SERVFAIL with ocsp.entrust.net.

Bischof, Ralph F. (MSFC-IS40)[NICS] ralph.bischof at nasa.gov
Tue Apr 24 15:10:36 UTC 2012

> -----Original Message-----
> From: bind-users-bounces+ralph.bischof=nasa.gov at lists.isc.org
> [mailto:bind-users-bounces+ralph.bischof=nasa.gov at lists.isc.org] On Behalf
> Of Barry Margolin
> Sent: Tuesday, April 24, 2012 9:37 AM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: SERVFAIL with ocsp.entrust.net.
> 
> In article <mailman.576.1335276428.63724.bind-users at lists.isc.org>,
>  "Bischof, Ralph F. (MSFC-IS40)[NICS]" <ralph.bischof at nasa.gov> wrote:
> 
> > Hello,
> >
> > 	I have been trying to find out why my caching servers are giving
> > SERVFAIL as an answer for any type of query except for an A record for
> > the domain in the subject. Whether I try a AAAA, TXT, SOA, PTR, TXT,
> > etc, I get a SERVFAIL answer. Yet, it seems that anyone else in the
> > world is getting NOERROR. Now, when I direct the query to the
> > Microsoft DNS servers (8.8.8.8), I also get NOERROR. I have tried
> > different versions of clients (9.4.3-P5 and
> > 9.6-ESV-R4-P3) and get the same response, so I do not think that is
> > the issue.
> 
> 8.8.8.8 is Google Public DNS, nothing to do with Microsoft.

Oops. Had MS on the mind. I honestly meant Google. 

> >
> > 	When I use a 'dig +trace', the end of the chain shows a server that
> > does not exist in the last answer consisting of the SOA record. In
> > fact, since Sungard is involved, the whole chain makes no sense to me.
> > I have edited out the extra stuff, but here is what I try to do.
> 
> They're delegating the ocsp.entrust.net subdomain to gnsX.sungardns.com,
> but those machines are configured to be authoritative for the entire
> entrust.net zone.  But they have different contents than the real entrust.net
> zone.  This is causing confusion in caching servers, because negative
> responses (like the NOANSWER response to AAAA queries) have the wrong
> domain in the authority section.

Right. I have tried to explain this to both Sungard and Entrust. I don't understand how this works. Would you agree that this is a misconfiguration?
> 
> >
> > First, here is the 'dig +trace' with an A query. I left out the list
> > of the root and gtld servers.
> > [bischrf at nsc1 ~]$ dig +trace ocsp.entrust.net. a
> > ;; Received 300 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
> > ;; Received 491 bytes from 192.5.5.241#53(f.root-servers.net) in 26 ms
> >
> > entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
> > entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
> > entrust.net.            172800  IN      NS      ns1.entrust.net.
> > entrust.net.            172800  IN      NS      ns2.entrust.net.
> > ;; Received 203 bytes from 192.42.93.30#53(g.gtld-servers.net) in 115 ms
> >
> > ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
> > ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
> > ;; Received 85 bytes from 216.13.122.23#53(secondary-ns1.allstream.com) in 120 ms
> >
> > ocsp.entrust.net.       30      IN      A       216.191.247.139
> > ;; Received 50 bytes from 207.19.96.22#53(gns1.sungardns.com) in 109 ms
> > ------------------------
> > Then a 'dig +trace' looking for the AAAA record.
> > [bischrf at nsc1 ~]$ dig +trace ocsp.entrust.net. aaaa
> > ;; Received 344 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
> > ;; Received 491 bytes from 199.7.83.42#53(l.root-servers.net) in 160 ms
> >
> > entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
> > entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
> > entrust.net.            172800  IN      NS      ns1.entrust.net.
> > entrust.net.            172800  IN      NS      ns2.entrust.net.
> > ;; Received 203 bytes from 192.26.92.30#53(c.gtld-servers.net) in 34 ms
> >
> > ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
> > ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
> > ;; Received 85 bytes from 216.191.247.202#53(ns2.entrust.net) in 125 ms
> >
> > entrust.net.            60      IN      SOA     phlig3.oamp.sgns.net. hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
> > ;; Received 98 bytes from 207.19.96.22#53(gns1.sungardns.com) in 111 ms
> > NOTE: phlig3.oamp.sgns.net does not exist.
> > ----------------------------------
> >
> > Here is the query that works.
> > [bischrf at nsc1 ~]$ dig ocsp.entrust.net. a
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29329
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; ANSWER SECTION:
> > ocsp.entrust.net.       24      IN      A       216.191.247.203
> >
> > ;; AUTHORITY SECTION:
> > ocsp.entrust.net.       1675    IN      NS      gns1.sungardns.com.
> > ocsp.entrust.net.       1675    IN      NS      gns2.sungardns.com.
> > ---------------------------
> >
> > Now a AAAA query. Note there is no authority.
> > [bischrf at nsc1 ~]$ dig ocsp.entrust.net. aaaa
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20073
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > --------------------------
> >
> > So now I try to follow the chain.
> > 1) Query entrust.net. for the NS records. I get 4.
> > [bischrf at nsc1 ~]$ dig entrust.net. ns
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17958
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
> >
> > ;; ANSWER SECTION:
> > entrust.net.            1617    IN      NS      ns2.entrust.net.
> > entrust.net.            1617    IN      NS      secondary-ns1.allstream.com.
> > entrust.net.            1617    IN      NS      ns1.entrust.net.
> > entrust.net.            1617    IN      NS      secondary-ns2.allstream.com.
> > ---------------------
> >
> > 2) I pick one of those and ask for the NS records for ocsp.entrust.net.
> > [bischrf at nsc1 ~]$ dig @ns1.entrust.net. ocsp.entrust.net. ns
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7029
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; AUTHORITY SECTION:
> > ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
> > ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
> > ----------------------
> >
> > 3) I pick one of those and try a AAAA query.
> > [bischrf at nsc1 ~]$ dig @gns1.sungardns.com. ocsp.entrust.net. aaaa
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4292
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; AUTHORITY SECTION:
> > entrust.net.            60      IN      SOA     phlig3.oamp.sgns.net. hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
> > ------------------------------
> >
> > Note above that I do get an authority, yet the MNAME does not exist.
> > In fact, when I direct a query to the Microsoft DNS server for the
> > record
> 
> MNAME is not involved in resolving names, so why does this matter?  For
> most domains, MNAME can be ignored entirely.

I am pulling at straws. A thought that I had is that the MNAME in the SOA for entrust.net. was being inserted into my cache for an NS record, therefore the caching server tries to go to the nonexistent server for AAAA resolution. Okay, it was a very long shot. :-)
> 
> > "phlig3.oamp.sgns.net", I get a SERVFAIL.
> > [bischrf at nsc1 ~]$ dig @8.8.8.8 phlig3.oamp.sgns.net.
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58650
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >  -------------------------------
> >
> > So I try to find what is up with that record and I end up with a dead
> > end at the NS records for oamp.sgns.net. I find the NS records, but I
> > cannot get an IP for either one of them.
> > [bischrf at nsc1 ~]$ dig sgns.net. ns
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19454
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; ANSWER SECTION:
> > sgns.net.               1779    IN      NS      ns2.sungardns.com.
> > sgns.net.               1779    IN      NS      ns1.sungardns.com.
> >  -------------------------------------------
> >  [bischrf at nsc1 ~]$ dig @ns2.sungardns.com. oamp.sgns.net. ns
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64087
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; AUTHORITY SECTION:
> > oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
> > oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
> > ------------------------------
> > [bischrf at nsc1 ~]$ dig @ns2.sungardns.com. phlnn1.oamp.sgns.net.
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25825
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; AUTHORITY SECTION:
> > oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
> > oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
> >  -------------------------------------
> > [bischrf at nsc1 ~]$ dig @ns2.sungardns.com. hounn1.oamp.sgns.net.
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56868
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; AUTHORITY SECTION:
> > oamp.sgns.net.          3600    IN      NS      phlnn1.oamp.sgns.net.
> > oamp.sgns.net.          3600    IN      NS      hounn1.oamp.sgns.net.
> >  ---------------------------
> >
> > 	I did talk with both Sungard and Entrust on what I found and they
> > sent me an email that they fixed "something" last night. How can I
> > troubleshoot more why my servers are reporting SERVFAIL for any non-A
> > types for this domain where it seems that everyone else in the world
> > is getting NOERROR? Thank you for reading this far and any help that you
> > can provide.
> >
> >
> > Thank you,
> > Ralph F. Bischof, Jr.
> > NASA Agency IPAM/DNS/DHCP
> > SAIC/NICS
> > 256-544-3982
> 
> --
> Barry Margolin
> Arlington, MA
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


Thank you,
Ralph F. Bischof, Jr.
NASA Agency IPAM/DNS/DHCP
SAIC/NICS
256-544-3982
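The failure Barry describes above, worked through as an added example (this is not code from the thread, from BIND, Entrust or SunGard, and it does not claim to reproduce BIND's internal logic or log wording). It encodes the rule a caching resolver applies to a negative answer: the SOA in the authority section must belong to a zone at or below the point the answering server was delegated. gns1.sungardns.com was delegated ocsp.entrust.net but answers the AAAA query with an SOA for entrust.net, so the record is out of bailiwick, nothing can be negative-cached, and the client sees SERVFAIL. The delegation chain and the observed SOA are copied from the dig output in the thread; the "fixed" SOA and the nosuchname.entrust.net query name are hypothetical, constructed to show the correct counterpart.

```python
"""Bailiwick check for negative (NODATA/NXDOMAIN) DNS answers.

Added example for the ocsp.entrust.net thread; not code from BIND, Entrust
or SunGard.  Sample records come from the thread's dig output except where
marked hypothetical.
"""
from dataclasses import dataclass


def labels(name: str) -> list:
    """Labels of a DNS name, most specific first, lower-cased; "." gives []."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def is_subdomain(child: str, parent: str) -> bool:
    """True if child equals parent or lies below it (the root contains everything)."""
    c, p = labels(child), labels(parent)
    return not p or (len(c) >= len(p) and c[-len(p):] == p)


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str


def parse_dig_rr(line: str) -> RR:
    """Parse one presentation-format line as dig prints it: owner TTL class type rdata."""
    owner, _ttl, _class, rtype, *rdata = line.split()
    return RR(owner, rtype, " ".join(rdata))


@dataclass
class Referral:
    zone: str      # owner of the NS set the parent handed out
    servers: list  # names of the delegated servers


def bailiwick(referrals: list) -> str:
    """Zone the final server in a trace was delegated: the deepest NS owner seen."""
    return max((r.zone for r in referrals), key=lambda z: len(labels(z)))


def check_negative_answer(qname: str, referrals: list, authority: list) -> tuple:
    """Decide whether a negative answer is usable by a caching resolver.

    Returns (ok, reason).  The authority section must carry an SOA whose
    owner is (1) an ancestor of qname and (2) at or below the zone this
    server was delegated.  The SOA's MNAME is never consulted.
    """
    zone = bailiwick(referrals)
    soas = [rr for rr in authority if rr.rtype == "SOA"]
    if not soas:
        return False, "no SOA in authority section: nothing to negative-cache"
    soa = soas[0]
    if not is_subdomain(qname, soa.owner):
        return False, f"SOA owner {soa.owner} is not an ancestor of {qname}"
    if not is_subdomain(soa.owner, zone):
        return False, (f"SOA owner {soa.owner} is above the delegation point {zone}: "
                       f"the server was only delegated {zone}, so the SOA is out of bailiwick")
    return True, f"negative answer for {qname} cacheable under {soa.owner}"


# Delegation chain as shown by 'dig +trace' in the thread.
TRACE = [
    Referral("entrust.net.", ["ns1.entrust.net.", "ns2.entrust.net.",
                              "secondary-ns1.allstream.com.", "secondary-ns2.allstream.com."]),
    Referral("ocsp.entrust.net.", ["gns1.sungardns.com.", "gns2.sungardns.com."]),
]

# Authority section gns1.sungardns.com returned for the AAAA query (from the thread).
OBSERVED = [parse_dig_rr("entrust.net. 60 IN SOA phlig3.oamp.sgns.net. "
                         "hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60")]

# Hypothetical authority section a correctly configured ocsp.entrust.net zone would return.
FIXED = [parse_dig_rr("ocsp.entrust.net. 60 IN SOA gns1.sungardns.com. "
                      "hostmaster.sungardns.com. 1 10800 3600 604800 60")]


def evaluate_cases() -> dict:
    """Run the check over the thread's situation and its corrected counterparts."""
    return {
        # What the caching servers saw: SOA above the delegation -> unusable -> SERVFAIL.
        "observed_aaaa": check_negative_answer("ocsp.entrust.net.", TRACE, OBSERVED),
        # Same server, SOA at the delegated apex -> cacheable NODATA, NOERROR for the client.
        "fixed_aaaa": check_negative_answer("ocsp.entrust.net.", TRACE, FIXED),
        # The same entrust.net SOA is fine when an entrust.net server sends it
        # (hypothetical query name directly under entrust.net).
        "parent_server": check_negative_answer("nosuchname.entrust.net.", TRACE[:1], OBSERVED),
        # A name deeper inside the delegated zone is still covered by the apex SOA.
        "deeper_name": check_negative_answer("x.ocsp.entrust.net.", TRACE, FIXED),
    }


if __name__ == "__main__":
    for case, (ok, reason) in evaluate_cases().items():
        print(f"{case:14} {'OK    ' if ok else 'REJECT'} {reason}")
```

The check never looks at the SOA's MNAME, which is why the nonexistent phlig3.oamp.sgns.net is a red herring: the record is rejected purely because its owner, entrust.net, sits above the ocsp.entrust.net delegation that led the resolver to gns1.sungardns.com. Running the trace by hand as in the thread, the thing to compare is the owner name of the SOA in the final server's authority section against the owner name of the last NS referral.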
