SERVFAIL on a CNAME, but NOERROR when querying the CNAME itself

Laurent Bauer l.bauer at mailclub.fr
Thu Jun 30 09:13:00 UTC 2011


	Hello,

I have a problem resolving "manage.logicboxes.com" with bind. I tried
versions 9.7.3, 9.7.1-P2 and 9.6-ESV-R1, all of them return a SERVFAIL
with a pretty long query time:

; <<>> DiG 9.7.1-P2 <<>> manage.logicboxes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13208
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;manage.logicboxes.com.		IN	A

;; Query time: 1246 msec

Same error with "+cd" (there are no DS or signatures anywhere in the
related zones anyway, except for .com).
But "dig +trace" returns the correct CNAME as an answer:
  manage.logicboxes.com. 14400 IN CNAME www.myorderbox.com.
as does every authoritative NS when queried separately.
Also, bind resolves the CNAME itself.

Here are some debug messages; I am not sure what exactly they mean
(particularly the "failure/success" part):

30-Jun-2011 10:25:23.586 query-errors: debug 1: client 192.168.1.125#45637: query failed (SERVFAIL) for manage.logicboxes.com/IN/A at query.c:4651
30-Jun-2011 10:25:23.587 query-errors: debug 2: fetch completed at resolver.c:3088 for manage.logicboxes.com/A in 1.247324: failure/success [domain:logicboxes.com,referral:0,restart:2,qrysent:12,timeout:0,lame:0,neterr:0,badresp:12,adberr:0,findfail:0,valfail:0]

Some other resolvers (OpenDNS, Google) return the expected answer:
; <<>> DiG 9.7.1-P2 <<>> manage.logicboxes.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;manage.logicboxes.com.		IN	A

;; ANSWER SECTION:
manage.logicboxes.com.	12110	IN	CNAME	www.myorderbox.com.
www.myorderbox.com.	84110	IN	A	67.15.47.4

Is bind less tolerant about some kind of setup mistake (which I don't
get, anyway)?
I checked "logicboxes.com" with zonecheck, which fails because the NS IP
addresses are not unique (and also gives some warnings about refresh/retry
values and NS not answering ICMP requests), but I don't think that
explains my problem.

Last question: is it OK that the primary server in the SOA field is
just "."?
  logicboxes.com. 86400 IN SOA . hostmaster.logicboxes.com. 6 900 300 864000 600

Thanks for helping

	Laurent
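
An added example, not part of the original post: a Python parser for the resolver's "fetch completed" query-errors line quoted above, which pulls out the counters and compares them with qrysent. As the BIND ARM describes this category, the two words before the bracket are the final result and the latest DNSSEC validation result; the function names and the hint rules in diagnose() are assumptions of this example.

```python
import re

# Log line copied from the post above, joined back onto one line.
SAMPLE = ("30-Jun-2011 10:25:23.587 query-errors: debug 2: fetch completed at "
          "resolver.c:3088 for manage.logicboxes.com/A in 1.247324: failure/success "
          "[domain:logicboxes.com,referral:0,restart:2,qrysent:12,timeout:0,lame:0,"
          "neterr:0,badresp:12,adberr:0,findfail:0,valfail:0]")

FETCH_RE = re.compile(
    r"fetch completed at (?P<src>\S+) for (?P<name>\S+)/(?P<type>\w+) "
    r"in (?P<secs>[\d.]+): (?P<result>[^/]+)/(?P<validation>.+?) "
    r"\[(?P<fields>[^\]]*)\]")

def parse_fetch(line):
    """Return a dict for a 'fetch completed' line, or None for any other message."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    counters = {}
    for item in rec.pop("fields").split(","):
        if not item:
            continue
        key, _, value = item.partition(":")
        # Counters are integers; "domain" carries the zone name and stays a string.
        counters[key] = int(value) if value.isdigit() else value
    rec["counters"] = counters
    return rec

def diagnose(rec):
    """Heuristic hints derived from the counters (rules assumed by this example)."""
    c = rec["counters"]
    sent = c.get("qrysent", 0)
    hints = []
    if sent and c.get("badresp", 0) >= sent:
        hints.append("every query sent got an unexpected response")
    if sent and c.get("timeout", 0) + c.get("neterr", 0) >= sent:
        hints.append("servers unreachable or silent")
    if c.get("lame", 0):
        hints.append("lame delegation detected")
    if c.get("valfail", 0) or rec["validation"] != "success":
        hints.append("DNSSEC validation failed")
    return hints

if __name__ == "__main__":
    record = parse_fetch(SAMPLE)
    print(record["name"], record["result"], diagnose(record))
```

On the line from the post, badresp equals qrysent while timeout, neterr, lame and valfail are all zero, so the servers for logicboxes.com answered every query and the resolver rejected each answer.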


