Another Question about SERVFAIL
Warren Kumari
warren at kumari.net
Wed May 26 19:01:05 UTC 2010
On May 25, 2010, at 6:42 PM, Mark Andrews wrote:
>
> In message <20100525202455.06F0B4029C at britaine.cis.anl.gov>, b19141 at anl.gov
> wri
> tes:
>> One of our networking personnel is trying to access
>>
>> ftp.cisco.com
>>
>> and is unable to do so from Argonne. He has no problem from home,
>> (Comcast). The Comcast DNS servers are
>>
>> 68.87.72.134
>> 68.87.77.134
>>
>> and report that they are running "Nominum Vantio 4.2.1.0" (about
>> which
>> I know very little).
>>
>> My DNS servers are running BIND 9.7.0-P1. I did some DNS queries
>> here
>> and I have made comments after each DNS query.
>>
>> Are my comments and suppositions correct?
>> ===============================================================
>> dnsserver% dig ftp.cisco.com
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com. IN A
>>
>> ;; Query time: 177 msec
>> ;; SERVER: 146.139.254.5#53(146.139.254.5)
>> ;; WHEN: Tue May 18 11:01:45 2010
>> ;; MSG SIZE rcvd: 31
>>
>> dnsserver%
>>
>> Note the SERVFAIL response. BIND detects that something is wrong.
>> ===============================================================
>> dnsserver% dig cisco.com ns
>>
>> ; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;cisco.com. IN NS
>>
>> ;; ANSWER SECTION:
>> cisco.com. 38065 IN NS ns1.cisco.com.
>> cisco.com. 38065 IN NS ns2.cisco.com.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.cisco.com. 2668 IN A 128.107.241.185
>> ns2.cisco.com. 2831 IN A 64.102.255.44
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 146.139.254.5#53(146.139.254.5)
>> ;; WHEN: Tue May 18 14:08:01 2010
>> ;; MSG SIZE rcvd: 95
>>
>> dnsserver%
>>
>> There are two authoritative name servers for cisco.com .
>> ===============================================================
>> dnsserver% dig ftp.cisco.com @ns1.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com. IN A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com. 60 IN A 198.133.219.241
>>
>> ;; AUTHORITY SECTION:
>> ftp.cisco.com. 86400 IN NS rtp5-ddir-
>> ns.cisco.com.
>> ftp.cisco.com. 86400 IN NS sjce-ddir-
>> ns.cisco.com.
>>
>> ;; ADDITIONAL SECTION:
>> rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
>> sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
>>
>> ;; Query time: 60 msec
>> ;; SERVER: 128.107.241.185#53(128.107.241.185)
>> ;; WHEN: Tue May 18 14:08:21 2010
>> ;; MSG SIZE rcvd: 133
>>
>> dnsserver%
>
> If you make a norecusive query you will get the referral.
>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @ns1.cisco.com +norec
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
> ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
> sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
>
> ;; Query time: 347 msec
> ;; SERVER: 128.107.241.185#53(128.107.241.185)
> ;; WHEN: Wed May 26 08:30:20 2010
> ;; MSG SIZE rcvd: 117
>
> The actual cause of the SERVFAIL is further down where the load
> balancer does not set AA on the response. Note it also set "RD"
> despite RD not being set on the query.
So, the question of the day is: do you think that it took actual work
to mess things up like this, or was it just "luck"?
I have visions of a bunch of disgruntled GLB developers sitting in a
pub and trying to come up with the most unusual set of responses for
any given query...
W
>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45540
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; ANSWER SECTION:
> ftp.cisco.com. 60 IN A 198.133.219.241
>
> ;; Query time: 181 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Wed May 26 08:31:39 2010
> ;; MSG SIZE rcvd: 47
>
> Also AAAA queries end up in self referrals.
>
> ; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com
> +norec aaaa
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46026
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN AAAA
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
> ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
> sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
>
> ;; Query time: 176 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Wed May 26 08:41:32 2010
> ;; MSG SIZE rcvd: 117
>
>> This response (from one of the two name servers) has problems.
>>
>> 1) There is an answer, but without the "aa" (authoritative answer)
>> flag, the response appears to be coming from the cache.
>>
>> 2) The authority section lists the two nameservers that are
>> authoritative for the zone ftp.cisco.com.
>>
>> 3) I am not a DNS expert, but with "ra" (recursion available) and
>> "rd" (recursion desired) both set, I would expect my query to
>> recurse to a name server that will return an authoritative answer.
>> Or, since I sent the request to a specific name server, that
>> server would return no answers but a referral to the authoritative
>> name servers.
>> ===============================================================
>> dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com. IN A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com. 60 IN A 198.133.219.241
>>
>> ;; Query time: 288 msec
>> ;; SERVER: 64.102.255.39#53(64.102.255.39)
>> ;; WHEN: Tue May 18 14:08:46 2010
>> ;; MSG SIZE rcvd: 47
>>
>> dnsserver%
>> dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
>>
>> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ftp.cisco.com. IN A
>>
>> ;; ANSWER SECTION:
>> ftp.cisco.com. 60 IN A 198.133.219.241
>>
>> ;; Query time: 219 msec
>> ;; SERVER: 128.107.240.86#53(128.107.240.86)
>> ;; WHEN: Tue May 18 14:09:12 2010
>> ;; MSG SIZE rcvd: 47
>>
>> dnsserver%
>>
>> Here I queried both supposedly authoritative name servers, and
>> from each I get a non-authoritative answer. When I did the same
>> query yesterday afternoon, neither of these two name servers was
>> accessible.
>>
>> I assume that with BIND 9.7.0-P1, if the response is not
>> authoritative, then BIND will not trust the answer.
>> ===============================================================
>>
>> ----------------------------------------------------------------------
>> Barry S. Finkel
>> Computing and Information Systems Division
>> Argonne National Laboratory Phone: +1 (630) 252-7277
>> 9700 South Cass Avenue Facsimile:+1 (630) 252-4601
>> Building 240, Room 5.B.8 Internet: BSFinkel at anl.gov
>> Argonne, IL 60439-4828 IBMMAIL: I1004994
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Life is a concentration camp. You're stuck here and there's no way
out and you can only rage impotently against your persecutors.
-- Woody Allen
More information about the bind-users
mailing list