SERVFAIL with ocsp.entrust.net.

Fr34k freaknetboy at yahoo.com
Tue Apr 24 14:56:04 UTC 2012


Perhaps provide the ocsp.entrust.net folks with third-party evaluation tool(s) to identify areas of concern?

For example, here are two:

http://www.dnsvalidation.com/reports/4f96bdec7d79ee78db000044

http://www.intodns.com/ocsp.entrust.net
These find more than one critical item to fix.

Why is everyone else in the world getting NOERROR?  In my experience, BIND is less forgiving of configuration-related issues than some of the other DNS servers out there.

Hope this helps.




>________________________________
> From: "Bischof, Ralph F. (MSFC-IS40)[NICS]" <ralph.bischof at nasa.gov>
>To: "bind-users at lists.isc.org" <bind-users at lists.isc.org> 
>Sent: Tuesday, April 24, 2012 10:06 AM
>Subject: SERVFAIL with ocsp.entrust.net.
> 
>Hello,
>
>    I have been trying to find out why my caching servers are giving SERVFAIL as an answer for any type of query except for an A record for the domain in the subject. Whether I try a AAAA, TXT, SOA, PTR, TXT, etc, I get a SERVFAIL answer. Yet, it seems that anyone else in the world is getting NOERROR. Now, when I direct the query to the Microsoft DNS servers (8.8.8.8), I also get NOERROR. I have tried different versions of clients (9.4.3-P5 and 9.6-ESV-R4-P3) and get the same response, so I do not think that is the issue.
>
>    When I use a 'dig +trace', the end of the chain shows a server that does not exist in the last answer consisting of the SOA record. In fact, since Sungard is involved, the whole chain makes no sense to me. I have edited out the extra stuff, but here is what I try to do.
>
>First, here is the 'dig +trace' with an A query. I left out the list of the root and gtld servers. 
>[bischrf at nsc1 ~]$ dig +trace ocsp.entrust.net. a
>;; Received 300 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
>;; Received 491 bytes from 192.5.5.241#53(f.root-servers.net) in 26 ms
>
>entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
>entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
>entrust.net.            172800  IN      NS      ns1.entrust.net.
>entrust.net.            172800  IN      NS      ns2.entrust.net.
>;; Received 203 bytes from 192.42.93.30#53(g.gtld-servers.net) in 115 ms
>
>ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
>ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
>;; Received 85 bytes from 216.13.122.23#53(secondary-ns1.allstream.com) in 120 ms
>
>ocsp.entrust.net.       30      IN      A       216.191.247.139
>;; Received 50 bytes from 207.19.96.22#53(gns1.sungardns.com) in 109 ms
>------------------------
>Then a 'dig +trace' looking for the AAAA record.
>[bischrf at nsc1 ~]$ dig +trace ocsp.entrust.net. aaaa
>;; Received 344 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
>;; Received 491 bytes from 199.7.83.42#53(l.root-servers.net) in 160 ms
>
>entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
>entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
>entrust.net.            172800  IN      NS      ns1.entrust.net.
>entrust.net.            172800  IN      NS      ns2.entrust.net.
>;; Received 203 bytes from 192.26.92.30#53(c.gtld-servers.net) in 34 ms
>
>ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
>ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
>;; Received 85 bytes from 216.191.247.202#53(ns2.entrust.net) in 125 ms
>
>entrust.net.            60      IN      SOA    phlig3.oamp.sgns.net. hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
>;; Received 98 bytes from 207.19.96.22#53(gns1.sungardns.com) in 111 ms
>NOTE: phlig3.oamp.sgns.net does not exist.
>----------------------------------
>
>Here is the query that works.
>[bischrf at nsc1 ~]$ dig ocsp.entrust.net. a
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29329
>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
>;; ANSWER SECTION:
>ocsp.entrust.net.       24      IN      A       216.191.247.203
>
>;; AUTHORITY SECTION:
>ocsp.entrust.net.       1675    IN      NS      gns1.sungardns.com.
>ocsp.entrust.net.       1675    IN      NS      gns2.sungardns.com.
>---------------------------
>
>Now a AAAA query. Note there is no authority.
>[bischrf at nsc1 ~]$ dig ocsp.entrust.net. aaaa
>
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20073
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>--------------------------
>
>So now I try to follow the chain. 
>1) Query entrust.net. for the NS records. I get 4.
>[bischrf at nsc1 ~]$ dig entrust.net. ns
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17958
>;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
>
>;; ANSWER SECTION:
>entrust.net.            1617    IN      NS      ns2.entrust.net.
>entrust.net.            1617    IN      NS      secondary-ns1.allstream.com.
>entrust.net.            1617    IN      NS      ns1.entrust.net.
>entrust.net.            1617    IN      NS      secondary-ns2.allstream.com.
>---------------------
>
>2) I pick one of those and ask for the NS records for ocsp.entrust.net.
>[bischrf at nsc1 ~]$ dig @ns1.entrust.net. ocsp.entrust.net. ns
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7029
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; AUTHORITY SECTION:
>ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
>ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
>----------------------
>
>3) I pick one of those and try a AAAA query.
>[bischrf at nsc1 ~]$ dig @gns1.sungardns.com. ocsp.entrust.net. aaaa
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4292
>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; AUTHORITY SECTION:
>entrust.net.            60      IN      SOA     phlig3.oamp.sgns.net. hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
>------------------------------
>
>Note above that I do get an authority, yet the MNAME does not exist. In fact, when I direct a query to the Microsoft DNS server for the record "phlig3.oamp.sgns.net", I get a SERVFAIL.
>[bischrf at nsc1 ~]$ dig @8.8.8.8 phlig3.oamp.sgns.net.
>
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58650
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>-------------------------------
>
>So I try to find what is up with that record and I end up with a dead end at the NS records for oamp.sgns.net. I find the NS records, but I cannot get an IP for either one of them.
>[bischrf at nsc1 ~]$ dig sgns.net. ns
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19454
>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
>;; ANSWER SECTION:
>sgns.net.               1779    IN      NS      ns2.sungardns.com.
>sgns.net.               1779    IN      NS      ns1.sungardns.com.
>-------------------------------------------
>[bischrf at nsc1 ~]$ dig @ns2.sungardns.com. oamp.sgns.net. ns
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64087
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; AUTHORITY SECTION:
>oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
>oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
>------------------------------
>[bischrf at nsc1 ~]$ dig @ns2.sungardns.com. phlnn1.oamp.sgns.net.
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25825
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; AUTHORITY SECTION:
>oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
>oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
>-------------------------------------
>[bischrf at nsc1 ~]$ dig @ns2.sungardns.com. hounn1.oamp.sgns.net. 
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56868
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; AUTHORITY SECTION:
>oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
>oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
>---------------------------
>
>    I did talk with both Sungard and Entrust on what I found and they sent me an email that they fixed "something" last night. How can I troubleshoot more why my servers are reporting SERVFAIL for any non-A types for this domain where it seems that everyone else in the world is getting NOERROR? Thank you for reading this far and any help that you can provide.
>
>
>Thank you,
>Ralph F. Bischof, Jr.
>NASA Agency IPAM/DNS/DHCP
>SAIC/NICS
>256-544-3982
>
>
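As an added example (not code from either poster): a small Python script that turns two things the quoted trace makes visible into mechanical checks on dig output. First, in a NODATA answer the SOA in the AUTHORITY section should belong to the zone the server was delegated, here ocsp.entrust.net., or to a zone beneath it; gns1.sungardns.com instead returns an SOA for the parent, entrust.net. Second, a referral whose NS names sit inside the zone being delegated (phlnn1.oamp.sgns.net for oamp.sgns.net) has to carry glue addresses in ADDITIONAL, and ns2.sungardns.com returns ADDITIONAL: 0, which fits the dead end Ralph hits when looking for an IP for either server. The record lines are re-typed from the quoted dig runs as constructed sample input; the checks and function names are this example's own, and whether either mismatch is what makes BIND answer SERVFAIL is not something the thread establishes.

```python
"""Consistency checks on dig output, modelled on the trace quoted in the thread.

Added example (not code from either poster). The record text below is re-typed
from the quoted dig runs as constructed sample input; nothing is fetched live.
"""
import re

# owner  ttl  IN  type  rdata...   (the record format dig prints)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_section(text):
    """Return (owner, ttl, rtype, rdata_fields) tuples from a block of dig RR lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.split()))
    return records


def is_subdomain(name, zone):
    """True if name equals zone or lies beneath it (absolute names, trailing dot)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


def check_negative_answer(delegated_zone, authority):
    """For a NODATA/NXDOMAIN answer, the SOA in AUTHORITY should be the zone the
    server was delegated (or a zone beneath it).  An SOA for a parent zone means
    the server is answering from a zone the parent never delegated to it."""
    soas = [rr for rr in authority if rr[2] == "SOA"]
    if not soas:
        return "no SOA in authority section"
    owner, mname = soas[0][0], soas[0][3][0]
    if is_subdomain(owner, delegated_zone):
        return "ok"
    return f"SOA owner {owner} (MNAME {mname}) is outside delegated zone {delegated_zone}"


def check_referral_glue(zone, authority, additional):
    """Return NS names in a referral for `zone` that lie inside `zone` itself but
    have no A/AAAA glue in ADDITIONAL; a resolver cannot reach those servers."""
    glue_owners = {rr[0] for rr in additional if rr[2] in ("A", "AAAA")}
    missing = []
    for owner, _ttl, rtype, rdata in authority:
        if rtype != "NS" or owner != zone.lower():
            continue
        ns = rdata[0].lower()
        if is_subdomain(ns, zone) and ns not in glue_owners:
            missing.append(ns)
    return missing


# --- constructed samples, copied from the dig runs quoted above ---------------

# Referral the entrust.net servers gave for ocsp.entrust.net (ADDITIONAL 0).
OCSP_REFERRAL = """
ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
"""

# gns1.sungardns.com's answer to the AAAA query: aa set, ANSWER 0, AUTHORITY 1.
AAAA_AUTHORITY = """
entrust.net.            60      IN      SOA     phlig3.oamp.sgns.net. hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
"""

# ns2.sungardns.com's referral for oamp.sgns.net: AUTHORITY 2, ADDITIONAL 0.
OAMP_REFERRAL = """
oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
"""


def run_checks():
    """Apply both checks to the samples and return the findings."""
    return {
        "ocsp_referral_glue": check_referral_glue(
            "ocsp.entrust.net.", parse_section(OCSP_REFERRAL), []),
        "aaaa_negative": check_negative_answer(
            "ocsp.entrust.net.", parse_section(AAAA_AUTHORITY)),
        "oamp_referral_glue": check_referral_glue(
            "oamp.sgns.net.", parse_section(OAMP_REFERRAL), []),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The ocsp.entrust.net referral passes the glue check because gns1/gns2.sungardns.com are outside the delegated zone and need no glue; the AAAA answer fails the SOA check, and the oamp.sgns.net referral fails the glue check for both of its in-zone name servers. To use it on live data, paste the AUTHORITY and ADDITIONAL sections of your own dig output into the sample strings.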