Servfail When Resolving certain domains

Barry Margolin barmar at genuity.net
Mon Dec 10 22:25:35 UTC 2001


In article <9v38gr$kur at pub3.rc.vix.com>,
England, Robert (Robert) <england at northamerica.exchange.agere.com> wrote:
>I'm trying to figure out why our DNS servers are having intermittent
>problems getting to a handful of domains on a consistent basis. Below is
>one of the domain names we continually have issues with. We run a BIND 8.2.4
>environment.
> 
>We have email being queued because of host name lookup failure.
>When we perform a DIG for the MX record against our DNS servers responsible
>for external DNS resolution, they come back with the below message.
> 
>$ /usr/sbin/dig zaiqtech.com mx
> 
>; <<>> DiG 8.3 <<>> zaiqtech.com mx 
>;; res options: init recurs defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      zaiqtech.com, type = MX, class = IN
> 
>;; Total query time: 14 msec
>;; FROM: rootdns2 to SERVER: default -- 192.19.192.102
>;; WHEN: Mon Dec 10 15:06:49 2001
>;; MSG SIZE  sent: 30  rcvd: 30
> 
> 
> 
>We then perform a DIG with the +norec option as noted below, and get the
>following. The NS records of the name server for the domain we are looking
>up.
>Am I correct to say that the NS records that are returned below come from
>the .com DNS servers as referrals? Are these the NS records registered with
>Network Solutions?
> 
> 
>$ /usr/sbin/dig zaiqtech.com mx +norec
> 
>; <<>> DiG 8.3 <<>> zaiqtech.com mx +norec 
>;; res options: init defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65486
>;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>;; QUERY SECTION:
>;;      zaiqtech.com, type = MX, class = IN
> 
>;; AUTHORITY SECTION:
>zaiqtech.com.           21h51m26s IN NS  CONNACTIVITY.CONNACTIVITY.com.
>zaiqtech.com.           21h51m26s IN NS  NS2.CONNACTIVITY.com.
> 
>;; ADDITIONAL SECTION:
>CONNACTIVITY.CONNACTIVITY.com.  22m28s IN A  206.34.200.2
>NS2.CONNACTIVITY.com.   1d4h8m24s IN A  206.34.200.3
> 
>;; Total query time: 9 msec
>;; FROM: rootdns2 to SERVER: default -- 192.19.192.102
>;; WHEN: Mon Dec 10 15:10:46 2001
>;; MSG SIZE  sent: 30  rcvd: 120
> 
> 
> 
>The question I have is when our DNS servers try to find the MX records for
>the zaiqtech.com domain name it is unsuccessful. How does that happen?
>If the +norec allows DIG to perform a DNS query like our name servers,
>don't our DNS servers get referred to the name servers listed above?

You should not use +norec when querying your local caching server.  You
should use it when querying the connactivity.com servers, i.e. when you're
trying to simulate what your caching server will do.

When you use +norec with your caching server, you're explicitly telling it
*not* to go to the servers that it's referred to.

>If I perform a dig against the name servers listed above with the +norec
>option I get the following (below). I am able to find the MX records from
>the name servers directly. 

But notice that they are not authoritative answers, i.e. "aa" doesn't show
up in the "flags:" section of the output.  The servers that a domain is
delegated to should always be authoritative.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
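
The check described in the reply above (query the delegated servers with recursion off, then look for "aa" in the flags), as an added example that is not part of the original post. The function names, the query id and the sample headers are constructed for illustration; `ask()` needs network access and is not exercised by the samples.

```python
import socket
import struct

AA, RD = 0x0400, 0x0100  # header flag bits, RFC 1035 section 4.1.1

def build_query(name, qtype=15, recurse=False, qid=0x1234):
    """Encode a query (qtype 15 = MX). recurse=False clears RD, like dig +norec."""
    header = struct.pack("!6H", qid, RD if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # class IN

def classify(response):
    """Judge a reply from a server the zone is delegated to, by header only."""
    if len(response) < 12:
        return "malformed"
    flags = struct.unpack("!6H", response[:12])[1]
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"
    if not flags & AA:
        return "lame"  # no "aa" flag: server is not authoritative for the zone
    return "authoritative"

def ask(server_ip, name, timeout=3.0):
    """Send the non-recursive query over UDP (needs network; not used by samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed 12-byte headers (not captured traffic), one per case in the thread.
SAMPLES = {
    "qr ra, 2 answers, no aa": struct.pack("!6H", 0x1234, 0x8080, 1, 2, 0, 0),
    "qr aa, 2 answers": struct.pack("!6H", 0x1234, 0x8400, 1, 2, 0, 0),
    "qr rd ra, SERVFAIL": struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 0),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, "->", classify(packet))
```

The encoded query for zaiqtech.com is 30 bytes, the same size dig reports as "MSG SIZE sent: 30" in the quoted output.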

