SERVFAIL for some domains on some servers

Oliver Henriot Oliver.Henriot at imag.fr
Tue Mar 2 09:57:50 UTC 2010 

Dear Sten,

I didn't give the domain I'm encountering problems with because it 
seemed irrelevant to me.

As Stéphane Bortzmeyer says in his message of 01/03/10 11:44, it's best 
to give names, so here goes :
x.fr is labanquepostale.fr
"1" is imag.imag.fr
"2" is brahma.imag.fr
"3" is isis.imag.fr
"4" is cosmos.imag.fr

As to a possible firewall problem, how could this be if the servers 
encountering problems don't have any access problems on TCP port 53?

Thanks.

Oliver

Dans sa grande sagesse, Sten Carlsen a écrit, le 27/02/10 19:06 :
> Since you don't tell which domain is the problem and at least I get
> perfect answers for imag.fr (my only possible guess) from all listed
> servers, I can have no clue.
>
> Best guess is still some firewall doing something stupid.
>
>
> Oliver Henriot wrote:
>> Dear list users,
>>
>> Maybe you can help me out here. Please bear with me if I'm stating the
>> obvious, but my computing skills are scarce and I still have a lot to
>> learn.
>>
>> I have a series of name servers, some of which fail to resolve hosts
>> in other domains whereas others don't have any problem.
>>
>> My setup is as follows :
>> - server "1" : master for my domain, recursion disabled for all except
>> localhost. Setup is BIND 9.5.1-P2 on SunOS 5.9.
>> - servers "2", "3" and "4" : slaves for my domain, recusrion allowed
>> for all, official resolvers for my clients, same configuration on all
>> 3. Setup is DiG 9.3.6-P1 on CentOS 5.4.
>>
>> Servers "2" and "4" fail to resolve domain x.fr whereas "1" and "3"
>> have no problem (if interrogated locally for "1" of course). The error
>> I get is :
>>
>>
>> dig -t A @"2" www.x.fr
>>
>> ;<<>>  DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2<<>>  -t A @"2" www.x.fr
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37397
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.x.fr.                IN      A
>>
>> ;; Query time: 4622 msec
>> ;; SERVER: "2"#53("2")
>> ;; WHEN: Sat Feb 27 18:20:07 2010
>> ;; MSG SIZE  rcvd: 40
>>
>>
>> The behavior is the same for "4" and for any host in domain x.fr (and
>> the domain itself).
>>
>> It's not a network problem, I can telnet on port 53 of the name
>> servers for domain x.fr from "2" (obviously using the ip address as
>> the name can't be resolved by the server).
>>
>> Also, reverse queries for hosts in domain x.fr from "2" do not fail.
>>
>> Finally, even more strange, if I use dig's +trace option servers "2"
>> and "4" do not fail any more and can resolve www.x.fr (although the
>> query lags quite a bit when doing the last bit of resolving, from x.fr
>> to www.x.fr).
>>
>> Here's the output :
>>
>> dig www.x.fr @"2" +trace
>>
>> ;<<>>  DiG 9.5.1-P3<<>>  www.x.fr @"2" +trace
>> ;; global options:  printcmd
>> .                       518400  IN      NS      F.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      G.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      H.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      I.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      J.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      K.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      L.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      M.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      A.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      B.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      C.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      D.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      E.ROOT-SERVERS.NET.
>> ;; Received 500 bytes from "2"#53("2") in 2 ms
>>
>> fr.                     172800  IN      NS      E.EXT.NIC.fr.
>> fr.                     172800  IN      NS      B.EXT.NIC.fr.
>> fr.                     172800  IN      NS      F.EXT.NIC.fr.
>> fr.                     172800  IN      NS      A.NIC.fr.
>> fr.                     172800  IN      NS      C.NIC.fr.
>> fr.                     172800  IN      NS      G.EXT.NIC.fr.
>> fr.                     172800  IN      NS      D.NIC.fr.
>> fr.                     172800  IN      NS      D.EXT.NIC.fr.
>> ;; Received 444 bytes from 192.58.128.30#53(J.ROOT-SERVERS.NET) in 44 ms
>>
>> x.fr.     172800  IN      NS      ns1.x.fr.
>> x.fr.     172800  IN      NS      ns2.x.fr.
>> ;; Received 108 bytes from 193.176.144.6#53(E.EXT.NIC.fr) in 33 ms
>>
>> www.x.fr. 300     IN      A       xxx.xxx.xxx.xxx
>> x.fr.     300     IN      NS      ns2.x.fr.
>> x.fr.     300     IN      NS      ns1.x.fr.
>> ;; Received 124 bytes from xxx.xxx.xxx.xxx#53(ns1.x.fr) in 0 ms
>>
>>
>> I'm at a loss as to what's going on (or wrong) here and what I can to
>> do to solve the problem. Any help would be greatly appreciated.
>>
>> Thanks in advance.
>>
>> Oliver
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4132 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20100302/99371c07/attachment.bin>

More information about the bind-users mailing list