Can not get a lick of debug information for a slew of queries that are coming back SERVFAIL

The Gorf thegorf+bind9users at gmail.com
Tue Apr 22 08:27:11 UTC 2025 

bind version:BIND 9.18.33-1~deb12u2-Debian (Extended Support Version) <id:>

So it's pretty simple. Im getting a ton of SERVFAILs randomly and I can
neither figure out why nor figure out how to get bind to give me debug
information about why. The documentation here:
https://kb.isc.org/docs/aa-01526
Hurts my head to read and references stuff that I can't figure out where in
the documentation it is to explain what it is.

I took the exact document on that page and switched everything to "debug"
and I have reset the server, rebooted the server, nothing. Here is the
exact one line bind produces in its logs for the query that is generating
the SERVFAIL:

22-Apr-2025 01:08:17.138 queries: info: client @0x7ffa3cb78168
192.168.8.104#47099 (ksc.wiki): query: ksc.wiki IN A + (10.30.160.20)

Nothing. And here is the query-errors file:
geoff at NS1:/var/log/named$ cat query-errors | grep -i wiki
geoff at NS1:/var/log/named$
zilch.

So. what am I doing wrong here? Why can't I get any debug info out of this?

logging {
     channel default_log {
          file "/var/log/named/default" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel auth_servers_log {
          file "/var/log/named/auth_servers" versions 100 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel dnssec_log {
          file "/var/log/named/dnssec" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel zone_transfers_log {
          file "/var/log/named/zone_transfers" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel ddns_log {
          file "/var/log/named/ddns" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel client_security_log {
          file "/var/log/named/client_security" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel rate_limiting_log {
          file "/var/log/named/rate_limiting" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel rpz_log {
          file "/var/log/named/rpz" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
     channel dnstap_log {
          file "/var/log/named/dnstap" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
//
// If you have the category ‘queries’ defined, and you don’t want query
logging
// by default, make sure you add option ‘querylog no;’ - then you can toggle
// query logging on (and off again) using command ‘rndc querylog’
//
     channel queries_log {
          file "/var/log/named/queries" versions 600 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
//
// This channel is dynamic so that when the debug level is increased using
// rndc while the server is running, extra information will be logged about
// failing queries.  Other debug information for other categories will be
// sent to the channel default_debug (which is also dynamic), but without
// affecting the regular logging.
//
     channel query-errors_log {
          file "/var/log/named/query-errors" versions 5 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity debug;
     };
//
// This is the default syslog channel, defined here for clarity.  You don’t
// have to use it if you prefer to log to your own channels.
// It sends to syslog’s daemon facility, and sends only logged messages
// of priority info and higher.
// (The options to print time, category and severity are non-default.)
//
     channel default_syslog {
          print-time yes;
          print-category yes;
          print-severity yes;
          syslog daemon;
          severity debug;
     };
//
// This is the default debug output channel, defined here for clarity.  You
// might want to redefine the output destination if it doesn’t fit with your
// local system administration plans for logging.  It is also a special
// channel that only produces output if the debug level is non-zero.
//
     channel default_debug {
          print-time yes;
          print-category yes;
          print-severity yes;
          file "named.run";
          severity debug;
     };
//
// Log routine stuff to syslog and default log:
//
     category default { default_syslog; default_debug; default_log; };
     category config { default_syslog; default_debug; default_log; };
     category dispatch { default_syslog; default_debug; default_log; };
     category network { default_syslog; default_debug; default_log; };
     category general { default_syslog; default_debug; default_log; };
//
// From BIND 9.12 and newer, you can direct zone load logging to another
// channel with the new zoneload logging category.  If this would be useful
// then firstly, configure the new channel, and then edit the line below
// to direct the category there instead of to syslog and default log:
//
     category zoneload { default_syslog; default_debug; default_log; };
//
// Log messages relating to what we got back from authoritative servers
during
// recursion (if lame-servers and edns-disabled are obscuring other messages
// they can be sent to their own channel or to null).  Sometimes these log
// messages will be useful to research why some domains don’t resolve or
// don’t resolve reliably
//
     category resolver { auth_servers_log; default_debug; };
     category cname { auth_servers_log; default_debug; };
     category delegation-only { auth_servers_log; default_debug; };
     category lame-servers { auth_servers_log; default_debug; };
     category edns-disabled { auth_servers_log; default_debug; };
//
// Log problems with DNSSEC:
//
     category dnssec { dnssec_log; default_debug; };
//
// Log together all messages relating to authoritative zone propagation
//
     category notify { zone_transfers_log; default_debug; };
     category xfer-in { zone_transfers_log; default_debug; };
     category xfer-out { zone_transfers_log; default_debug; };
//
// Log together all messages relating to dynamic updates to DNS zone data:
//
     category update{ ddns_log; default_debug; };
     category update-security { ddns_log; default_debug; };
//
// Log together all messages relating to client access and security.
// (There is an additional category ‘unmatched’ that is by default sent to
// null but which can be added here if you want more than the one-line
// summary that is logged for failures to match a view).
//
     category client{ client_security_log; default_debug; };
     category security { client_security_log; default_debug; };
//
// Log together all messages that are likely to be related to rate-limiting.
// This includes RRL (Response Rate Limiting) - usually deployed on
authoritative
// servers and fetches-per-server|zone.  Note that it does not include
// logging of changes for clients-per-query (which are logged in category
// resolver).  Also note that there may on occasions be other log messages
// emitted by the database category that don’t relate to rate-limiting
// behaviour by named.
//
     category rate-limit { rate_limiting_log; default_debug; };
     category spill { rate_limiting_log; default_debug; };
     category database { rate_limiting_log; default_debug; };
//
// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ
// then you may want to comment out this category and associated channel)
//
     category rpz { rpz_log; default_debug; };
//
// Log messages relating to the "dnstap" DNS traffic capture system  (if you
// are not using dnstap, then you may want to comment out this category and
// associated channel).
//
     category dnstap { dnstap_log; default_debug; };
//
// If you are running a server (for example one of the Internet root
// nameservers) that is providing RFC 5011 trust anchor updates, then you
// may be interested in logging trust anchor telemetry reports that your
// server receives to analyze anchor propagation rates during a key
rollover.
// If this would be useful then firstly, configure the new channel, and then
// un-comment and the line below to direct the category there instead of to
// syslog and default log:
//
//
     category trust-anchor-telemetry { default_syslog; default_debug;
default_log; };
//
// If you have the category ‘queries’ defined, and you don’t want query
logging
// by default, make sure you add option ‘querylog no;’ - then you can toggle
// query logging on (and off again) using command ‘rndc querylog’
//
     category queries { queries_log; };
//
// This logging category will only emit messages at debug levels of 1 or
// higher - it can be useful to troubleshoot problems where queries are
// resulting in a SERVFAIL response.
//
     category query-errors {query-errors_log; };
};
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250422/42dbee47/attachment-0001.htm>

More information about the bind-users mailing list