<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 6/22/2011 7:26 AM, Eric Yiu wrote:
<blockquote
cite="mid:BANLkTimv2Cm_LwwORkXkD8GdNqXeSzDdrg@mail.gmail.com"
type="cite">Hi,<br>
<br>
I am using BIND 9.7.3-P1 on Solaris 10 x86. I notice that<br>
sometimes our BIND server will reply SERVFAIL when querying<br>
a zone, <a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>,
which is expiring, while this<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>
has only a 60 sec cache lifetime, e.g.<br>
<br>
> /usr/local/bin/dig a <a moz-do-not-send="true"
href="http://aws.amazon.com">aws.amazon.com</a><br>
<br>
; <<>> DiG 9.7.3-P1 <<>> a <a
moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
26307<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
1<br>
<br>
;; QUESTION SECTION:<br>
;<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
1 IN A 72.21.210.163<br>
<br>
;; AUTHORITY SECTION:<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-932.amazon.com">ns-932.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-931.amazon.com">ns-931.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-912.amazon.com">ns-912.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-923.amazon.com">ns-923.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-911.amazon.com">ns-911.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6517 IN NS <a moz-do-not-send="true"
href="http://ns-921.amazon.com">ns-921.amazon.com</a>.<br>
<br>
;; ADDITIONAL SECTION:<br>
<a moz-do-not-send="true" href="http://ns-911.amazon.com">ns-911.amazon.com</a>.
3108 IN A 207.171.178.13<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:30 2011<br>
;; MSG SIZE rcvd: 190<br>
<br>
> /usr/local/bin/dig a <a moz-do-not-send="true"
href="http://aws.amazon.com">aws.amazon.com</a><br>
<br>
; <<>> DiG 9.7.3-P1 <<>> a <a
moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
<b>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 20884<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0</b><br>
<br>
;; QUESTION SECTION:<br>
;<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
IN A<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:31 2011<br>
;; MSG SIZE rcvd: 32<br>
<br>
> /usr/local/bin/dig a <a moz-do-not-send="true"
href="http://aws.amazon.com">aws.amazon.com</a><br>
<br>
; <<>> DiG 9.7.3-P1 <<>> a <a
moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
47970<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
1<br>
<br>
;; QUESTION SECTION:<br>
;<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
60 IN A 72.21.210.163<br>
<br>
;; AUTHORITY SECTION:<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-932.amazon.com">ns-932.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-911.amazon.com">ns-911.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-912.amazon.com">ns-912.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-931.amazon.com">ns-931.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-921.amazon.com">ns-921.amazon.com</a>.<br>
<a moz-do-not-send="true" href="http://aws.amazon.com">aws.amazon.com</a>.
6516 IN NS <a moz-do-not-send="true"
href="http://ns-923.amazon.com">ns-923.amazon.com</a>.<br>
<br>
;; ADDITIONAL SECTION:<br>
<a moz-do-not-send="true" href="http://ns-911.amazon.com">ns-911.amazon.com</a>.
3107 IN A 207.171.178.13<br>
<br>
;; Query time: 229 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:31 2011<br>
;; MSG SIZE rcvd: 190<br>
<br>
</blockquote>
I couldn't really see anything that would explain the SERVFAIL. Each
of those "nameservers" appears to be a load-balancer of some sort.
When queried individually for aws.amazon.com/A, they give a
diversity of answers, implying that they are attempting some form of
"DNS geolocation". None of them seem bothered by EDNS0 or DNSSEC
stuff (most likely they're completely oblivious). When queried
individually for aws.amazon.com/NS, all of them except for one
return a single NS record with their own name in the RDATA. The only
exception I saw was ns-912.amazon.com, which returned
ns-945.amazon.com. But, I don't think that's the cause of the
SERVFAIL, since ns-945.amazon.com answers authoritatively for the
name, even though it's not one of the delegated nameservers for the
zone.<br>
<br>
Time to look at logs, run named in debug mode and/or fire up a
packet tracer and see what's really going on. Possibly something
between you and the amazon.com nameservers is mangling or blocking
packets.<br>
<br>
- Kevin<br>
<br>
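One way to carry out the per-nameserver comparison Kevin describes (query every delegated server on its own for the zone's NS set and the A record, then flag servers that do not answer, NS sets that disagree with the delegation, undelegated names such as the ns-945 case, and differing A answers), as an added example that is not code from this thread. It assumes BIND's dig is on PATH; the sample data in the main block is constructed to mirror the thread's delegation and uses TEST-NET addresses, not captured amazon.com data.<br>

```python
import subprocess
from typing import Dict, Set


def dig_short(server: str, name: str, rtype: str, timeout: int = 5) -> Set[str]:
    """Query one server non-recursively and return its RDATA set, lower-cased
    and without trailing dots. SERVFAIL or timeout gives an empty set: dig
    +short prints nothing on SERVFAIL and only a ';;' comment on timeout."""
    cmd = ["dig", "+short", "+norecurse", "+tries=1", f"+time={timeout}",
           f"@{server}", name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 3)
    return {line.strip().rstrip(".").lower() for line in out.stdout.splitlines()
            if line.strip() and not line.startswith(";")}


def analyze(delegated: Set[str], ns_answers: Dict[str, Set[str]],
            a_answers: Dict[str, Set[str]]) -> dict:
    """Compare each delegated server's answers with the parent delegation.
    Both maps go server name -> RDATA set; an empty set means no answer."""
    unresponsive = {s for s in delegated
                    if not ns_answers.get(s) and not a_answers.get(s)}
    # Servers whose NS set differs from the delegation (in the thread every
    # server returned just itself, a one-element set).
    ns_disagree = {s: ns_answers.get(s, set()) for s in delegated
                   if s not in unresponsive and ns_answers.get(s, set()) != delegated}
    # Names offered as NS that the parent never delegated (the ns-945 case).
    undelegated = set().union(*ns_answers.values()) - delegated
    # Count distinct A answer sets: more than one means the servers hand out
    # differing (geolocation-style) answers rather than one stale copy.
    a_variants = {frozenset(v) for v in a_answers.values() if v}
    return {"unresponsive": unresponsive, "ns_disagree": ns_disagree,
            "undelegated": undelegated, "a_variants": len(a_variants)}


if __name__ == "__main__":
    # Constructed sample mirroring the thread's delegation (TEST-NET addresses,
    # not captured amazon.com data). For a live run replace the two dicts with
    # {s: dig_short(s, "aws.amazon.com", "NS") for s in DELEGATED} and likewise for "A".
    DELEGATED = {f"ns-{n}.amazon.com" for n in (911, 912, 921, 923, 931, 932)}
    ns = {s: {s} for s in DELEGATED}
    ns["ns-912.amazon.com"] = {"ns-945.amazon.com"}
    a = {s: {"192.0.2.1"} for s in DELEGATED}
    a["ns-921.amazon.com"] = {"192.0.2.2"}
    for key, value in analyze(DELEGATED, ns, a).items():
        print(f"{key}: {value}")
```

A server listed under "unresponsive" is the one to point a packet capture at, as Kevin suggests; an "ns_disagree" entry that only names the server itself is the load-balancer behaviour described above, not a fault by itself.<br>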
</body>
</html>