Hello,

Having trouble resolving a name, hope someone can point me in the right direction. All my caching resolvers running "BIND 9.7.0-P2-RedHat-9.7.0-10.P2.el5_8.3" are returning ServFail for "www.solarwinds.com". For example:

---------------------------------------------------------
slava@rocks:/tmp$ dig @ns02 www.solarwinds.com

; <<>> DiG 9.8.1-P1 <<>> @ns02 www.solarwinds.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48232
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.solarwinds.com. IN A

;; Query time: 97 msec
;; SERVER: 10.220.8.18#53(10.220.8.18)
;; WHEN: Mon Jan 28 17:00:17 2013
;; MSG SIZE rcvd: 36
-----------------------------------------------------

Here is what the caching resolver (NS02, 10.220.8.18) does while it's trying to resolve my query:

[root@ns02 ~]# tcpdump -s0 -n -ieth0 '(host 74.115.14.18 or host 74.115.13.18 or host 10.220.219.101) and port 53'

17:02:36.947658 IP 10.220.219.101.40206 > 10.220.8.18.domain: 50911+ A? www.solarwinds.com. (36)
17:02:36.947891 IP 10.220.8.18.43935 > 74.115.14.18.domain: 3509 [1au] A? www.solarwinds.com. (47)
17:02:37.003775 IP 74.115.14.18.domain > 10.220.8.18.43935: 3509 1/0/1 A 74.115.13.20 (63)
17:02:37.004003 IP 10.220.8.18.31756 > 74.115.13.18.domain: 15333 [1au] A? www.solarwinds.com. (47)
17:02:37.040083 IP 74.115.13.18.domain > 10.220.8.18.31756: 15333 1/0/1 A 74.115.13.20 (63)
17:02:37.040338 IP 10.220.8.18.domain > 10.220.219.101.40206: 50911 ServFail 0/0/0 (36)

As you can see from the middle four packets, the server does get the "A" record response from the two name servers authoritative for "solarwinds.com". It, however, turns around and sends a ServFail back to the client (client ip: 10.220.219.101). The server will not cache the response either. What's interesting is that the two responses it gets from the supposedly authoritative servers do not have the "aa" set. I am assuming that is why the responses are rejected and not cached. Digging a bit deeper I also noticed that the two solarwinds servers are open resolvers and they also have an NS record for www.solarwinds.com delegating it to a pair of GSS devices.

Here is what lands in my caching resolver's cache:

------------------ from ns02 cache -----------------------
solarwinds.com. 172794 NS ns1.solarwinds.com.
                172794 NS ns2.solarwinds.com.
; authauthority
ns1.solarwinds.com. 594 \-AAAA ;-$NXRRSET
; solarwinds.com. SOA ns1.solarwinds.com. hostmaster.solarwinds.com. 659 900 600 28800 600
; glue
                172794 A 74.115.13.18
; authauthority
ns2.solarwinds.com. 594 \-AAAA ;-$NXRRSET
; solarwinds.com. SOA ns1.solarwinds.com. hostmaster.solarwinds.com. 659 900 600 28800 600
; glue
                172794 A 74.115.14.18

; ns2.solarwinds.com [v4 TTL 4] [v6 TTL 594] [v4 not_found] [v6 nxrrset]
; 74.115.14.18 [srtt 28267] [flags 00002000] [ttl 1794]
; ns1.solarwinds.com [v4 TTL 4] [v6 TTL 594] [v4 not_found] [v6 nxrrset]
; 74.115.13.18 [srtt 18606] [flags 00002000] [ttl 1794]
------------------------------ end cache snippet ------------------------

I tried the same query against two other bind servers (9.8.1-P1 and 9.7.3) and they have no problem using the non-authoritative answer they get from the two solarwinds servers. They will cache it and return it to the client.

Here are the options I have in named.conf on NS02:
notify yes;
check-names master ignore;
check-names slave ignore;
check-names response ignore;
max-ncache-ttl 600;
recursive-clients 20000;

Any hint on what might be broken here is appreciated.

Thank you,
Slava.
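
Added example, not part of the original post: a small Python check that reads the tcpdump lines quoted above and lists upstream replies that carry an answer without the AA flag. tcpdump prints `*` after the query ID when AA is set and `-` when RA is not set; the function names are hypothetical and only standard (opcode QUERY) replies are handled.

```python
import re

# The six tcpdump lines from the post, with the HTML link markup removed.
CAPTURE = """\
17:02:36.947658 IP 10.220.219.101.40206 > 10.220.8.18.domain: 50911+ A? www.solarwinds.com. (36)
17:02:36.947891 IP 10.220.8.18.43935 > 74.115.14.18.domain: 3509 [1au] A? www.solarwinds.com. (47)
17:02:37.003775 IP 74.115.14.18.domain > 10.220.8.18.43935: 3509 1/0/1 A 74.115.13.20 (63)
17:02:37.004003 IP 10.220.8.18.31756 > 74.115.13.18.domain: 15333 [1au] A? www.solarwinds.com. (47)
17:02:37.040083 IP 74.115.13.18.domain > 10.220.8.18.31756: 15333 1/0/1 A 74.115.13.20 (63)
17:02:37.040338 IP 10.220.8.18.domain > 10.220.219.101.40206: 50911 ServFail 0/0/0 (36)
"""

# Reply layout: "<src>.domain > <dst>.<port>: <id>[ rcode][flags] an/ns/ar".
# Flag characters after the id: "*" AA set, "-" RA not set, "|" TC, "$" AD.
RESPONSE = re.compile(
    r"IP (?P<src>[\d.]+)\.domain > (?P<dst>[\d.]+)\.\d+: (?P<id>\d+)"
    r"(?: (?P<rcode>[A-Za-z]\w*))?(?P<flags>[*|$-]*) (?P<an>\d+)/\d+/\d+"
)

def parse_responses(text):
    """Return one dict per DNS reply (source port 53) found in tcpdump text."""
    replies = []
    for line in text.splitlines():
        m = RESPONSE.search(line)
        if m:
            replies.append({
                "server": m["src"], "dst": m["dst"], "id": int(m["id"]),
                "rcode": m["rcode"] or "NoError",
                "aa": "*" in m["flags"], "ra": "-" not in m["flags"],
                "answers": int(m["an"]),
            })
    return replies

def non_authoritative_answers(text, resolver):
    """Servers whose replies to `resolver` contain answers but lack AA."""
    return [r["server"] for r in parse_responses(text)
            if r["dst"] == resolver and r["answers"] > 0 and not r["aa"]]

if __name__ == "__main__":
    for server in non_authoritative_answers(CAPTURE, "10.220.8.18"):
        print(f"{server}: answer without AA (RA set, so it behaves as a recursor)")
```
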