BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

Spain, Dr. Jeffry A. spainj at countryday.net
Sun Jul 7 01:33:32 UTC 2013


> Looking at this further, it appears when EDNS is turned on in the Windows 2008 R2 DNS server (default, accepting DNSSEC responses), resolution fails occasionally with a SERVFAIL when NODATA is returned to BIND (i.e. 0 answers with a status code of NOERROR.)

I'm using Windows Server 2012 DNS with BIND 9.9.3 forwarders, and can't reproduce the issue. I tested "dig mx2.comcast.com srv +dnssec" and "dig bat.comcast.com srv +dnssec" against a Windows domain controller (simon) and its BIND 9.9.3 forwarder (nr1). All four queries, shown below, returned NOERROR. Perhaps this will provide you a useful basis for comparison in any event.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

--------------------

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\> dig '@simon' mx2.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @simon mx2.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;mx2.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
comcast.com.            899     IN      SOA     dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com.            899     IN      RRSIG   SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakWpPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
mx2.comcast.com.        899     IN      NSEC    mx3.comcast.com. A RRSIG NSEC

;; Query time: 31 msec
;; SERVER: 2001:4870:20ca:158:2c59:7bdf:ab15:4270#53(2001:4870:20ca:158:2c59:7bdf:ab15:4270)
;; WHEN: Sat Jul 06 21:12:35 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 331

PS C:\> dig '@nr1' mx2.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @nr1 mx2.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38367
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx2.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
mx2.comcast.com.        2173    IN      RRSIG   NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. pmOHJX7dSNuFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRwjPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=
mx2.comcast.com.        2173    IN      NSEC    mx3.comcast.com. A RRSIG NSEC
comcast.com.            2173    IN      SOA     dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com.            2173    IN      RRSIG   SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakWpPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=

;; Query time: 46 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sat Jul 06 21:12:46 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 502

PS C:\> dig '@simon' bat.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @simon bat.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26028
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;bat.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
comcast.com.            900     IN      SOA     dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com.            900     IN      RRSIG   SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakWpPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 900  IN      NSEC    www.bat.comcast.com. A RRSIG NSEC

;; Query time: 62 msec
;; SERVER: 2001:4870:20ca:158:2c59:7bdf:ab15:4270#53(2001:4870:20ca:158:2c59:7bdf:ab15:4270)
;; WHEN: Sat Jul 06 21:13:18 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 349

PS C:\> dig '@nr1' bat.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @nr1 bat.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60015
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bat.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
comcast.com.            3583    IN      SOA     dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com.            3583    IN      RRSIG   SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakWpPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 3583 IN      RRSIG   NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. U87nbvAj7j7pAk4kigqMyVy8XDeHqRP9756PTQsucrRTEchtScfBKWLl Eo7cWJc4Vcsfept+ixg0IiAxpwHATqwNTmq/giAeglFfeFmMHlXrhdOl Bl5myReo1gSXlpm0+bvinOFRek/MUlYGLvDAq17noJag2k1oXrvhaNBo qWo=
awrelaypool02.comcast.com. 3583 IN      NSEC    www.bat.comcast.com. A RRSIG NSEC

;; Query time: 46 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sat Jul 06 21:13:36 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 520
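
--------------------

A side-by-side comparison like the one above can be automated when a failure is only occasional. The following is an added example, not part of the original post: a hypothetical `classify` helper that reads saved dig output and reports whether a response is NODATA or SERVFAIL, whether the AD flag is set, and which NSEC/NSEC3 owners came back without a covering RRSIG. The sample responses are constructed (example.test names, signature data elided).

```python
import re

STATUS = re.compile(r"status: (\w+), id: \d+")
FLAGS = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")
# owner, TTL, class IN, type, first RDATA field (for RRSIG: the type covered)
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(\S+)[ \t]+(\S+)", re.M)
DENIAL = ("NSEC", "NSEC3")

def classify(dig_text):
    """Summarise one recursive dig response (hypothetical helper)."""
    status = STATUS.search(dig_text).group(1)
    flags, answers = FLAGS.search(dig_text).groups()
    # From a recursive server, NOERROR with zero answers is NODATA.
    outcome = "NODATA" if (status, answers) == ("NOERROR", "0") else status
    denial, signed = set(), set()
    for owner, rtype, first in RR.findall(dig_text):
        if rtype in DENIAL:
            denial.add(owner)
        elif rtype == "RRSIG" and first in DENIAL:
            signed.add(owner)
    return {"outcome": outcome, "ad": "ad" in flags.split(),
            "unsigned_denial": sorted(denial - signed)}

# Constructed samples (example.test names, signature data elided as "sig=").
UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;host.example.test.             IN      SRV
example.test.       900 IN SOA   ns.example.test. admin.example.test. 1 7200 3600 1209600 3600
example.test.       900 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 1 example.test. sig=
host.example.test.  900 IN NSEC  next.example.test. A RRSIG NSEC
"""
VALIDATED = UNVALIDATED.replace("qr rd ra;", "qr rd ra ad;") + (
    "host.example.test.  900 IN RRSIG NSEC 5 3 3600 20130711200520"
    " 20130704170020 1 example.test. sig=\n")
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, text in [("unvalidated", UNVALIDATED), ("validated", VALIDATED),
                       ("servfail", SERVFAIL)]:
        print(name, classify(text))
```

Run against output captured in a loop from both the forwarding server and its forwarder, the summaries show which hop first returns SERVFAIL and whether the denial-of-existence records it received were signed.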


