<br>Hi,<br><br>I tried to go debug level 2 on query-errors and<br>have the result:<br><br>23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for <a href="http://aws.amazon.com/IN/A">aws.amazon.com/IN/A</a> at query.c:4651<br>
<br>23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for <a href="http://aws.amazon.com/A">aws.amazon.com/A</a> in 0.000073: out of memory/success [domain:<a href="http://aws.amazon.com">aws.amazon.com</a>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]<br>
<br><br>Is it because we limit the memory usage at named.conf?<br><br>max-cache-size 1610612736;<br><br>Eric<br><br><div class="gmail_quote">On Thu, Jun 23, 2011 at 5:25 AM, Kevin Darcy <span dir="ltr"><<a href="mailto:kcd@chrysler.com">kcd@chrysler.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><u></u>
<div bgcolor="#ffffff" text="#000000"><div><div></div><div class="h5">
On 6/22/2011 7:26 AM, Eric Yiu wrote:
<blockquote type="cite">Hi,<br>
<br>
I am using bind9.7.3-P1 with solaris10x86. I notice that<br>
sometimes our bind server will reply servfail when querying<br>
a zone <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>
which is expiring, while this<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>
only 60sec cache lifetime, eg.<br>
<br>
> /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
<br>
; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
26307<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
1<br>
<br>
;; QUESTION SECTION:<br>
;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
1 IN A 72.21.210.163<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-932.amazon.com" target="_blank">ns-932.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-931.amazon.com" target="_blank">ns-931.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-923.amazon.com" target="_blank">ns-923.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6517 IN NS <a href="http://ns-921.amazon.com" target="_blank">ns-921.amazon.com</a>.<br>
<br>
;; ADDITIONAL SECTION:<br>
<a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.
3108 IN A 207.171.178.13<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:30 2011<br>
;; MSG SIZE rcvd: 190<br>
<br>
> /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
<br>
; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
<b>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 20884<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0</b><br>
<br>
;; QUESTION SECTION:<br>
;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
IN A<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:31 2011<br>
;; MSG SIZE rcvd: 32<br>
<br>
> /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
^[[A<br>
; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
47970<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
1<br>
<br>
;; QUESTION SECTION:<br>
;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
60 IN A 72.21.210.163<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-932.amazon.com" target="_blank">ns-932.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-931.amazon.com" target="_blank">ns-931.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-921.amazon.com" target="_blank">ns-921.amazon.com</a>.<br>
<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
6516 IN NS <a href="http://ns-923.amazon.com" target="_blank">ns-923.amazon.com</a>.<br>
<br>
;; ADDITIONAL SECTION:<br>
<a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.
3107 IN A 207.171.178.13<br>
<br>
;; Query time: 229 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Jun 22 18:59:31 2011<br>
;; MSG SIZE rcvd: 190<br>
<br>
</blockquote></div></div>
I couldn't really see anything that would explain the SERVFAIL. Each
of those "nameservers" appears to be a load-balancer of some sort.
When queried individually for <a href="http://aws.amazon.com/A" target="_blank">aws.amazon.com/A</a>, they give a
diversity of answers, implying that they are attempting some form of
"DNS geolocation". None of them seem bothered by EDNS0 or DNSSEC
stuff (most likely they're completely oblivious). When queried
individually for <a href="http://aws.amazon.com/NS" target="_blank">aws.amazon.com/NS</a>, all of them except for one
return a single NS record with their own name in the RDATA. The only
exception I saw was <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>, which returned
<a href="http://ns-945.amazon.com" target="_blank">ns-945.amazon.com</a>. But, I don't think that's the cause of the
SERVFAIL, since <a href="http://ns-945.amazon.com" target="_blank">ns-945.amazon.com</a> answers authoritatively for the
name, even though it's not one of the delegated nameservers for the
zone.<br>
<br>
Time to look at logs, run named in debug mode and/or fire up a
packet tracer and see what's really going on. Possibly something
between you and the <a href="http://amazon.com" target="_blank">amazon.com</a> nameservers is mangling or blocking
packets.<br>
<br>
- Kevin<br>
<br>
</div>
<br>_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br></blockquote></div><br>