BIND9 SERVFAIL on some .gov addresses

Fri Feb 11 18:21:28 UTC 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>> health.nyc.gov query-errors:
>>
>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
>> at query.c:4630
>> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
>> resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
>> [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0
> 
> The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:
> 
>         if (result != ISC_R_SUCCESS) {
>                 if (result == DNS_R_ALIAS) {
>                         /*
>                          * XXXRTH  Follow the CNAME/DNAME chain?
>                          */
>                         dns_adb_destroyfind(&find);
>                         fctx->adberr++;
>                 }
>         }
> 
> [ ...and... ]
> 
>                         if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
>                                 fctx->lamecount++; /* cached lame server */
>                         else
>                                 fctx->adberr++; /* unreachable server, etc. */
> 
> This implies a connectivity issue between your client and the nyc.gov nameservers, I think.
> But there are local wizards lurking who are much more familiar with the code than I....

It is starting to appear as if this is an issue relating to EDNS, though
I can't see specifically how. It does not appear to even be a size
related issue, but instead possibly something to do with packet
fragmentation. I built a BIND 9.6.2 server on a CentOS VM -- works fine
off our network (connected via Verizon Wireless), but does not work on
campus.

What I don't quite understand is why querying say 8.8.8.8 with a copy of
dig on our network would work. Isn't the same thing ultimately going to
have to pass through the same place in our firewall/network eventually
whether it's a nameserver asking for it or a client?

- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1VfigACgkQmb+gadEcsb6i8gCgm2YnVtwVFTycUKK/JQgM9eTP
6WoAnAuZ31BQR4+xdWbyc9+tur1joI9i
=CIn8
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: novosirj.vcf
Type: text/x-vcard
Size: 301 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110211/f04b3090/attachment.vcf>