Stumped - SERVFAIL vs NOERROR?

Mark Andrews marka at isc.org
Wed Apr 27 13:40:42 UTC 2011


In message <1303906294.2246.93.camel at karl>, Karl Auer writes:
> 
> Hi all.
> 
> Well, I'm stumped.
> 
> This is causing non-delivery of mail for the affected domain because it
> is blocking fallback from IPv6 to IPv4 for the domain. The problem
> smells like misconfigured IPv6 somewhere along the way, but all the
> servers involved (that have IPv6 addresses) seem to be answering OK.

The SMTP server will be failing on the MX lookup if it is following
the RFCs.  A and AAAA should only be looked up after getting a
NODATA response to a MX query.

> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
> a particular domain, namely "mailergoat.rsi.co.jp". But from other
> places, we get NOERROR (which is the correct answer, because there is a
> A record with that name). However, from some places outside our network
> we also get SERVFAIL.

The nameservers for mailergoat.rsi.co.jp are broken.  They return
the *wrong* SOA record in the response which can clearly be seen at
the end of a "dig +trace mailergoat.rsi.co.jp mx".

mailergoat.rsi.co.jp.	600	IN	NS	gtm1.rsi.co.jp.
mailergoat.rsi.co.jp.	600	IN	NS	gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms

rsi.co.jp.		60	IN	SOA	gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms

The correct SOA record would be "mailergoat.rsi.co.jp 60 IN SOA
gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60"
all other things being equal.

> Traces (using the +trace option to dig) are identical regardless of
> where we do them, besides some reordering of the nameserver results,
> which is normal.
> 
> One oddity (at least it seems odd to me) is that a trace ends with two
> nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in
> the nameserver list for rsi.co.jp, meaning that the domain
> mailergoat.rsi.co.jp has been delegated to them. When I ask either of
> those servers directly for the nameserver records for
> mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers
> for "ANY" records for that name shows an A record and a TXT (SPF) record
> only. That makes this a lame delegation - but why do some recursive
> nameservers report it as SERVFAIL and some as NOERROR? A difference
> between nameservers, or nameserver versions?

Different tolerances for errors.

Adding a MX record here will help.  One really shouldn't be depending
upon the implicit MX records generated from the A and AAAA records.

> Any ideas gratefully received. See below for dig outputs demonstrating
> the above statements.
> 
> Regards, K.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
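
Added example, not part of the original message and not BIND's own code: a simplified model of one sanity check a strict resolver can apply to a NODATA response after following a delegation, run against the records quoted above. The function names are hypothetical, and the sample lines are constructed from the dig output in the message.

```python
def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name is equal to or below zone."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_rr(line):
    """Parse one dig-style record line into (owner, ttl, class, type, rdata)."""
    f = line.split()
    return f[0], int(f[1]), f[2], f[3], " ".join(f[4:])

def delegated_zone(referral_lines):
    """Owner name of the NS records in the final referral (the zone cut)."""
    owners = {parse_rr(l)[0] for l in referral_lines if parse_rr(l)[3] == "NS"}
    if len(owners) != 1:
        raise ValueError("referral must name exactly one zone")
    return owners.pop()

def check_nodata_soa(qname, zone_cut, soa_line):
    """Return (ok, reason) for the SOA in the authority section of a NODATA reply."""
    owner, _ttl, _cls, rtype, _rdata = parse_rr(soa_line)
    if rtype != "SOA":
        return False, "authority record is not an SOA"
    if not is_subdomain(qname, owner):
        return False, "SOA owner is not an ancestor of the query name"
    if not is_subdomain(owner, zone_cut):
        # The servers were reached via a delegation of zone_cut, so an SOA
        # owned by a parent zone cannot belong to the zone they were asked about.
        return False, "SOA owner %s is above the delegated zone %s" % (owner, zone_cut)
    return True, "ok"

# Constructed from the dig +trace output quoted in the message.
QNAME = "mailergoat.rsi.co.jp."
REFERRAL = [
    "mailergoat.rsi.co.jp.\t600\tIN\tNS\tgtm1.rsi.co.jp.",
    "mailergoat.rsi.co.jp.\t600\tIN\tNS\tgtm2.rsi.co.jp.",
]
RETURNED_SOA = ("rsi.co.jp.\t\t60\tIN\tSOA\tgtm1.rsi.co.jp. "
                "hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60")
CORRECT_SOA = ("mailergoat.rsi.co.jp 60 IN SOA gtm1.rsi.co.jp. "
               "hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60")

if __name__ == "__main__":
    cut = delegated_zone(REFERRAL)
    for soa in (RETURNED_SOA, CORRECT_SOA):
        print(check_nodata_soa(QNAME, cut, soa))
```

A resolver that skips the second test accepts the response and reports NOERROR; one that enforces it treats the response as unusable, which is one way the same servers can produce both results.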


