BIND9 SERVFAIL on some .gov addresses

Chuck Swiger cswiger at mac.com
Thu Feb 10 21:19:21 UTC 2011


On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
> health.nyc.gov query-errors:
> 
> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
> at query.c:4630
> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
> resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
> [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0

The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:

        if (result != ISC_R_SUCCESS) {
                if (result == DNS_R_ALIAS) {
                        /*
                         * XXXRTH  Follow the CNAME/DNAME chain?
                         */
                        dns_adb_destroyfind(&find);
                        fctx->adberr++;
                }
        }

[ ...and... ]

                        if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
                                fctx->lamecount++; /* cached lame server */
                        else
                                fctx->adberr++; /* unreachable server, etc. */

This implies a connectivity issue between your client and the nyc.gov nameservers, I think.
But there are local wizards lurking who are much more familiar with the code than I....

For the other example:

>  resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.000069: timed out/success
> [domain:idphdomain.idph.state.ia.us,referral:3,restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]


I get no response either.  I'd imagine a delegation problem somewhere in the list of domains, although if you poke around, you can find servers which will answer and claim no MX records exist:

% dig -t ns idphdomain.idph.state.ia.us @dns1.uiowa.edu

; <<>> DiG 9.6.3 <<>> -t ns idphdomain.idph.state.ia.us @dns1.uiowa.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38483
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;idphdomain.idph.state.ia.us.	IN	NS

;; AUTHORITY SECTION:
idph.state.ia.us.	28800	IN	NS	cyclone.idph.state.ia.us.
idph.state.ia.us.	28800	IN	NS	hawkeye.idph.state.ia.us.
idph.state.ia.us.	28800	IN	NS	panther.idph.state.ia.us.
[ ... ]

% dig -t mx idphdomain.idph.state.ia.us @cyclone.idph.state.ia.us

; <<>> DiG 9.6.3 <<>> -t mx idphdomain.idph.state.ia.us @cyclone.idph.state.ia.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58256
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;idphdomain.idph.state.ia.us.	IN	MX

;; AUTHORITY SECTION:
idphdomain.idph.state.ia.us. 86400 IN	NS	idphadc4.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN	NS	w2k8dc1.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN	NS	w2k8dc2.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN	NS	idphadc1.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN	NS	idphadc2.idphdomain.idph.state.ia.us.
idphdomain.idph.state.ia.us. 86400 IN	NS	idphadc3.idphdomain.idph.state.ia.us.
[ ... ]

Regards,
-- 
-Chuck
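
Added example, not part of the original message and not BIND code: a small Python parser for the "fetch completed" query-errors lines quoted above. It extracts the bracketed counters and applies the same reading used in this message (adberr with no query sent, versus queries sent that mostly time out). The function names, labels and thresholds are assumptions for illustration; the first sample line is the one quoted above (closing bracket missing, as quoted), and the timestamp on the second is constructed.

```python
import re

# Sample input: counters copied from the two log entries in this message.
# The timestamp on the second line is constructed.
SAMPLE = [
    "10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at "
    "resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success "
    "[domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,"
    "neterr:0,badresp:0,adberr:4,findfail:0,valfail:0",
    "10-Feb-2011 15:33:00.000 query-errors: debug 2: fetch completed at "
    "resolver.c:3178 for idphdomain.idph.state.ia.us/MX in 30.000069: "
    "timed out/success [domain:idphdomain.idph.state.ia.us,referral:3,"
    "restart:4,qrysent:20,timeout:19,lame:0,neterr:0,badresp:0,adberr:0,"
    "findfail:0,valfail:0]",
]

# The closing bracket is optional so truncated or wrapped lines still parse.
LINE_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>\S+)/(?P<type>\w+) "
    r"in (?P<secs>[\d.]+): (?P<result>[^\[]+?) \[(?P<counters>[^\]]*)\]?"
)

def parse_fetch(line):
    """Return a dict of fields and counters, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"where": m["where"], "name": m["name"], "type": m["type"],
           "secs": float(m["secs"]), "result": m["result"]}
    for item in m["counters"].split(","):
        key, sep, val = item.partition(":")
        if sep:
            rec[key] = int(val) if val.isdigit() else val
    return rec

def classify(rec):
    """Heuristic labels (assumed names and thresholds, not BIND terminology)."""
    sent, timeouts = rec.get("qrysent", 0), rec.get("timeout", 0)
    if sent == 0 and rec.get("adberr", 0) > 0:
        return "adb-error-no-query-sent"   # no usable server address was found
    if timeouts > 0 and timeouts * 2 >= sent:
        return "servers-not-responding"    # most queries sent went unanswered
    if rec.get("lame", 0) > 0:
        return "lame-delegation"
    return "other"

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_fetch(line)
        print(rec["name"], rec["type"], rec["secs"], classify(rec))
```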