Intermittent ServFail for FreeBSD.org names?

Havard Eidnes he at uninett.no
Sun Sep 15 20:02:11 UTC 2019


Hi,

our BIND recursors apparently intermittently return ServFail
error code for lookups e.g. of bugs.FreeBSD.org, and now I've
caught it in the act.

I've used http://dnsviz.net/ on both FreeBSD.org, isc-sns.net,
isc-sns.info and isc-sns.com (names for the name servers of
FreeBSD.org sit in these zones), and everything comes back "no
problems found", except for a warning there's no AAAA glue for
ns2.isc-sns.com, which should be insignificant.  So there are
apparently no obvious DNSSEC issues and no significant delegation
problems.

I've turned on DNS query sniffing, and this is an exchange I find
related to the lookup of _http._tcp.pkg.FreeBSD.org:

14:20:49.650641 IP6 2001:700:0:503::ca53.62329 > 2001:5a0:10::1.53: 17761 [1au] DNSKEY? freebsd.org. (52)
14:20:58.138824 IP 128.39.46.118.54758 > 158.38.0.168.53: 31772+ [1au] SRV? _http._tcp.pkg.FreeBSD.org. (55)
14:21:06.150953 IP6 2001:700:0:503::ca53.55159 > 2001:5a0:10::1.53: 10140 [1au] SRV? _http._tcp.pkg.FreeBSD.org. (67)
14:21:06.150981 IP6 2001:700:0:503::ca53.54491 > 2001:5a0:10::1.53: 11227% [1au] A? ns1.isc-sns.net. (56)
14:21:06.151099 IP 158.38.0.168.53 > 128.39.46.118.54758: 31772 ServFail 0/0/1 (55)
14:21:07.012643 IP6 2001:5a0:10::1.53 > 2001:700:0:503::ca53.57326: 20041*- 2/4/9 A 72.52.71.1, RRSIG (1104)

Yes, there are other packets in-between, but nothing related to
freebsd.org or isc-sns, and, yes, I've included two more packets
to/from the 2001:5a0:10::1 name server, which is ns3.isc-sns.info
according to ip6.arpa.

So ... why does BIND apparently "sit" on the client query
received at 14:20:58.138824 for 7s before originating a new query
to resolve the client query, and then almost immediately return a
ServFail to the client?!?

The last packet looks "odd", though it appears to be the response
to the A ns1.isc-sns.net query, I can't re-find query-id 20041,
and also not the 57326 port number.  I also can't find the DNSKEY
response to the very first query in the packet trace.

I'm logging "query errors", and run with debuglevel=2, and get

Sep 15 14:21:06 oliven named[278]: client @0x7ade2126d000 128.39.46.118#54758 (_http._tcp.pkg.FreeBSD.org): query failed (timed out) for _http._tcp.pkg.FreeBSD.org/IN/SRV at query.c:6799

in the log at the corresponding time.  It seems to me that a
time-out should be re-set at 14:21:06.150953?

This is with BIND 9.14.4.

Does anyone else see similar behaviour for names in the
FreeBSD.org zone?

Best regards,

- Håvard

