Another Question about SERVFAIL

Mark Andrews marka at isc.org
Tue May 25 22:42:40 UTC 2010


In message <20100525202455.06F0B4029C at britaine.cis.anl.gov>, b19141 at anl.gov writes:
> One of our networking personnel is trying to access
> 
>      ftp.cisco.com
> 
> and is unable to do so from Argonne.  He has no problem from home,
> (Comcast).  The Comcast DNS servers are
> 
>      68.87.72.134
>      68.87.77.134
> 
> and report that they are running "Nominum Vantio 4.2.1.0" (about which
> I know very little).
> 
> My DNS servers are running BIND 9.7.0-P1.  I did some DNS queries here
> and I have made comments after each DNS query.
> 
> Are my comments and suppositions correct?
> ===============================================================
> dnsserver% dig ftp.cisco.com  
> 
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
> 
> ;; Query time: 177 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 11:01:45 2010
> ;; MSG SIZE  rcvd: 31
> 
> dnsserver% 
> 
> Note the SERVFAIL response.  BIND detects that something is wrong.
> ===============================================================
> dnsserver% dig cisco.com ns 
> 
> ; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;cisco.com.                     IN      NS
> 
> ;; ANSWER SECTION:
> cisco.com.              38065   IN      NS      ns1.cisco.com.
> cisco.com.              38065   IN      NS      ns2.cisco.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.cisco.com.          2668    IN      A       128.107.241.185
> ns2.cisco.com.          2831    IN      A       64.102.255.44
> 
> ;; Query time: 1 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 14:08:01 2010
> ;; MSG SIZE  rcvd: 95
> 
> dnsserver% 
> 
> There are two authoritative name servers for cisco.com .
> ===============================================================
> dnsserver% dig ftp.cisco.com @ns1.cisco.com.
> 
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
> 
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
> 
> ;; AUTHORITY SECTION:
> ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
> ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.
> 
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com. 86400   IN      A       64.102.255.39
> sjce-ddir-ns.cisco.com. 86400   IN      A       128.107.240.86
> 
> ;; Query time: 60 msec
> ;; SERVER: 128.107.241.185#53(128.107.241.185)
> ;; WHEN: Tue May 18 14:08:21 2010
> ;; MSG SIZE  rcvd: 133
> 
> dnsserver% 

If you make a non-recursive query you will get the referral.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @ns1.cisco.com +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.			IN	A

;; AUTHORITY SECTION:
ftp.cisco.com.		86400	IN	NS	sjce-ddir-ns.cisco.com.
ftp.cisco.com.		86400	IN	NS	rtp5-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com.	86400	IN	A	64.102.255.39
sjce-ddir-ns.cisco.com.	86400	IN	A	128.107.240.86

;; Query time: 347 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Wed May 26 08:30:20 2010
;; MSG SIZE  rcvd: 117

The actual cause of the SERVFAIL is further down where the load
balancer does not set AA on the response.  Note it also set "RD"
despite RD not being set on the query.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45540
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.			IN	A

;; ANSWER SECTION:
ftp.cisco.com.		60	IN	A	198.133.219.241

;; Query time: 181 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Wed May 26 08:31:39 2010
;; MSG SIZE  rcvd: 47

Also AAAA queries end up in self referrals.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec aaaa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46026
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.			IN	AAAA

;; AUTHORITY SECTION:
ftp.cisco.com.		86400	IN	NS	sjce-ddir-ns.cisco.com.
ftp.cisco.com.		86400	IN	NS	rtp5-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com.	86400	IN	A	64.102.255.39
sjce-ddir-ns.cisco.com.	86400	IN	A	128.107.240.86

;; Query time: 176 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Wed May 26 08:41:32 2010
;; MSG SIZE  rcvd: 117

> This response (from one of the two name servers) has problems.
> 
> 1) There is an answer, but without the "aa" (authoritative answer)
>    flag, the response appears to be coming from the cache.
>
> 2) The authority section lists the two nameservers that are
>    authoritative for the zone ftp.cisco.com.
> 
> 3) I am not a DNS expert, but with "ra" (recursion available) and
>    "rd" (recursion desired) both set, I would expect my query to
>    recurse to a name server that will return an authoritative answer.
>    Or, since I sent the request to a specific name server, that
>    server would return no answers but a referral to the authoritative
>    name servers.
> ===============================================================
> dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
> 
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
> 
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
> 
> ;; Query time: 288 msec
> ;; SERVER: 64.102.255.39#53(64.102.255.39)
> ;; WHEN: Tue May 18 14:08:46 2010
> ;; MSG SIZE  rcvd: 47
> 
> dnsserver% 
> dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
> 
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
> 
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
> 
> ;; Query time: 219 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Tue May 18 14:09:12 2010
> ;; MSG SIZE  rcvd: 47
> 
> dnsserver% 
> 
> Here I queried both supposedly authoritative name servers, and 
> from each I get a non-authoritative answer.  When I did the same
> query yesterday afternoon, neither of these two name servers was
> accessible.
> 
> I assume that with BIND 9.7.0-P1, if the response is not
> authoritative, then BIND will not trust the answer.
> ===============================================================
> 
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
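As an added illustration (not part of this thread or of BIND), the Python below builds DNS wire messages mirroring the responses quoted above and applies the checks a resolver would: an answer carried without AA, RD set in the response although the query did not set it, and an NS-only referral pointing back at the queried name itself. Message ids, names and the 198.133.219.241 address are taken from the dig output; the messages themselves are constructed here, not captured packets.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1) and the record types used here
QR, AA, RD, RA, A, NS, AAAA = 0x8000, 0x0400, 0x0100, 0x0080, 1, 2, 28

def encode_name(name):  # dotted name -> length-prefixed labels, no compression
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode()); off += n

def build_message(msg_id, flags, qname, qtype, answer=(), authority=(), additional=()):
    # Uncompressed message with one question; each RR is (name, type, ttl, rdata bytes)
    msg = struct.pack("!6H", msg_id, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in (*answer, *authority, *additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def diagnose(query_flags, response):
    """Defects a resolver would reject in a response from a supposedly authoritative server."""
    _, flags, _, *counts = struct.unpack("!6H", response[:12])
    qname, off = decode_name(response, 12); off += 4        # skip QTYPE and QCLASS
    answer, authority, _ = sections = [[], [], []]
    for rrs, count in zip(sections, counts):
        for _ in range(count):
            name, off = decode_name(response, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            rrs.append((name, rtype)); off += 10 + rdlen
    checks = [(answer and not flags & AA, "answer without AA"),
              (flags & RD and not query_flags & RD, "RD set in response but not in query"),
              (not answer and any(n == qname and t == NS for n, t in authority), "self-referral")]
    return [text for cond, text in checks if cond]

# Constructed messages mirroring the dig output in the thread (authority section only for AAAA)
FTP_A = [("ftp.cisco.com.", A, 60, bytes([198, 133, 219, 241]))]
FTP_NS = [("ftp.cisco.com.", NS, 86400, encode_name(n)) for n in ("sjce-ddir-ns.cisco.com.", "rtp5-ddir-ns.cisco.com.")]
LB_A_RESPONSE = build_message(45540, QR | RD | RA, "ftp.cisco.com.", A, answer=FTP_A)
LB_AAAA_RESPONSE = build_message(46026, QR | RA, "ftp.cisco.com.", AAAA, authority=FTP_NS)
```

Calling diagnose(0, LB_A_RESPONSE) reports both defects Mark points out for the +norec A query, and diagnose(0, LB_AAAA_RESPONSE) reports the self-referral.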