Another Question about SERVFAIL

Warren Kumari warren at kumari.net
Wed May 26 19:01:05 UTC 2010


On May 25, 2010, at 6:42 PM, Mark Andrews wrote:

>
> In message <20100525202455.06F0B4029C at britaine.cis.anl.gov>, b19141 at anl.gov
> writes:
>> One of our networking personnel is trying to access
>>
>>     ftp.cisco.com
>>
>> and is unable to do so from Argonne.  He has no problem from home,
>> (Comcast).  The Comcast DNS servers are
>>
>>     68.87.72.134
>>     68.87.77.134
>>
>> and report that they are running "Nominum Vantio 4.2.1.0" (about which
>> I know very little).
>>
>> My DNS servers are running BIND 9.7.0-P1.  I did some DNS queries here
>> and I have made comments after each DNS query.
>>
>> Are my comments and suppositions correct?
>> ===============================================================
>> dnsserver% dig ftp.cisco.com
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com.                 IN      A
>>
>> ;; Query time: 177 msec
>> ;; SERVER: 146.139.254.5#53(146.139.254.5)
>> ;; WHEN: Tue May 18 11:01:45 2010
>> ;; MSG SIZE  rcvd: 31
>>
>> dnsserver%
>>
>> Note the SERVFAIL response.  BIND detects that something is wrong.
>> ===============================================================
>> dnsserver% dig cisco.com ns
>>
>> ; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;cisco.com.                     IN      NS
>>
>> ;; ANSWER SECTION:
>> cisco.com.              38065   IN      NS      ns1.cisco.com.
>> cisco.com.              38065   IN      NS      ns2.cisco.com.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.cisco.com.          2668    IN      A       128.107.241.185
>> ns2.cisco.com.          2831    IN      A       64.102.255.44
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 146.139.254.5#53(146.139.254.5)
>> ;; WHEN: Tue May 18 14:08:01 2010
>> ;; MSG SIZE  rcvd: 95
>>
>> dnsserver%
>>
>> There are two authoritative name servers for cisco.com .
>> ===============================================================
>> dnsserver% dig ftp.cisco.com @ns1.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com.                 IN      A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com.          60      IN      A       198.133.219.241
>>
>> ;; AUTHORITY SECTION:
>> ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
>> ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.
>>
>> ;; ADDITIONAL SECTION:
>> rtp5-ddir-ns.cisco.com. 86400   IN      A       64.102.255.39
>> sjce-ddir-ns.cisco.com. 86400   IN      A       128.107.240.86
>>
>> ;; Query time: 60 msec
>> ;; SERVER: 128.107.241.185#53(128.107.241.185)
>> ;; WHEN: Tue May 18 14:08:21 2010
>> ;; MSG SIZE  rcvd: 133
>>
>> dnsserver%
>
> If you make a non-recursive query you will get the referral.
>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @ns1.cisco.com +norec
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.			IN	A
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com.		86400	IN	NS	sjce-ddir-ns.cisco.com.
> ftp.cisco.com.		86400	IN	NS	rtp5-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com.	86400	IN	A	64.102.255.39
> sjce-ddir-ns.cisco.com.	86400	IN	A	128.107.240.86
>
> ;; Query time: 347 msec
> ;; SERVER: 128.107.241.185#53(128.107.241.185)
> ;; WHEN: Wed May 26 08:30:20 2010
> ;; MSG SIZE  rcvd: 117
>
> The actual cause of the SERVFAIL is further down where the load
> balancer does not set AA on the response.  Note it also set "RD"
> despite RD not being set on the query.

So, the question of the day is: do you think that it took actual work
to mess things up like this, or was it just "luck"?

I have visions of a bunch of disgruntled GLB developers sitting in a
pub and trying to come up with the most unusual set of responses for
any given query...

W


>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45540
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.			IN	A
>
> ;; ANSWER SECTION:
> ftp.cisco.com.		60	IN	A	198.133.219.241
>
> ;; Query time: 181 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Wed May 26 08:31:39 2010
> ;; MSG SIZE  rcvd: 47
>
> Also AAAA queries end up in self referrals.
>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec aaaa
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46026
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.			IN	AAAA
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com.		86400	IN	NS	sjce-ddir-ns.cisco.com.
> ftp.cisco.com.		86400	IN	NS	rtp5-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com.	86400	IN	A	64.102.255.39
> sjce-ddir-ns.cisco.com.	86400	IN	A	128.107.240.86
>
> ;; Query time: 176 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Wed May 26 08:41:32 2010
> ;; MSG SIZE  rcvd: 117
>
>> This response (from one of the two name servers) has problems.
>>
>> 1) There is an answer, but without the "aa" (authoritative answer)
>>   flag, the response appears to be coming from the cache.
>>
>> 2) The authority section lists the two nameservers that are
>>   authoritative for the zone ftp.cisco.com.
>>
>> 3) I am not a DNS expert, but with "ra" (recursion available) and
>>   "rd" (recursion desired) both set, I would expect my query to
>>   recurse to a name server that will return an authoritative answer.
>>   Or, since I sent the request to a specific name server, that
>>   server would return no answers but a referral to the authoritative
>>   name servers.
>> ===============================================================
>> dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com.                 IN      A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com.          60      IN      A       198.133.219.241
>>
>> ;; Query time: 288 msec
>> ;; SERVER: 64.102.255.39#53(64.102.255.39)
>> ;; WHEN: Tue May 18 14:08:46 2010
>> ;; MSG SIZE  rcvd: 47
>>
>> dnsserver%
>> dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com.                 IN      A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com.          60      IN      A       198.133.219.241
>>
>> ;; Query time: 219 msec
>> ;; SERVER: 128.107.240.86#53(128.107.240.86)
>> ;; WHEN: Tue May 18 14:09:12 2010
>> ;; MSG SIZE  rcvd: 47
>>
>> dnsserver%
>>
>> Here I queried both supposedly authoritative name servers, and
>> from each I get a non-authoritative answer.  When I did the same
>> query yesterday afternoon, neither of these two name servers was
>> accessible.
>>
>> I assume that with BIND 9.7.0-P1, if the response is not
>> authoritative, then BIND will not trust the answer.
>> ===============================================================
>>
>> ----------------------------------------------------------------------
>> Barry S. Finkel
>> Computing and Information Systems Division
>> Argonne National Laboratory          Phone:    +1 (630) 252-7277
>> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
>> Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
>> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

Life is a concentration camp.  You're stuck here and there's no way  
out and you can only rage impotently against your persecutors.
                 -- Woody Allen
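Mark's diagnosis above (a load balancer that answers without AA, echoes RD the client never set, and refers AAAA queries back to itself) is the kind of thing a small checker makes explicit. The following is an added example, not code from this thread, from ISC or from BIND: it parses wire-format DNS replies and classifies them the way a resolver chasing the cisco.com delegation would. The names and addresses are taken from the quoted dig output; the three replies are constructed here to match the flags shown in it, and the message ID and the rules in classify() are assumptions for illustration.

```python
"""Parse DNS replies and apply the checks a resolver makes when chasing a delegation.
Constructed replies mirror the dig output quoted in the thread above."""
import ipaddress
import struct

A, NS, AAAA = 1, 2, 28          # RR type codes used below


def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_reply(qname, qtype, *, aa, rd, ra, answer=(), authority=(), additional=()):
    """Build a one-question response. RRs are (owner, type, ttl, rdata as text). Test data only."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0100 if rd else 0) | (0x0080 if ra else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in (*answer, *authority, *additional):
        wire = encode_name(rdata) if rtype == NS else ipaddress.ip_address(rdata).packed
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(wire)) + wire
    return msg


def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_reply(msg):
    """Return header flags, the (single) question and the three RR sections."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                            # skip QTYPE and QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = parse_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == NS:                             # NS target may be compressed: decode in place
                rdata = parse_name(msg, off)[0]
            elif rtype in (A, AAAA):
                rdata = str(ipaddress.ip_address(msg[off:off + rdlen]))
            else:
                rdata = msg[off:off + rdlen]
            off += rdlen
            rrs.append((owner, rtype, ttl, rdata))
        sections.append(rrs)
    return {"aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def classify(msg, server, sent_rd=False):
    """Judge a reply from `server`, a host the parent delegated to. Returns (verdict, problems)."""
    r = parse_reply(msg)
    problems = []
    if r["rd"] and not sent_rd:
        problems.append("RD set in the reply although the query did not set it")
    answered = [rr for rr in r["answer"] if rr[0] == r["qname"] and rr[1] == r["qtype"]]
    delegated_to = [rr[3] for rr in r["authority"] if rr[1] == NS and r["qname"].endswith(rr[0])]
    if answered:
        if r["aa"]:
            return "authoritative answer", problems
        problems.append("answer without AA: a resolver will not trust it as authoritative")
        return "non-authoritative answer", problems
    if delegated_to:
        if server in delegated_to:
            problems.append("self-referral: the server refers the query back to itself")
            return "self-referral", problems
        return "referral", problems
    return "no data", problems


# Constructed to match the three +norec exchanges quoted in the thread.
DELEGATION = [("ftp.cisco.com.", NS, 86400, "sjce-ddir-ns.cisco.com."),
              ("ftp.cisco.com.", NS, 86400, "rtp5-ddir-ns.cisco.com.")]
GLUE = [("rtp5-ddir-ns.cisco.com.", A, 86400, "64.102.255.39"),
        ("sjce-ddir-ns.cisco.com.", A, 86400, "128.107.240.86")]
REFERRAL_FROM_NS1 = build_reply("ftp.cisco.com.", A, aa=False, rd=False, ra=True,
                                authority=DELEGATION, additional=GLUE)
A_FROM_LOAD_BALANCER = build_reply("ftp.cisco.com.", A, aa=False, rd=True, ra=True,
                                   answer=[("ftp.cisco.com.", A, 60, "198.133.219.241")])
AAAA_FROM_LOAD_BALANCER = build_reply("ftp.cisco.com.", AAAA, aa=False, rd=False, ra=True,
                                      authority=DELEGATION, additional=GLUE)


def diagnose():
    """The checks a resolver makes while chasing ftp.cisco.com, keyed by the dig step."""
    return {"ns1 +norec A": classify(REFERRAL_FROM_NS1, "ns1.cisco.com."),
            "sjce-ddir-ns +norec A": classify(A_FROM_LOAD_BALANCER, "sjce-ddir-ns.cisco.com."),
            "sjce-ddir-ns +norec AAAA": classify(AAAA_FROM_LOAD_BALANCER, "sjce-ddir-ns.cisco.com.")}


if __name__ == "__main__":
    for step, (verdict, problems) in diagnose().items():
        print(f"{step}: {verdict}" + "".join(f"\n    - {p}" for p in problems))
```

Run as-is it prints a referral for ns1, a non-authoritative answer with the stray RD for the sjce-ddir-ns A query, and a self-referral for the AAAA query, which is the chain Mark walks through. To point it at a live server, replace the constructed byte strings with the payload of a UDP query sent with RD clear; the parser handles compressed names, so real replies work as well as the constructed ones.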





