bind 9.2.1 SERVFAIL driving me nuts

Victor Wren vwrennospam at ponyhomenospam.com
Wed Dec 17 17:20:10 UTC 2003


On Wed, 17 Dec 2003 07:00:01 +0000 (UTC), phn at icke-reklam.ipsec.nu
wrote:

>Part of your problems is that Server helios.timension.com (67.116.23.65)
>uses fake root-servers.

Actually, Helios is the stable one.  What turned out to be the problem
is that in my automated monthly update, ns.icann.org fed me a list of
nameservers with no "ADDITIONAL" section (server names, but no
addresses, and as they started timing out, performance got more and
more erratic).

In other words, the "real" list of nameservers was badly maintained,
while the "fake" (Open) nameservers have been working perfectly.
dig-ing a new set of roots fixed the problem.  I KNEW it had to be
something simple like that, but since the root download had not
reported any errors, I failed to check it until I'd pulled half my
hair out.

>When they don't see the same universe you may get some troubles.

Seems like that would be more robust, actually.  And they are seeing
the same universe -- just through different telescopes.

>helios.timension.com (67.116.23.65)
>trip.ponyhome.com (67.112.125.90)
>
>The other server trip.ponyhome.com seems blocked from
>TCP queries / zone transfers. This is probably a firewall-filter
>issue.

Those are rules I put in after I got the nameserver working again.
TCP, as I understand it, is only for zone transfers, and is open to
the slave servers.  UDP is open to everybody, but not for recursion
(except where cached, obviously)

Which leads to another off-topic problem:  Even when I have
allow-query { any; } in my zone sections, the allow-query in the
"options" section appears to override it, i.e. the more restrictive
one is the one that is used.  In other words, even with allow-query {
any; } in the zone sections, I was getting "query (cache) denied" in
my syslog.  It was only when I put allow-query {any;} in the options
section that this stopped.  I may be misunderstanding what allow-query
is for.

>Finally, upgrade 9.2.1, it's old and has known weaknesses.

Helios was running 9.2.3, and I've brought Trip up to 9.2.3 also.

Thanks for those who responded.  Mark Andrews was spot on with his
question about the hints file.

Victor Wren
vwren ampersand ponyhome period com
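The failure described above (a root hints refresh whose NS list arrived with no ADDITIONAL section, so the resolver had server names but no addresses) is easy to catch before the new hints go live. The script below is an added example, not part of the original post or of BIND: it reads a hints file in the format produced by `dig . NS` (or the internic named.root layout) and reports any root NS name that has no A/AAAA glue record in the same file. The two sample hints files it builds are constructed for the demonstration and use RFC 5737 documentation addresses (192.0.2.x), not the real root server addresses.

```shell
#!/bin/sh
# check_hints FILE
#   Validate a BIND root hints file: every NS record for "." must have at
#   least one A or AAAA glue record for the same name in the file.
#   Accepts either dig output ("owner TTL IN TYPE rdata", with ";" comments)
#   or the internic named.root layout ("owner TTL TYPE rdata").
#   Prints a summary and exits 0 if all NS names have glue, 1 otherwise.
#   Typical use:  dig @a.root-servers.net . NS > named.root.new
#                 check_hints named.root.new && mv named.root.new named.root
check_hints() {
    awk '
        # Skip comment lines (";" or ";;") and blank lines.
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        {
            owner = tolower($1); type = ""; rdata = ""
            # Find the record type token; the rdata is the field after it.
            for (i = 2; i <= NF; i++) {
                if ($i == "NS" || $i == "A" || $i == "AAAA") {
                    type = $i; rdata = tolower($(i + 1)); break
                }
            }
            if (type == "") next
            if (owner == "." && type == "NS") { ns[rdata] = 1; nsn++ }
            else if (type == "A" || type == "AAAA") { glue[owner] = 1 }
        }
        END {
            if (nsn == 0) { print "no root NS records found"; exit 1 }
            missing = 0
            for (n in ns) if (!(n in glue)) { print "no glue for " n; missing++ }
            print nsn " root NS, " missing " without glue"
            exit (missing > 0)
        }
    ' "$1"
}

# Constructed sample: a complete answer with glue in the ADDITIONAL section.
# (192.0.2.x are documentation addresses, not the real root server glue.)
GOOD_HINTS=$(mktemp)
cat > "$GOOD_HINTS" <<'EOF'
;; ANSWER SECTION:
.                    518400   IN  NS  a.root-servers.net.
.                    518400   IN  NS  b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.  3600000  IN  A   192.0.2.4
b.root-servers.net.  3600000  IN  A   192.0.2.14
EOF

# Constructed sample: the same answer with no ADDITIONAL section, which is
# the condition the post describes (names, but nothing to send queries to).
BAD_HINTS=$(mktemp)
cat > "$BAD_HINTS" <<'EOF'
;; ANSWER SECTION:
.                    518400   IN  NS  a.root-servers.net.
.                    518400   IN  NS  b.root-servers.net.
EOF
trap 'rm -f "$GOOD_HINTS" "$BAD_HINTS"' EXIT

if [ -n "$1" ]; then
    check_hints "$1"
else
    check_hints "$GOOD_HINTS"
    check_hints "$BAD_HINTS" || echo "glueless hints rejected, as expected"
fi
```

Run with a file argument to check a freshly downloaded hints file; with no argument it runs against the two constructed samples. Because the check is on the file rather than on the download's exit status, it would have flagged the glueless list the post describes even though the transfer itself reported no error.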

