SERVFAIL when looking up TXT from particular domain

Kevin Darcy kevin.darcy at fcagroup.com
Thu Jun 27 00:49:30 UTC 2019


There's a huge amount of DNSSEC verbiage in the response to that query
(4931-byte response from the authoritative nameservers), when querying
with +dnssec. I'm guessing the resolver function of BIND might be having
trouble with DNSSEC validation. At least, that's a hypothesis. I'm not
familiar enough with the current BIND code to confirm/deny it.

                                                               - Kevin




On Wed, Jun 26, 2019 at 9:19 AM Dennis via bind-users <
bind-users at lists.isc.org> wrote:

> Hi List,
>
> When I try to resolve a TXT record for cleanmail4.capgeminioutsourcing.nl,
> I get a SERVFAIL. Asking Google seems to work, though:
>
> rndc flush
>
> dig TXT cleanmail4.capgeminioutsourcing.nl @localhost
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> TXT cleanmail4.capgeminioutsourcing.nl
> @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3652
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;cleanmail4.capgeminioutsourcing.nl. IN    TXT
>
> ;; Query time: 176 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Wed Jun 26 07:57:59 CDT 2019
> ;; MSG SIZE  rcvd: 63
>
> named -v
> BIND 9.10.3-P4-Debian <id:ebd72b3>
>
> This shows up in the log:
>
> fetch completed at ../../../lib/dns/resolver.c:5082 for
> cleanmail4.capgeminioutsourcing.nl/TXT in 0.176478: ran out of
> space/success [domain:capgeminioutsourcing.nl
> ,referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
>
> BIND is running in a Debian 9 VM in default config. I spun up that VM
> after we discovered a BIND machine elsewhere with the same problem.
>
> Google gives an answer:
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> TXT cleanmail4.capgeminioutsourcing.nl @
> 8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58950
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;cleanmail4.capgeminioutsourcing.nl. IN    TXT
>
> ;; AUTHORITY SECTION:
> capgeminioutsourcing.nl. 899    IN    SOA    ns1.capgeminioutsourcing.nl.
> dns\.bnl.capgemini.com. 189324 28800 2880 2419200 900
>
> ;; Query time: 45 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jun 26 08:04:51 CDT 2019
> ;; MSG SIZE  rcvd: 124
>
> There is no record but Google does not fail. I've checked the SOA and can
> resolve the NS records. I'm overlooking something, but what?
>
>
>
> Cheers,
>
> Dennis
>
>
>
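
Added example, not part of either message and not BIND's own code: a parser for the "fetch completed" resolver log entry quoted above, which undoes the mail quoting and wrapping and reports which of the entry's own result strings and counters are non-zero. It assumes the two slash-separated strings are the fetch result and the validation result, in that order; the function names are hypothetical.

```python
import re

# The entry as quoted in the message above: mail-wrapped and "> "-prefixed.
QUOTED_LOG = """\
> fetch completed at ../../../lib/dns/resolver.c:5082 for
> cleanmail4.capgeminioutsourcing.nl/TXT in 0.176478: ran out of
> space/success [domain:capgeminioutsourcing.nl
> ,referral:2,restart:1,qrysent:2,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

FETCH_RE = re.compile(
    r"fetch completed at (?P<src>\S+):(?P<line>\d+) for (?P<name>[^/\s]+)/(?P<rtype>\S+)"
    r" in (?P<secs>\d+\.\d+): (?P<result>[^/]+)/(?P<vresult>[^\[]+?) \[(?P<fields>[^\]]+)\]"
)
UPSTREAM = ("timeout", "lame", "neterr", "badresp", "adberr", "findfail")

def unwrap(text):
    """Drop '> ' quote prefixes and rejoin lines the mail client wrapped."""
    parts = [re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines()]
    joined = " ".join(p for p in parts if p)
    # Wrapping can split the bracketed counter list; close up around its commas.
    return re.sub(r"\s*,\s*", ",", joined)

def parse_fetch_completed(text):
    """Return the entry's fields as a dict, or None if no entry is present."""
    m = FETCH_RE.search(unwrap(text))
    if m is None:
        return None
    rec = m.groupdict()
    fields = dict(f.split(":", 1) for f in rec.pop("fields").split(","))
    rec["domain"] = fields.pop("domain")
    rec["counters"] = {k: int(v) for k, v in fields.items()}
    return rec

def triage(rec):
    """List what the entry itself records; this does not identify a root cause."""
    notes = []
    if rec["result"] != "success":
        notes.append("fetch result: " + rec["result"])
    # Assumption: second result string is the validation result.
    if rec["vresult"] != "success" or rec["counters"]["valfail"]:
        notes.append("validation failure recorded")
    nonzero = [k for k in UPSTREAM if rec["counters"][k]]
    if nonzero:
        notes.append("upstream errors: " + ",".join(nonzero))
    return notes

if __name__ == "__main__":
    rec = parse_fetch_completed(QUOTED_LOG)
    print(rec["name"], rec["rtype"], rec["counters"])
    for note in triage(rec):
        print("-", note)
```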