Stumped - SERVFAIL vs NOERROR?
Karl Auer
kauer at biplane.com.au
Wed Apr 27 12:11:34 UTC 2011
Hi all.

Well, I'm stumped.

This is causing non-delivery of mail for the affected domain because it
is blocking fallback from IPv6 to IPv4 for the domain. The problem
smells like misconfigured IPv6 somewhere along the way, but all the
servers involved (that have IPv6 addresses) seem to be answering OK.

Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
a particular domain, namely "mailergoat.rsi.co.jp". But from other
places, we get NOERROR (which is the correct answer, because there is an
A record with that name). However, from some places outside our network
we also get SERVFAIL.

Traces (using the +trace option to dig) are identical regardless of
where we do them, besides some reordering of the nameserver results,
which is normal.

One oddity (at least it seems odd to me) is that a trace ends with two
nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in
the nameserver list for rsi.co.jp, meaning that the domain
mailergoat.rsi.co.jp has been delegated to them. When I ask either of
those servers directly for the nameserver records for
mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers
for "ANY" records for that name shows an A record and a TXT (SPF) record
only. That makes this a lame delegation - but why do some recursive
nameservers report it as SERVFAIL and some as NOERROR? A difference
between nameservers, or nameserver versions?

Any ideas gratefully received. See below for dig outputs demonstrating
the above statements.

Regards, K.

dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp AAAA
; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; Query time: 582 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:09:43 2011
;; MSG SIZE rcvd: 38
But from other places, we get NOERROR (which is the correct answer,
because there is an A record with that name). This via Google DNS:
dns2-rz-ap:[log]$ dig mailergoat.rsi.co.jp AAAA @8.8.8.8
; <<>> DiG 9.2.4 <<>> mailergoat.rsi.co.jp AAAA @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 518
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp.
hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Query time: 523 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 27 13:10:07 2011
;; MSG SIZE rcvd: 90
Note that there *is* an A record with that name:
dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp
; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1627
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN A
;; ANSWER SECTION:
mailergoat.rsi.co.jp. 600 IN A 202.214.41.103
;; AUTHORITY SECTION:
mailergoat.rsi.co.jp. 260 IN NS gtm2.rsi.co.jp.
mailergoat.rsi.co.jp. 260 IN NS gtm1.rsi.co.jp.
;; ADDITIONAL SECTION:
gtm1.rsi.co.jp. 600 IN A 202.214.41.51
gtm2.rsi.co.jp. 600 IN A 202.25.214.15
;; Query time: 592 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:14:56 2011
;; MSG SIZE rcvd: 124
But from some places outside our network we also get SERVFAIL:
kauer at karl:~$ dig mailergoat.rsi.co.jp AAAA
; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; Query time: 544 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:09:40 2011
;; MSG SIZE rcvd: 38
The following sequence of three digs shows that when I ask the
reportedly authoritative servers directly about this name, they can and
do answer correctly. It's only when the query recurses that SERVFAIL
shows up:
kauer at karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp aaaa
; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43306
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31
10800 3600 604800 60
;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 21:40:09 2011
;; MSG SIZE rcvd: 90
kauer at karl:~$ dig @gtm2.rsi.co.jp mailergoat.rsi.co.jp aaaa
; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13474
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31
10800 3600 604800 60
;; Query time: 239 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 21:40:16 2011
;; MSG SIZE rcvd: 90
kauer at karl:~$ dig mailergoat.rsi.co.jp aaaa
; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59506
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN AAAA
;; Query time: 692 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:40:24 2011
;; MSG SIZE rcvd: 38
Asking gtm2 about nameservers for the domain:
kauer at karl:~$ dig @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns
; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44302
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN NS
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31
10800 3600 604800 60
;; Query time: 222 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 22:02:01 2011
;; MSG SIZE rcvd: 90
Asking gtm1 about nameservers for the domain:
kauer at karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns
; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28074
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN NS
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31
10800 3600 604800 60
;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:05:33 2011
;; MSG SIZE rcvd: 90
And in fact, only A and TXT records exist:
kauer at karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp any
; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30639
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN ANY
;; ANSWER SECTION:
mailergoat.rsi.co.jp. 600 IN A 202.214.41.103
mailergoat.rsi.co.jp. 600 IN TXT "v=spf1 a:mailergoat.rsi.co.jp ?all"
;; AUTHORITY SECTION:
rsi.co.jp. 500 IN NS gtm1.rsi.co.jp.
;; Query time: 264 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:06:19 2011
;; MSG SIZE rcvd: 120
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
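
The manual check in the message above (asking each delegated server directly for the zone's own NS records) as an added example, not part of the original post: a Python parser for dig's default output that reports a missing apex NS set and an SOA whose owner lies outside the delegated zone. The finding labels and the `child.example` sample are made up for illustration; the first sample is the gtm1 output from the post.

```python
import re

# From the post (wrapped SOA line rejoined): gtm1 asked for NS of the delegated name.
FROM_POST = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28074
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mailergoat.rsi.co.jp. IN NS
;; AUTHORITY SECTION:
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
"""

# Constructed sample: a server that does hold the child zone answers with its NS set.
CONSTRUCTED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
child.example. 300 IN NS ns1.child.example.
child.example. 300 IN NS ns2.child.example.
"""

def parse_dig(text):
    """Parse dig's default output into rcode, header flags and per-section records."""
    msg, section = {"status": None, "flags": set(), "sections": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"status: (\w+)", line):
            msg["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            msg["flags"] = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section and line and not line.startswith(";"):
            parts = line.split()  # owner, ttl, class, type, rdata...
            if len(parts) >= 5:  # ignore fragments of mail-wrapped records
                msg["sections"].setdefault(section, []).append((parts[0].lower(), parts[3], parts[4:]))
    return msg

def check_child_ns(zone, text):
    """Findings for an NS query sent straight to a server `zone` is delegated to."""
    msg, zone = parse_dig(text), zone.lower().rstrip(".") + "."
    out = [] if msg["status"] == "NOERROR" else ["rcode:%s" % msg["status"]]
    if "aa" not in msg["flags"]:
        out.append("not-authoritative")
    if not any(o == zone and t == "NS" for o, t, _ in msg["sections"].get("ANSWER", [])):
        out.append("no-apex-ns")
    out += ["soa-outside-zone:" + o for o, t, _ in msg["sections"].get("AUTHORITY", [])
            if t == "SOA" and o != zone and not o.endswith("." + zone)]
    return out
```

`check_child_ns("mailergoat.rsi.co.jp", FROM_POST)` returns `['no-apex-ns', 'soa-outside-zone:rsi.co.jp.']`, while the constructed healthy sample returns an empty list.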