<br>Hi,<br><br>I tried debug level 2 on query-errors and<br>got this result:<br><br>23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for <a href="http://aws.amazon.com/IN/A">aws.amazon.com/IN/A</a> at query.c:4651<br>
<br>23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for <a href="http://aws.amazon.com/A">aws.amazon.com/A</a> in 0.000073: out of memory/success [domain:<a href="http://aws.amazon.com">aws.amazon.com</a>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]<br>
<br><br>Is it because we limit the memory usage in named.conf?<br><br>max-cache-size          1610612736;<br><br>Eric<br><br><div class="gmail_quote">On Thu, Jun 23, 2011 at 5:25 AM, Kevin Darcy <span dir="ltr"><<a href="mailto:kcd@chrysler.com">kcd@chrysler.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
  <div bgcolor="#ffffff" text="#000000"><div><div></div><div class="h5">
    On 6/22/2011 7:26 AM, Eric Yiu wrote:
    <blockquote type="cite">Hi,<br>
      <br>
      I am using bind9.7.3-P1 with solaris10x86.  I notice that<br>
      sometimes our bind server will reply SERVFAIL when querying<br>
      a zone <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>
      which is expiring, while this<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>
      has only a 60sec cache lifetime, e.g.<br>
      <br>
      > /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      <br>
      ; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      ;; global options: +cmd<br>
      ;; Got answer:<br>
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
      26307<br>
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
      1<br>
      <br>
      ;; QUESTION SECTION:<br>
      ;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
                             IN      A<br>
      <br>
      ;; ANSWER SECTION:<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              1       IN      A       72.21.210.163<br>
      <br>
      ;; AUTHORITY SECTION:<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-932.amazon.com" target="_blank">ns-932.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-931.amazon.com" target="_blank">ns-931.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-923.amazon.com" target="_blank">ns-923.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
              6517    IN      NS      <a href="http://ns-921.amazon.com" target="_blank">ns-921.amazon.com</a>.<br>
      <br>
      ;; ADDITIONAL SECTION:<br>
      <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.
           3108    IN      A       207.171.178.13<br>
      <br>
      ;; Query time: 0 msec<br>
      ;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
      ;; WHEN: Wed Jun 22 18:59:30 2011<br>
      ;; MSG SIZE  rcvd: 190<br>
      <br>
      > /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      <br>
      ; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      ;; global options: +cmd<br>
      ;; Got answer:<br>
      <b>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
        id: 20884<br>
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
        ADDITIONAL: 0</b><br>
      <br>
      ;; QUESTION SECTION:<br>
      ;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.
                             IN      A<br>
      <br>
      ;; Query time: 0 msec<br>
      ;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
      ;; WHEN: Wed Jun 22 18:59:31 2011<br>
      ;; MSG SIZE  rcvd: 32<br>
      <br>
      > /usr/local/bin/dig a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      <br>
      ; <<>> DiG 9.7.3-P1 <<>> a <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a><br>
      ;; global options: +cmd<br>
      ;; Got answer:<br>
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
      47970<br>
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL:
      1<br>
      <br>
      ;; QUESTION SECTION:<br>
      ;<a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.                       
      IN      A<br>
      <br>
      ;; ANSWER SECTION:<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      60      IN      A       72.21.210.163<br>
      <br>
      ;; AUTHORITY SECTION:<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-932.amazon.com" target="_blank">ns-932.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-931.amazon.com" target="_blank">ns-931.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-921.amazon.com" target="_blank">ns-921.amazon.com</a>.<br>
      <a href="http://aws.amazon.com" target="_blank">aws.amazon.com</a>.        
      6516    IN      NS      <a href="http://ns-923.amazon.com" target="_blank">ns-923.amazon.com</a>.<br>
      <br>
      ;; ADDITIONAL SECTION:<br>
      <a href="http://ns-911.amazon.com" target="_blank">ns-911.amazon.com</a>.     
      3107    IN      A       207.171.178.13<br>
      <br>
      ;; Query time: 229 msec<br>
      ;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
      ;; WHEN: Wed Jun 22 18:59:31 2011<br>
      ;; MSG SIZE  rcvd: 190<br>
      <br>
    </blockquote></div></div>
    I couldn't really see anything that would explain the SERVFAIL. Each
    of those "nameservers" appears to be a load-balancer of some sort.
    When queried individually for <a href="http://aws.amazon.com/A" target="_blank">aws.amazon.com/A</a>, they give a
    diversity of answers, implying that they are attempting some form of
    "DNS geolocation". None of them seem bothered by EDNS0 or DNSSEC
    stuff (most likely they're completely oblivious). When queried
    individually for <a href="http://aws.amazon.com/NS" target="_blank">aws.amazon.com/NS</a>, all of them except for one
    return a single NS record with their own name in the RDATA. The only
    exception I saw was <a href="http://ns-912.amazon.com" target="_blank">ns-912.amazon.com</a>, which returned
    <a href="http://ns-945.amazon.com" target="_blank">ns-945.amazon.com</a>. But, I don't think that's the cause of the
    SERVFAIL, since <a href="http://ns-945.amazon.com" target="_blank">ns-945.amazon.com</a> answers authoritatively for the
    name, even though it's not one of the delegated nameservers for the
    zone.<br>
    <br>
    Time to look at logs, run named in debug mode and/or fire up a
    packet tracer and see what's really going on. Possibly something
    between you and the <a href="http://amazon.com" target="_blank">amazon.com</a> nameservers is mangling or blocking
    packets.<br>
    <br>
    - Kevin<br>
    <br>
  </div>

<br>_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br></blockquote></div><br>
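Eric's two log lines are the "query failed" and "fetch completed" forms of BIND's query-errors category. The following is an added example, not code from this thread or from ISC: a small Python parser that reads such lines, turns the bracketed counters into a dict, and pairs each client-visible SERVFAIL with the fetch record for the same name, so that the fetch result ("out of memory/success" here) and the qrysent count sit next to the failure. The sample log is constructed: it holds the two lines from the thread with the mail client's link markup removed, plus an invented successful fetch for the placeholder name www.example.net. Whether max-cache-size explains that result is a question the thread leaves open; the script only lines up the evidence.

```python
"""Added example: parse BIND 9 'query-errors' debug lines and pair each
client-visible SERVFAIL with the resolver's fetch-completion record."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log: the two lines quoted in the thread (link markup
# removed) plus one invented successful fetch for a placeholder name.
SAMPLE_LOG = """\
23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for aws.amazon.com/IN/A at query.c:4651
23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for aws.amazon.com/A in 0.000073: out of memory/success [domain:aws.amazon.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
23-Jun-2011 09:57:40.001 query-errors: debug 2: fetch completed at resolver.c:3103 for www.example.net/A in 0.231000: success/success [domain:example.net,referral:2,restart:0,qrysent:3,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

QUERY_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) query-errors: debug \d+: client (?P<client>\S+): "
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<qname>\S+) at (?P<where>\S+)$"
)
FETCH_DONE = re.compile(
    r"^(?P<ts>\S+ \S+) query-errors: debug \d+: fetch completed at (?P<where>\S+) "
    r"for (?P<qname>\S+) in (?P<secs>[0-9.]+): (?P<result>[^/]+)/(?P<vresult>\S+) "
    r"\[(?P<counters>[^\]]*)\]$"
)


def _normalize_qname(qname: str) -> str:
    """'query failed' logs name/class/type, 'fetch completed' logs name/type.
    Drop the class so both spellings of the same lookup compare equal."""
    parts = qname.split("/")
    return f"{parts[0]}/{parts[2]}" if len(parts) == 3 else qname


def parse_line(line: str) -> Optional[Dict]:
    """Return a record dict for a recognised line, or None for anything else."""
    m = QUERY_FAILED.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "query_failed"
    else:
        m = FETCH_DONE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["kind"] = "fetch_completed"
        rec["secs"] = float(rec["secs"])
        # "domain:aws.amazon.com,referral:0,..." -> dict, numeric values as int
        counters = {}
        for item in rec.pop("counters").split(","):
            key, _, value = item.partition(":")
            counters[key] = int(value) if value.isdigit() else value
        rec["counters"] = counters
    rec["qname"] = _normalize_qname(rec["qname"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def parse_log(text: str) -> List[Dict]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def correlate(records: List[Dict]) -> List[Dict]:
    """Pair each 'query failed' with the fetch completion for the same qname
    whose timestamp is closest (the debug-1 line can precede the debug-2 line,
    as it does in the thread). qrysent == 0 means the fetch ended without a
    single upstream query being sent, i.e. it failed inside the resolver
    rather than on the network or at the authoritative servers."""
    fetches: Dict[str, List[Dict]] = {}
    for r in records:
        if r["kind"] == "fetch_completed":
            fetches.setdefault(r["qname"], []).append(r)
    pairs = []
    for r in records:
        if r["kind"] != "query_failed":
            continue
        candidates = fetches.get(r["qname"], [])
        fetch = min(candidates, default=None,
                    key=lambda f: abs((f["ts"] - r["ts"]).total_seconds()))
        pairs.append({
            "client": r["client"],
            "qname": r["qname"],
            "rcode": r["rcode"],
            "fetch_result": fetch["result"] if fetch else None,
            "fetch_vresult": fetch["vresult"] if fetch else None,
            "elapsed": fetch["secs"] if fetch else None,
            "qrysent": fetch["counters"]["qrysent"] if fetch else None,
            "no_upstream_query": bool(fetch) and fetch["counters"].get("qrysent") == 0,
        })
    return pairs


if __name__ == "__main__":
    for pair in correlate(parse_log(SAMPLE_LOG)):
        print(pair)
```

Run against a real named log with `parse_log(open(path).read())`; the pairs whose `no_upstream_query` flag is set are the ones to take to the resolver's own configuration and memory accounting rather than to a packet trace.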
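Kevin's check, asking each delegated nameserver individually for the A and NS records and comparing what comes back, as an added Python example (not code from this thread or from ISC). `query_each` shells out to dig and needs network access; the classification and comparison functions are exercised here on constructed answer sets that mirror what Kevin describes: every server returning only its own name for aws.amazon.com/NS except ns-912, which returned ns-945. The A-record values other than 72.21.210.163 are constructed placeholders from the documentation range.

```python
"""Added example: query each delegated nameserver directly and compare the
answers, looking for disagreement and for self-referential NS sets."""
import subprocess
from typing import Dict, List, Set

# The six NS names from Eric's dig output.
DELEGATED_NS = [
    "ns-911.amazon.com", "ns-912.amazon.com", "ns-921.amazon.com",
    "ns-923.amazon.com", "ns-931.amazon.com", "ns-932.amazon.com",
]

# Constructed NS answers matching Kevin's description: each server names only
# itself, except ns-912, which returned ns-945.
SAMPLE_NS_ANSWERS: Dict[str, Set[str]] = {ns: {ns} for ns in DELEGATED_NS}
SAMPLE_NS_ANSWERS["ns-912.amazon.com"] = {"ns-945.amazon.com"}

# Constructed A answers: 72.21.210.163 is from the thread, 192.0.2.44 is a
# placeholder standing in for a different geolocation-dependent answer.
SAMPLE_A_ANSWERS: Dict[str, Set[str]] = {
    "ns-911.amazon.com": {"72.21.210.163"},
    "ns-912.amazon.com": {"192.0.2.44"},
    "ns-921.amazon.com": {"72.21.210.163"},
    "ns-923.amazon.com": {"192.0.2.44"},
    "ns-931.amazon.com": {"72.21.210.163"},
    "ns-932.amazon.com": {"72.21.210.163"},
}


def query_each(name: str, rrtype: str, servers: List[str]) -> Dict[str, Set[str]]:
    """Ask every server directly with a non-recursive dig; returns server -> RDATA set.
    Needs a dig binary and network access; the offline checks use the constructed data."""
    answers: Dict[str, Set[str]] = {}
    for ns in servers:
        proc = subprocess.run(
            ["dig", "+short", "+norecurse", "+time=3", "+tries=1", f"@{ns}", name, rrtype],
            capture_output=True, text=True, timeout=15, check=False)
        answers[ns] = {l.strip().rstrip(".") for l in proc.stdout.splitlines() if l.strip()}
    return answers


def classify_ns_answers(ns_answers: Dict[str, Set[str]], delegated: List[str]) -> Dict[str, str]:
    """Per server: 'self' if its NS answer names only itself, 'delegation' if it
    returns the full delegated set, 'empty' if nothing came back, otherwise
    'other:<names>' listing what it returned instead."""
    full = set(delegated)
    out: Dict[str, str] = {}
    for ns, rdata in ns_answers.items():
        if not rdata:
            out[ns] = "empty"
        elif rdata == {ns}:
            out[ns] = "self"
        elif rdata == full:
            out[ns] = "delegation"
        else:
            out[ns] = "other:" + ",".join(sorted(rdata))
    return out


def disagreement(answers: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Group servers by the exact answer set they gave; more than one group
    means the servers disagree, as Kevin saw for aws.amazon.com/A."""
    groups: Dict[str, List[str]] = {}
    for ns, rdata in answers.items():
        groups.setdefault(",".join(sorted(rdata)) or "<empty>", []).append(ns)
    return groups


def servers_disagree(answers: Dict[str, Set[str]]) -> bool:
    return len(disagreement(answers)) > 1


if __name__ == "__main__":
    # Live run (network required):
    #   classify_ns_answers(query_each("aws.amazon.com", "NS", DELEGATED_NS), DELEGATED_NS)
    print(classify_ns_answers(SAMPLE_NS_ANSWERS, DELEGATED_NS))
    print(disagreement(SAMPLE_A_ANSWERS))
```

A server that answers "self" for the zone's NS set is not by itself wrong, but a set of servers that each claim to be the only nameserver, combined with A answers that differ per server, is the pattern Kevin attributes to load balancers doing geolocation; the output makes that visible at a glance before reaching for a packet trace.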