intermittent SERVFAIL with a DLV domain

Tony Finch dot at
Wed Dec 23 12:14:09 UTC 2015

I have a couple of recursive servers running 9.10.3-P2 which are
intermittently returning SERVFAIL responses for queries under This domain is in; its
parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
give the correct authority for DS nodata responses.

One of my servers is currently in the broken state. named_dump.db has

; Bad cache
; [ttl 429219]

The TTL here is misleading - unlike other TTLs it is in milliseconds, so
it is more reasonable than it appears to be.

Based on reading the code, I think there are two ways for entries to get
into the bad cache: either the nameservers have no addresses or there is a
problem with the trust chain. I think the following cache entries rule the
first one out:

; glue
ns0.ai270.NET.          26445   A
; glue
ns1.ai270.NET.          26445   A

In the second case the name server addresses get added to a bad list.
Ah, but I have turned off lame server logging so I don't have a copy of
the relevant log line; I shall change that.

Anyone have any more clues about what might be going wrong?

f.anthony.n.finch  <dot at>
Malin, Hebrides: South or southwest 7 to severe gale 9, occasionally storm 10
later. Very rough or high, occasionally very high later. Rain or showers.
Moderate, occasionally poor.
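An added example (not part of the post above, nor BIND's own code) that does the two checks the post walks through by hand: read the `; Bad cache` section of a named_dump.db, report each entry's remaining lifetime with the milliseconds converted to seconds, and confirm that the delegation's nameservers have glue address records cached, which is the post's argument for ruling out the "no addresses" cause. The `; name/type [ttl N]` line shape, the owner name `lists.example.test`, the TEST-NET addresses and the section layout of the sample dump are assumptions constructed for this example; only the glue names and the 429219 figure come from the post.

```python
import re

# Constructed sample of a BIND 9.10 named_dump.db fragment. The glue names and the
# bad-cache lifetime are from the post; the addresses, the bad-cache owner name
# and the surrounding section layout are assumptions for this example.
SAMPLE_DUMP = """\
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
; glue
ns0.ai270.NET.          26445   A       192.0.2.10
; glue
ns1.ai270.NET.          26445   A       192.0.2.11
;
; Bad cache
;
; lists.example.test/A [ttl 429219]
; lists.example.test/AAAA [ttl 429219]
;
; Address database dump
;
"""

# Assumed shape of a bad-cache line: "; <owner>/<type> [ttl <milliseconds>]".
BAD_LINE = re.compile(r"^;\s*(?P<name>\S+)/(?P<type>[A-Z0-9]+)\s+\[ttl\s+(?P<ms>\d+)\]\s*$")
# An address RR in the cache dump: "<name> <ttl> [IN] A|AAAA [<rdata>]". The rdata is
# optional because the copy in the post has the addresses stripped.
ADDR_RR = re.compile(r"^(?P<name>\S+)\s+\d+\s+(?:IN\s+)?(?P<type>A|AAAA)\b\s*(?P<rdata>\S*)")


def parse_bad_cache(dump_text):
    """Return [(owner, rrtype, remaining_ms)] from the '; Bad cache' section.

    Unlike every other TTL in named_dump.db, the bad-cache lifetime is printed
    in milliseconds, so the raw number is kept here and converted only for
    display by format_remaining()."""
    entries = []
    in_section = False
    for line in dump_text.splitlines():
        if line.startswith("; Bad cache"):
            in_section = True
            continue
        if not in_section or line.strip() == ";":
            continue
        m = BAD_LINE.match(line)
        if m is None:
            break  # any other comment or record line ends the section
        entries.append((m.group("name"), m.group("type"), int(m.group("ms"))))
    return entries


def format_remaining(ms):
    """Render a bad-cache lifetime given in milliseconds as MmSSs, floored to seconds."""
    secs = ms // 1000
    return "%dm%02ds" % divmod(secs, 60)


def parse_glue(dump_text):
    """Map each name flagged '; glue' to the (type, rdata) address records that follow it."""
    glue = {}
    lines = dump_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() != "; glue":
            continue
        m = ADDR_RR.match(lines[i + 1])
        if m:
            glue.setdefault(m.group("name").lower(), []).append((m.group("type"), m.group("rdata")))
    return glue


def nameservers_have_addresses(dump_text, ns_names):
    """The post's first hypothesis: did the name land in the bad cache because its
    nameservers have no addresses? Returns False if any NS name in ns_names (the
    zone's NS set, supplied by the caller) has no glue address record in the dump."""
    glue = parse_glue(dump_text)
    return all(glue.get(ns.lower()) for ns in ns_names)


if __name__ == "__main__":
    for owner, rrtype, ms in parse_bad_cache(SAMPLE_DUMP):
        print("bad cache: %s/%s expires in %s" % (owner, rrtype, format_remaining(ms)))
    ok = nameservers_have_addresses(SAMPLE_DUMP, ["ns0.ai270.NET.", "ns1.ai270.NET."])
    print("nameserver glue present:", ok)
```

Run against a real dump (`rndc dumpdb -all`, then read named_dump.db) with the zone's actual NS names; if the glue check passes while the name is still in the bad cache, the remaining explanation is the trust-chain one, which is where the lame-server log line the post mentions becomes useful.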

