<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized email hosting system.  System info listed at the end of this message.  We are seeing intermittent but frequent issues resolving Microsoft records.  The hostnames are usually in the form of *.<a href="http://mail.protection.outlook.com" class="">mail.protection.outlook.com</a> or *.<a href="http://mail.eo.outlook.com" class="">mail.eo.outlook.com</a>.  They range from k-12/university organizations, small businesses, to large commercial companies.  Some examples follow:<div class=""><br class=""></div><div class="">03-May-2016 09:16:48.001 query-errors: debug 1: client 10.10.10.95#44080 (<a href="http://zulily-com.mail.protection.outlook.com" class="">zulily-com.mail.protection.outlook.com</a>): query failed (SERVFAIL) for <a href="http://zulily-com.mail.protection.outlook.com/IN/A" class="">zulily-com.mail.protection.outlook.com/IN/A</a> at query.c:7004<br class="">03-May-2016 09:16:48.002 query-errors: debug 2: fetch completed at resolver.c:3074 for <a href="http://zulily-com.mail.protection.outlook.com/A" class="">zulily-com.mail.protection.outlook.com/A</a> in 0.000067: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]</div><div class=""><br class=""></div><div class="">04-May-2016 09:32:38.498 query-errors: debug 1: client 10.10.10.95#44080 (<a href="http://hanes-com.mail.protection.outlook.com" class="">hanes-com.mail.protection.outlook.com</a>): query failed (SERVFAIL) for <a href="http://hanes-com.mail.protection.outlook.com/IN/A" class="">hanes-com.mail.protection.outlook.com/IN/A</a> at query.c:7004<br class="">04-May-2016 09:32:38.498 query-errors: debug 2: fetch completed at resolver.c:3074 for <a href="http://hanes-com.mail.protection.outlook.com/A" class="">hanes-com.mail.protection.outlook.com/A</a> in 0.004677: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]</div><div class=""><br class=""></div>04-May-2016 12:47:12.935 query-errors: debug 1: client 10.10.10.95#44080 (<a href="http://pitt-edu.mail.protection.outlook.com" class="">pitt-edu.mail.protection.outlook.com</a>): query failed (SERVFAIL) for <a href="http://pitt-edu.mail.protection.outlook.com/IN/A" class="">pitt-edu.mail.protection.outlook.com/IN/A</a> at query.c:7004<br class=""><div class="">04-May-2016 12:47:12.935 query-errors: debug 2: fetch completed at resolver.c:3074 for <a href="http://pitt-edu.mail.protection.outlook.com/A" class="">pitt-edu.mail.protection.outlook.com/A</a> in 0.000085: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]  </div><div class=""><br class=""></div><div class="">04-May-2016 12:47:30.918 query-errors: debug 1: client 10.10.10.96#48950 (<a href="http://mdfoodbank-org.mail.eo.outlook.com" class="">mdfoodbank-org.mail.eo.outlook.com</a>): query failed (SERVFAIL) for <a href="http://mdfoodbank-org.mail.eo.outlook.com/IN/A" class="">mdfoodbank-org.mail.eo.outlook.com/IN/A</a> at query.c:7004<br class="">04-May-2016 12:47:30.918 query-errors: debug 2: fetch completed at resolver.c:3074 for <a href="http://mdfoodbank-org.mail.eo.outlook.com/A" class="">mdfoodbank-org.mail.eo.outlook.com/A</a> in 0.000078: failure/success [domain:mail.eo.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]</div><div class=""><div class=""><br class=""></div><div class="">I have added config statements to send query-errors to dedicated files and increased debugging to 10 on that channel.  The referenced sections of resolver.c and query.c are as follows:</div><div class=""><br class=""></div><div class="">resolver.c</div><div class=""><br class=""></div><div class="">fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {<br class="">        isc_result_t result;<br class="">        dns_adbaddrinfo_t *addrinfo;<br class=""><br class="">        FCTXTRACE("try");<br class=""><br class="">        REQUIRE(!ADDRWAIT(fctx));<br class=""><br class="">        addrinfo = fctx_nextaddress(fctx);<br class="">        if (addrinfo == NULL) {<br class="">                /*<br class="">                 * We have no more addresses.  Start over.<br class="">                 */<br class="">                fctx_cancelqueries(fctx, ISC_TRUE);<br class="">                fctx_cleanupfinds(fctx);<br class="">                fctx_cleanupaltfinds(fctx);<br class="">                fctx_cleanupforwaddrs(fctx);<br class="">                fctx_cleanupaltaddrs(fctx);<br class="">                result = fctx_getaddresses(fctx, badcache);<br class="">                if (result == DNS_R_WAIT) {<br class="">                        /*<br class="">                         * Sleep waiting for addresses.<br class="">                         */<br class="">                        FCTXTRACE("addrwait");<br class="">                        fctx->attributes |= FCTX_ATTR_ADDRWAIT;<br class="">                        return;<br class="">                } else if (result != ISC_R_SUCCESS) {<br class="">                        /*<br class="">                         * Something bad happened.<br class="">                         */<br class="">                        fctx_done(fctx, result, __LINE__);</div><div class=""><br class=""></div><div class="">query.c</div><div class=""><br class=""></div><div class=""><br class="">                /*<br class="">                 * Switch to the new qname and restart.<br class="">                 */<br class="">                ns_client_qnamereplace(client, fname);<br class="">                fname = NULL;<br class="">                want_restart = ISC_TRUE;<br class="">                if (!WANTRECURSION(client))<br class="">                        options |= DNS_GETDB_NOLOG;<br class="">                goto addauth;<br class="">        default:<br class="">                /*<br class="">                 * Something has gone wrong.<br class="">                 */<br class="">                QUERY_ERROR(DNS_R_SERVFAIL);</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Does anyone know what these logged errors indicate or where I can research them further in the documentation?  So far my searches are coming up empty.  </div></div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Rob Heilman</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""># uname -a<br class="">Linux fe2 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) i686 GNU/Linux<br class=""># /usr/sbin/named -v<br class="">BIND 9.9.5-9+deb8u6-Debian (Extended Support Version)<br class="">#</div><div class="">sar reports average 1m load average under .5 and CPU idle over 90%.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>