>> manage.logicboxes.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13208
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;manage.logicboxes.com. IN A
>
> ;; Query time: 1246 msec
>
> Same error with "+cd" (there are no DS or signatures anywhere in the
> related zones anyway, except for .com)
> But "dig +trace" returns the correct CNAME as an answer :
> manage.logicboxes.com. 14400 IN CNAME www.myorderbox.com.
> as do every authoritative NS when querying them separately.
> Also, bind resolves the CNAME itself.
>
> Here are some debug messages, I am not sure what they exactly mean
> (particularly the "failure/success" part) :
>
> 30-Jun-2011 10:25:23.586 query-errors: debug 1: client
> 192.168.1.125#45637: query failed (SERVFAIL) for
> manage.logicboxes.com/IN/A at query.c:4651
> 30-Jun-2011 10:25:23.587 query-errors: debug 2: fetch completed at
> resolver.c:3088 for manage.logicboxes.com/A in 1.247324: failure/success
> [domain:logicboxes.com,referral:0,restart:2,qrysent:12,timeout:0,lame:0,neterr
> :0,badresp:12,adberr:0,findfail:0,valfail:0]
>
> Some other resolvers (opendns, google) return the expected answer :
> ; <<>> DiG 9.7.1-P2 <<>> manage.logicboxes.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8347
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;manage.logicboxes.com. IN A
>
> ;; ANSWER SECTION:
> manage.logicboxes.com. 12110 IN CNAME www.myorderbox.com.
> www.myorderbox.com. 84110 IN A 67.15.47.4
>
> Is bind less tolerant about some kind of setup mistake (which I don't
> get, anyway) ?
> I checked "logicboxes.com" with zonecheck, which fails because the NS IP
> addresses are not unique (and also some warnings about refresh/retry
> values and NS not answering to ICMP requests) but I don't think that
> explains my problem.
>
> Last question : is it OK that the primary server in the SOA field is
> just "." ?
> logicboxes.com. 86400 IN SOA . hostmaster.logicboxes.com. 6 900 300
> 864000 600
>
> Thanks for helping
>
> Laurent
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list