My bind 9.18.30 has many query-errors, turned on debug 3 but don't understand the debug log meaning

Cowbay cowbay2022 at box.phasebulk.cloudns.nz
Tue Sep 24 13:26:10 UTC 2024


Hi,

I found this kind of query-errors
   referral:1,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0
-----8<-----8<-----8<-----
Sep 24 20:22:23 cow named[8034]: queries: info: client @0x7fb13f0168 192.168.38.49#50058 (shavar.services.mozilla.com): query: shavar.services.mozilla.com IN A + (192.168.38.1)
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: shavar.services.mozilla.com/A
Sep 24 20:22:23 cow named[8034]: queries: info: client @0x7fb65ec168 192.168.38.49#62908 (content-signature-2.cdn.mozilla.net): query: content-signature-2.cdn.mozilla.net IN A + (192.168.38.1)
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: content-signature-2.cdn.mozilla.net/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: mozilla.net/NS
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: shavar.prod.mozaws.net/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: cdn.mozilla.net/NS
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: mozilla.net/DS
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: content-signature-chains.prod.autograph.services.mozaws.net/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: services.mozaws.net/NS
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: autograph.services.mozaws.net/NS
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-283.awsdns-35.com/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-283.awsdns-35.com/AAAA
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-631.awsdns-14.net/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-631.awsdns-14.net/AAAA
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1136.awsdns-14.org/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1136.awsdns-14.org/AAAA
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1973.awsdns-54.co.uk/A
Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1973.awsdns-54.co.uk/AAAA
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-495.awsdns-61.com/A
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-495.awsdns-61.com/AAAA
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-806.awsdns-36.net/A
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-806.awsdns-36.net/AAAA
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1483.awsdns-57.org/A
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1483.awsdns-57.org/AAAA
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1689.awsdns-19.co.uk/A
Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1689.awsdns-19.co.uk/AAAA
Sep 24 20:22:24 cow named[8034]: query-errors: info: client @0x7fb65ec168 192.168.38.49#62908 (content-signature-2.cdn.mozilla.net): query failed (SERVFAIL) for content-signature-2.cdn.mozilla.net/IN/A at query.c:7837
Sep 24 20:22:24 cow named[8034]: query-errors: debug 2: fetch completed at resolver.c:4144 for content-signature-chains.prod.autograph.services.mozaws.net/A in 0.551997: SERVFAIL/success [domain:prod.autograph.services.mozaws.net,referral:1,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
-----8<-----8<-----8<-----

According to the document[1], the resolver received 1 referral, tried 1 cycle, and sent at least one query. But I don't understand why the qrysent is 0.

This kind of query-errors would happen on other domains.

My environment is a Raspberry Pi 4 with old Debian 10 Linux. I downloaded the bind 9.18.30 source[2] and built it myself.
-----8<-----8<-----8<-----
$ /usr/local/sbin/named -V
BIND 9.18.30 (Extended Support Version) <id:cdc8d69>
running on Linux aarch64 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT 2022
built by make with  '--with-json-c' '--enable-dnstap' '--with-libxml2' '--without-lmdb' '--with-tuning=small' '--with-libidn2' '--sysconfdir=/etc/bind'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
linked to OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
compiled with libuv version: 1.24.1
linked to libuv version: 1.24.1
compiled with libnghttp2 version: 1.36.0
linked to libnghttp2 version: 1.36.0
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no

default paths:
   named configuration:  /etc/bind/named.conf
   rndc configuration:   /etc/bind/rndc.conf
   DNSSEC root key:      /etc/bind/bind.keys
   nsupdate session key: /usr/local/var/run/named/session.key
   named PID file:       /usr/local/var/run/named/named.pid
   named lock file:      /usr/local/var/run/named/named.lock
-----8<-----8<-----8<-----

I downloaded and built the new version of bind because the Debian one is old and had many query errors for years. I thought the newer bind could solve the query errors, but it does not seem to solve the problems. I'll continue to look for the problems in my environment.

By the way, there is a typo in the document[1]: the log example is "for www.example.com/A" but the text below it says "recursive resolution for AAAA record of www.example.com".

[1] https://downloads.isc.org/isc/bind9/9.18.30/doc/arm/Bv9ARM.pdf Chapter 8, page 108.
[2] https://downloads.isc.org/isc/bind9/9.18.30/bind-9.18.30.tar.xz
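
An added example, not part of the original post or of BIND: a small Python parser for the `fetch completed` query-errors line quoted above, which splits the bracketed field list into named counters and lists fetches that failed while reporting `qrysent:0`. The function names are hypothetical, and the two sample lines are copied from the log in the post.

```python
import re

# Matches the query-errors "fetch completed" line as it appears in the post.
FETCH_RE = re.compile(
    r"fetch completed at (?P<src>\S+) for (?P<name>\S+)/(?P<rrtype>[A-Z0-9]+) "
    r"in (?P<secs>\d+\.\d+): (?P<result>[^/]+)/(?P<vresult>[^\[]+?) "
    r"\[(?P<fields>[^\]]*)\]"
)

def parse_fetch(line):
    """Return a dict for a 'fetch completed' line, or None for any other line."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("src", "name", "rrtype", "result", "vresult")}
    rec["secs"] = float(m.group("secs"))
    rec["counters"] = {}
    for item in m.group("fields").split(","):
        key, _, value = item.partition(":")
        if key == "domain":
            # 'domain' is a name; every other field is an integer counter.
            rec["domain"] = value
        elif value.isdigit():
            rec["counters"][key] = int(value)
    return rec

def nonzero_counters(rec):
    """Only the counters that fired during this fetch."""
    return {k: v for k, v in rec["counters"].items() if v}

def failed_without_queries(lines):
    """Fetches whose result is not 'success' and that report qrysent:0."""
    out = []
    for line in lines:
        rec = parse_fetch(line)
        if rec and rec["result"] != "success" and rec["counters"].get("qrysent") == 0:
            out.append(rec)
    return out

# Sample input: the last two log lines from the post, copied verbatim.
SAMPLE = [
    "Sep 24 20:22:24 cow named[8034]: query-errors: info: client @0x7fb65ec168 192.168.38.49#62908 (content-signature-2.cdn.mozilla.net): query failed (SERVFAIL) for content-signature-2.cdn.mozilla.net/IN/A at query.c:7837",
    "Sep 24 20:22:24 cow named[8034]: query-errors: debug 2: fetch completed at resolver.c:4144 for content-signature-chains.prod.autograph.services.mozaws.net/A in 0.551997: SERVFAIL/success [domain:prod.autograph.services.mozaws.net,referral:1,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]",
]
```

Feeding a whole log file to `failed_without_queries` and grouping the results by `rec["domain"]` shows whether the pattern is tied to particular zones.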


