servfail only for a zone

John Miller johnmill at brandeis.edu
Mon Jul 13 18:47:06 UTC 2015


On Mon, Jul 13, 2015 at 2:15 PM, Lucio Crusca <lucio at sulweb.org> wrote:

>
> You have been persuasive enough, I'm definitely going to raise the expire
> value, but now the question is: are the SERVFAIL replies a consequence of
> the low expire value?
>

It doesn't help your cause _at_all_.  There could be a few reasons why
you're getting SERVFAIL responses from your second nameserver, but the zone
being expired is the most likely.  Check everything:

- physical connectivity between ns2 and ns1
- zone transfer settings (allow-transfer, allow-notify, TSIG settings and
keys, etc.)

A sample troubleshooting sequence run from ns2 might look something like:

- Can you ping ns1 from ns2?
- Can you query ns1 (dig @ns1) from ns2?
- Can you do a manual zone transfer from ns1 to ns2: dig @ns1 aquilacorde.com AXFR
- If you're using TSIG for your zone transfers, you'll need to set the
appropriate options in dig.
- On ns2, can you run "rndc reload" on aquilacorde.com?  What do your logs
say when you do this?
- What happens when you increment the zone's serial number on ns1?  Does
ns1 automatically send a NOTIFY?
- If you're able (there aren't other zones to worry about), what happens
when you restart BIND on ns2?  What do the logs say?

If you've done most of these troubleshooting steps, you'll know whether you
have:
- basic network connectivity
- basic DNS connectivity (UDP port 53)
- DNS zone transfer connectivity (TCP port 53; AXFR uses TCP)
- DNS zone transfer ability
- useful logging

and... CHANGE YOUR EXPIRE VALUE NOW!!

John
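
The checks in the message above end in two observations: what ns2 answers, and what the SOA on ns1 says. The script below is an added example, not part of the original message, that turns those two observations into a finding. The header line, the SOA values, the function names and the two-week threshold (the low end of RFC 1912's suggested expire range) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed sample data, not output from the poster's servers.
# Header line as printed by: dig @ns2 <zone> SOA +noall +comments
SECONDARY_HEADER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
# Answer as printed by: dig @ns1 <zone> SOA +short
# Fields: mname rname serial refresh retry expire minimum
PRIMARY_SOA='ns1.example.com. hostmaster.example.com. 2015071302 3600 900 7200 3600'

# Assumption: 1209600 s (2 weeks) is the low end of RFC 1912's suggested expire.
MIN_EXPIRE=1209600

# rcode_from_dig <header-text>: print the status (NOERROR, SERVFAIL, ...).
rcode_from_dig() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# soa_field <soa-line> <n>: print the n-th whitespace-separated field.
soa_field() {
    printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

# diagnose <primary-soa> <secondary-rcode> <secondary-soa>
# Prints one of: EXPIRED_LIKELY, TRANSFER_BROKEN, STALE, IN_SYNC, UNKNOWN.
diagnose() {
    expire=$(soa_field "$1" 6)
    case $2 in
    SERVFAIL)
        # The secondary has no usable copy of the zone.
        if [ "$expire" -lt "$MIN_EXPIRE" ]; then
            echo EXPIRED_LIKELY     # short expire: raise it, then test AXFR
        else
            echo TRANSFER_BROKEN    # check allow-transfer, TSIG, TCP port 53
        fi ;;
    NOERROR)
        # Plain numeric compare; ignores RFC 1982 serial wrap-around.
        if [ "$(soa_field "$3" 3)" -lt "$(soa_field "$1" 3)" ]; then
            echo STALE              # NOTIFY or refresh is not reaching ns2
        else
            echo IN_SYNC
        fi ;;
    *)  echo UNKNOWN ;;
    esac
}

# Demo on the constructed data: SERVFAIL from ns2 plus a 7200 s expire.
diagnose "$PRIMARY_SOA" "$(rcode_from_dig "$SECONDARY_HEADER")" ""
```

For live use, replace the two sample variables with the output of the dig commands named in the comments, run from ns2.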