intermittent SERVFAIL with a DLV domain
Tony Finch
dot at dotat.at
Wed Dec 23 12:14:09 UTC 2015
I have a couple of recursive servers running 9.10.3-P2 which are
intermittently returning SERVFAIL responses for queries under
a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
give the correct authority for DS nodata responses.
http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/
One of my servers is currently in the broken state. named_dump.db has
; Bad cache
;
; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]
The TTL here is misleading - unlike other TTLs it is in milliseconds, so
it is more reasonable than it appears to be.
Based on reading the code, I think there are two ways for entries to get
into the bad cache: either the nameservers have no addresses or there is a
problem with the trust chain. I think the following cache entries rule the
first one out:
; glue
ns0.ai270.NET. 26445 A 94.126.40.2
; glue
ns1.ai270.NET. 26445 A 213.133.150.9
In the second case the name server addresses get added to a bad list.
Ah, but I have turned off lame server logging so I don't have a copy of
the relevant log line; I shall change that.
Anyone have any more clues about what might be going wrong?
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Malin, Hebrides: South or southwest 7 to severe gale 9, occasionally storm 10
later. Very rough or high, occasionally very high later. Rain or showers.
Moderate, occasionally poor.
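As an added diagnostic aid (not code from the post or from BIND), a small Python parser for the named_dump.db sections quoted above: it converts the bad-cache TTL from milliseconds to seconds and checks whether each nameserver of the affected zone has a cached A/AAAA address, so the "no addresses" cause can be ruled in or out. The NS records in the constructed excerpt are an assumption; the post only shows the glue lines.

```python
import re
from collections import defaultdict

# Constructed named_dump.db excerpt modelled on the lines quoted in the post.
# The two NS records are assumed; only the bad-cache and glue lines are from the post.
DUMP = """\
; Bad cache
;
; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]
;
a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. 3600 NS ns0.ai270.NET.
a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. 3600 NS ns1.ai270.NET.
; glue
ns0.ai270.NET. 26445 A 94.126.40.2
; glue
ns1.ai270.NET. 26445 A 213.133.150.9
"""

BAD_RE = re.compile(r"^;\s*(\S+)/(\S+)\s+\[ttl\s+(\d+)\]")        # bad-cache line, TTL in ms
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)$")  # cached RR line

def norm(name):
    """Lower-case and drop the trailing dot so both line styles compare equal."""
    return name.lower().rstrip(".")

def parse_dump(text):
    """Return (bad_entries, rrs): bad_entries as (name, type, ttl_ms),
    rrs keyed by (owner, type) -> list of rdata."""
    bad, rrs, in_bad = [], defaultdict(list), False
    for line in text.splitlines():
        if line.startswith("; Bad cache"):
            in_bad = True
            continue
        m = BAD_RE.match(line) if in_bad else None
        if m:
            name, rtype, ttl_ms = m.groups()
            bad.append((norm(name), rtype, int(ttl_ms)))
            continue
        m = RR_RE.match(line)
        if m:
            in_bad = False  # first real RR line ends the bad-cache section
            owner, _ttl, rtype, rdata = m.groups()
            rrs[(norm(owner), rtype)].append(norm(rdata))
    return bad, rrs

def glue_status(bad, rrs):
    """For each bad-cache entry, report its TTL in seconds, the zone's NS names
    and those NS names with no cached A/AAAA; an empty missing list means the
    'nameservers have no addresses' cause is ruled out."""
    report = {}
    for name, rtype, ttl_ms in bad:
        nss = rrs.get((name, "NS"), [])
        missing = [ns for ns in nss if not rrs.get((ns, "A")) and not rrs.get((ns, "AAAA"))]
        report[f"{name}/{rtype}"] = {"ttl_seconds": ttl_ms / 1000, "ns": nss, "missing_glue": missing}
    return report
```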