<div dir="ltr">One of the most useful initial steps in troubleshooting is to establish your ability to reproduce the error.<div><br></div><div>So, I'd look at getting to the command-line of the originating resolver, if possible, and using a command-line tool like "dig" to generate queries towards the intended target and see if you get the same SERVFAIL result. In order to *exactly* replicate the queries, however, you need to understand what "+E(0)K" in the log means. That's recursive-desired (the default for a query generated by a command-line tool like "dig"), EDNS0 and a DNSCOOKIE requested. Supposedly, modern versions of "dig" will set EDNS0 and DNSCOOKIE by default, so you might be lucky and a straight "dig" with no special options will replicate the error. If not, you may need to get your hands on a more modern version of "dig", or use another tool.</div><div><br></div><div>Once you've replicated the error, then start changing things. I'd start with turning EDNS0 and/or DNSCOOKIE on and off. Both of those are relatively "modern" extensions to DNS (at least, compared to the "classic" DNS of RFCs 1034 and 1035) and it's possible that the responding server just doesn't deal with them properly.</div><div><br></div><div>With EDNS0, there are different buffer sizes that could, hypothetically, be tried. But, unless you've tuned that specifically in named.conf, it's should be the case that the "dig" default is the same as the "named" one, so it's unlikely that changing buffer size will produce any change in behavior. It's possible, I suppose...</div><div><br></div><div>If you can't get any change of behavior by twiddling those things, then one would have to delve deeper. But I won't make this post any longer than it already is :-) That should be enough to get you started...</div><div><br></div><div> - Kevin</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Oct 1, 2018 at 3:34 PM Karol Babioch <<a href="mailto:karol@babioch.de">karol@babioch.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Am 01.10.18 um 21:10 schrieb Karol Babioch:<br>
> Do you have any suggestion / recommendation what I can do to narrow the<br>
> problem down? I already tried to increase the tracing and enabled query<br>
> logging, but I couldn't get to the bottom of things. What else can I do<br>
> here?<br>
<br>
as an additional data point, this is what I get with debugging (level 9):<br>
<br>
> 01-Oct-2018 21:25:52.976 query-errors: debug 1: client @0x7f89401d4c10 10.24.0.1#51206 (<a href="http://mail.babioch.de" rel="noreferrer" target="_blank">mail.babioch.de</a>): view internal: query failed (SERVFAIL) for <a href="http://mail.babioch.de/IN/A" rel="noreferrer" target="_blank">mail.babioch.de/IN/A</a> at query.c:10672<br>
> 01-Oct-2018 21:25:52.976 query-errors: debug 2: fetch completed at resolver.c:9094 for <a href="http://mail.babioch.de/A" rel="noreferrer" target="_blank">mail.babioch.de/A</a> in 0.030641: SERVFAIL/success [domain:<a href="http://babioch.de" rel="noreferrer" target="_blank">babioch.de</a>,referral:2,restart:0,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0,qminsteps:2]<br>
<br>
I really don't get it, the fetch completes just fine according to this<br>
(SERVFAIL/success). Also the querylog does not indicate what the issue is:<br>
<br>
> Okt 01 21:30:53 <a href="http://kvm1.babioch.de" rel="noreferrer" target="_blank">kvm1.babioch.de</a> named[17380]: client @0x7f15e8056140 10.24.0.1#58354 (<a href="http://mail.babioch.de" rel="noreferrer" target="_blank">mail.babioch.de</a>): view internal: query: <a href="http://mail.babioch.de" rel="noreferrer" target="_blank">mail.babioch.de</a> IN A +E(0)K (10.24.0.1)<br>
> Okt 01 21:30:53 <a href="http://kvm1.babioch.de" rel="noreferrer" target="_blank">kvm1.babioch.de</a> named[17380]: client @0x7f15e8056140 10.24.0.1#58354 (<a href="http://mail.babioch.de" rel="noreferrer" target="_blank">mail.babioch.de</a>): view internal: query failed (SERVFAIL) for <a href="http://mail.babioch.de/IN/A" rel="noreferrer" target="_blank">mail.babioch.de/IN/A</a> at query.c:10672<br>
<br>
Can one of you BIND gurus see what's wrong here? What else can/should I<br>
try. I'm pretty much out of ideas for now.<br>
<br>
Thank you very much in advance!<br>
<br>
Best regards,<br>
Karol Babioch<br>
<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>