Forward zone giving SERVFAIL

Mark Andrews marka at isc.org
Thu Nov 28 21:23:34 UTC 2013


In message <000701ceebe9$cf91f6c0$6eb5e440$@JAMMConsulting.com>, "Neil Aggarwal" writes:
> Hello:
> 
> I set up a forward zone in the internal view of my named.conf:
> 
> view internal {
>         match-clients {
>                 127.0.0.1;
>                 };
>         recursion yes;
>         allow-query-cache { any; };
>         zone "dnsbl" {
>                 type forward;
>                 forwarders {
>                         127.0.0.1 port 54;
>                         };
>                 forward only;
>                 };
>         };
> 
> When I run dig against the forward zone:
> dig -p 54 @127.0.0.1 2.0.0.127.zen.dnsbl
> 
> It gives me the expected output:
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -p 54 @127.0.0.1 2.0.0.127.zen.dnsbl
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57571
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;2.0.0.127.zen.dnsbl.           IN      A
> 
> ;; ANSWER SECTION:
> 2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.2
> 2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.10
> 2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.4
> 
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#54(127.0.0.1)
> ;; WHEN: Wed Nov 27 21:24:45 2013
> ;; MSG SIZE  rcvd: 85
> 
> But, when I run dig against bind:
> dig -p 53 @127.0.0.1 2.0.0.127.zen.dnsbl
> 
> I get a SERVFAIL response:
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -p 53 @127.0.0.1 2.0.0.127.zen.dnsbl
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46895
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;2.0.0.127.zen.dnsbl.           IN      A
> 
> ;; Query time: 144 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Nov 27 21:25:50 2013
> ;; MSG SIZE  rcvd: 37
> 
> Taking a look at /var/named/data/named.run, I see these lines:
> error (chase DS servers) resolving 'zen.dnsbl/DS/IN': 127.0.0.1#54
> error (unexpected RCODE REFUSED) resolving 'dnsbl/NS/IN': 127.0.0.1#54
> error (no valid DS) resolving '2.0.0.127.zen.dnsbl/A/IN': 127.0.0.1#54
> 
> I am not sure what to make of this.

You have DNSSEC enabled and the root zone is signed in a way that
prevents the addition of rogue TLDs, which 'dnsbl' is.  This is a
good thing with ICANN adding lots of new TLDs.

In addition to that, the alternate nameserver on port 54 doesn't
handle NS queries.  Nameserver developers shouldn't assume that the
only queries that will be made to a nameserver will be A queries.
These days you have A and AAAA for addresses as well as NS, DS and
DNSKEY queries for DNSSEC.  Then add in TLSA queries for DANE and
as browsers check for HTTPS support.  The list of different query
types that regularly appear continues to grow.  Nameservers should
expect the unexpected.  It really isn't any harder to send a NODATA
response rather than a REFUSED.

I suggest that you report this to the black list and nameserver
vendors.  Squatting on TLDs is a no-no.  If they want a TLD for
their service they should pony up the money; otherwise, move the name
into namespace they control.  Doing a half-baked nameserver will
cause operational problems.  All zones are supposed to have NS and
SOA records, so there is no excuse for not supporting them.  As for
the other qtypes, NODATA or NXDOMAIN should be returned depending
upon whether the name exists in the zone or not.  Similarly, NODATA
or NXDOMAIN should be returned for NS and SOA not at the zone apex.

A nameserver doesn't have to support returning all types but it
should say that they don't exist rather than cop out with NOTIMP
or REFUSED which just cause recursive servers to move onto the next
listed server and eventually return SERVFAIL to the client.

Mark

> Anyone have any ideas?
> 
> Thanks,
>   Neil
> 
> --
> Neil Aggarwal, (972) 834-1565
> We lend money to investors to buy or refinance single family rent houses.
> No origination fees, quick approval, no credit check.
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
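The responder behaviour Mark asks for, as an added example that is not part of this thread and not the code of BIND or of any blacklist vendor: a minimal authoritative UDP server for the private zone "dnsbl." (the name the forward statement above points at; serving it here is an assumption) that answers the A records it has, returns NS and SOA at the apex, answers NODATA (NOERROR with an empty answer section and the SOA in the authority section, per RFC 2308) for an unknown qtype at a name that exists, including empty non-terminals, NXDOMAIN for a name that does not exist, and REFUSED only for names outside the zone. The zone contents, the SOA values and the port are constructed for the example.

```python
import socket
import struct

# RR types and rcodes used here (RFC 1035 / RFC 4034 values).
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA, TYPE_DS = 1, 2, 6, 28, 43
CLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
TTL = 300
ZONE = "dnsbl."  # assumed: the zone named in the forward statement, served here

def encode_name(name):
    """Dotted name -> uncompressed wire form (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def decode_name(msg, off):
    """Uncompressed name at msg[off:] -> (lowercased dotted name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower() + ".", off
        if n & 0xC0:  # compression pointers do not occur in a question section
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def soa_rdata(mname, rname, serial, refresh=3600, retry=900, expire=604800, minimum=TTL):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)

# Constructed zone contents: wire-format rdata keyed by owner name and type.
SOA = soa_rdata("ns1.dnsbl.", "hostmaster.dnsbl.", 2013112801)
ZONE_DATA = {
    ZONE: {TYPE_SOA: [SOA], TYPE_NS: [encode_name("ns1.dnsbl.")]},
    "ns1.dnsbl.": {TYPE_A: [socket.inet_aton("127.0.0.1")]},
    "2.0.0.127.zen.dnsbl.": {TYPE_A: [socket.inet_aton(a)
                                     for a in ("127.0.0.2", "127.0.0.10", "127.0.0.4")]},
}

def rr(name, rtype, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(rdata)) + rdata

def lookup(qname, qtype):
    """Decide the answer for one question -> (rcode, answer_rrs, authority_rrs)."""
    if qname != ZONE and not qname.endswith("." + ZONE):
        return RCODE_REFUSED, [], []  # genuinely out of zone: the one place REFUSED belongs
    rrsets = ZONE_DATA.get(qname, {})
    if qtype in rrsets:
        return RCODE_NOERROR, [rr(qname, qtype, rd) for rd in rrsets[qtype]], []
    # Negative answer: include the SOA so resolvers can cache it (RFC 2308).
    authority = [rr(ZONE, TYPE_SOA, SOA)]
    # A name with no records of its own still exists if something lives below it.
    exists = bool(rrsets) or any(k.endswith("." + qname) for k in ZONE_DATA)
    return (RCODE_NOERROR if exists else RCODE_NXDOMAIN), [], authority

def build_response(query):
    """Wire-format query -> wire-format response (AA set, RD copied, RA clear)."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rcode, answers, authority = lookup(qname, qtype)
    hdr_flags = 0x8000 | 0x0400 | (flags & 0x0100) | rcode  # QR, AA, RD as asked, rcode
    header = struct.pack("!HHHHHH", qid, hdr_flags, 1, len(answers), len(authority), 0)
    return header + question + b"".join(answers) + b"".join(authority)

def build_query(name, qtype, qid=0x1234):
    """A plain RD query, the shape a recursive server sends to a forwarder."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN))

def summarize(resp):
    """(rcode, ancount, nscount) of a response, for inspection."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0xF, an, ns

def serve(addr=("127.0.0.1", 54)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass  # malformed query: drop it rather than crash the server

if __name__ == "__main__":
    serve()
```

With this in place the three queries from the named.run log above get proper answers: 'dnsbl/NS' returns the apex NS set instead of REFUSED, 'zen.dnsbl/DS' returns NODATA with the SOA (zen.dnsbl is an empty non-terminal here), and the A query is answered. The DNSSEC objection in Mark's first paragraph is separate: a validating resolver will still reject 'dnsbl' because the signed root proves the TLD does not exist, so the zone also needs to move under a name its operator controls.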

