Forward zone giving SERVFAIL

Neil Aggarwal neil at JAMMConsulting.com
Thu Nov 28 03:27:47 UTC 2013


Hello:

I set up a forward zone in the internal view of my named.conf:

view internal {
        match-clients {
                127.0.0.1;
                };
        recursion yes;
        allow-query-cache { any; };
        zone "dnsbl" {
                type forward;
                forwarders {
                        127.0.0.1 port 54;
                        };
                forward only;
                };
        };

When I run dig against the forward zone:
dig -p 54 @127.0.0.1 2.0.0.127.zen.dnsbl

It gives me the expected output:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -p 54 @127.0.0.1 2.0.0.127.zen.dnsbl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57571
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;2.0.0.127.zen.dnsbl.           IN      A

;; ANSWER SECTION:
2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.2
2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.10
2.0.0.127.zen.dnsbl.    300     IN      A       127.0.0.4

;; Query time: 1 msec
;; SERVER: 127.0.0.1#54(127.0.0.1)
;; WHEN: Wed Nov 27 21:24:45 2013
;; MSG SIZE  rcvd: 85

But, when I run dig against bind:
dig -p 53 @127.0.0.1 2.0.0.127.zen.dnsbl

I get a SERVFAIL response:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -p 53 @127.0.0.1 2.0.0.127.zen.dnsbl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46895
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.dnsbl.           IN      A

;; Query time: 144 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 27 21:25:50 2013
;; MSG SIZE  rcvd: 37

Taking a look at /var/named/data/named.run, I see these lines:
error (chase DS servers) resolving 'zen.dnsbl/DS/IN': 127.0.0.1#54
error (unexpected RCODE REFUSED) resolving 'dnsbl/NS/IN': 127.0.0.1#54
error (no valid DS) resolving '2.0.0.127.zen.dnsbl/A/IN': 127.0.0.1#54

I am not sure what to make of this.

Anyone have any ideas?

Thanks,
  Neil

--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.
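
Added example (not part of the message above and not BIND's own code): a small Python triage of the named.run resolver errors quoted in the message, grouping them by upstream server and marking the ones on the DNSSEC validation path (DS is the DNSSEC delegation-signer record type). The function names are this example's own, and the line format the regex expects is assumed from the three lines quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the three resolver errors quoted in the message above.
SAMPLE_LOG = """\
error (chase DS servers) resolving 'zen.dnsbl/DS/IN': 127.0.0.1#54
error (unexpected RCODE REFUSED) resolving 'dnsbl/NS/IN': 127.0.0.1#54
error (no valid DS) resolving '2.0.0.127.zen.dnsbl/A/IN': 127.0.0.1#54
"""

# Assumed line shape: error (<reason>) resolving '<name>/<type>/<class>': <addr>#<port>
LINE_RE = re.compile(
    r"error \((?P<reason>[^)]*)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def parse_errors(text):
    """Return one dict per resolver error line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a leading timestamp
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        # A DS lookup, or a reason that names DS, is on the validation path.
        rec["dnssec"] = rec["rtype"] == "DS" or bool(re.search(r"\bDS\b", rec["reason"]))
        out.append(rec)
    return out

def summarize(records):
    """Group errors by upstream server, split into DNSSEC-path and other."""
    summary = defaultdict(lambda: {"dnssec": [], "other": []})
    for r in records:
        server = f"{r['addr']}#{r['port']}"
        bucket = "dnssec" if r["dnssec"] else "other"
        summary[server][bucket].append((r["name"], r["rtype"], r["reason"]))
    return dict(summary)

if __name__ == "__main__":
    for server, groups in summarize(parse_errors(SAMPLE_LOG)).items():
        print(server)
        for kind in ("dnssec", "other"):
            for name, rtype, reason in groups[kind]:
                print(f"  [{kind}] {name} {rtype}: {reason}")
```

On the sample, two of the three errors, including the one for the A record that was queried, fall in the DNSSEC group for 127.0.0.1#54; the NS query that was refused is the remaining one.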




