hhs.gov resolvers broken, or BIND misconfigured?
John Wobus
jw354 at cornell.edu
Fri Mar 4 18:25:32 UTC 2016
> Our recursive resolver periodically returns SERVFAIL for lookups for
> hhs.gov records, which are served by these nameservers:
>
> rh202ns1.355.dhhs.gov. 168 IN A 158.74.30.98
> rh202ns1.355.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2a
> rh202ns2.355.dhhs.gov. 168 IN A 158.74.30.99
> rh202ns2.355.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2b
> rh120ns2.368.dhhs.gov. 81 IN A 158.74.30.103
> rh120ns2.368.dhhs.gov. 81 IN AAAA 2607:f220:0:1::2d
> rh120ns1.368.dhhs.gov. 168 IN A 158.74.30.102
> rh120ns1.368.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2c
I don’t know the cause, but checking these nameserver authoritative
and glue records, I see ttl 300 for the authoritative records and ttl 86400
for the gov glue records. The caching ttls above suggest the AAAA records are
cached glue and the A records are cached authoritative. Just an observation.
But that seems like something bind would deal with every day, even with both A
and AAAA records for the same NS name. One clear thing about the above
query is that renewals from the authoritative nameservers don’t happen to
be in synch.
John Wobus
Cornell University IT
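
Added example (not part of the original message and not BIND code): the TTL reasoning in the reply above, applied to the quoted cache records. The 300 s and 86400 s values are the TTLs the reply reports; the function names are illustrative assumptions.

```python
AUTH_TTL = 300      # TTL the reply reports for the authoritative records
GLUE_TTL = 86400    # TTL the reply reports for the gov glue records

# Cached records as quoted in the original post (column 2 = remaining TTL).
CACHED = """\
rh202ns1.355.dhhs.gov. 168 IN A 158.74.30.98
rh202ns1.355.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2a
rh202ns2.355.dhhs.gov. 168 IN A 158.74.30.99
rh202ns2.355.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2b
rh120ns2.368.dhhs.gov. 81 IN A 158.74.30.103
rh120ns2.368.dhhs.gov. 81 IN AAAA 2607:f220:0:1::2d
rh120ns1.368.dhhs.gov. 168 IN A 158.74.30.102
rh120ns1.368.dhhs.gov. 14260 IN AAAA 2607:f220:0:1::2c
"""

def parse(text):
    """Return (name, remaining_ttl, rtype) for each dig-style answer line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # skip blanks, comments and malformed lines
        rows.append((fields[0], int(fields[1]), fields[3]))
    return rows

def classify(remaining):
    """Return (origin, seconds_since_cached) for one remaining TTL."""
    if remaining > GLUE_TTL:
        return ("unknown", None)          # fits neither reported TTL
    if remaining > AUTH_TTL:
        # Too long-lived to be the 300 s authoritative copy, so it is glue.
        return ("glue", GLUE_TTL - remaining)
    # Consistent with the authoritative copy; glue in its final 300 s
    # would look the same, so this label is an inference, not proof.
    return ("authoritative", AUTH_TTL - remaining)

def report(text=CACHED):
    """Classify every cached record: (name, rtype, origin, age_seconds)."""
    return [(n, t) + classify(ttl) for n, ttl, t in parse(text)]

def refresh_ages(rows, origin="authoritative"):
    """Distinct cache ages for one origin; more than one means staggered refreshes."""
    return sorted({age for _, _, o, age in rows if o == origin})

if __name__ == "__main__":
    for row in report():
        print("%-24s %-5s %-14s cached %ss ago" % row)
    print("authoritative refresh ages:", refresh_ages(report()))
```

On the quoted data this labels three AAAA records as glue, while the rh120ns2 AAAA record, with 81 s remaining, falls under the 300 s bound along with the A records. The authoritative-side ages of 132 s and 219 s correspond to two separate refresh times.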