<div dir="ltr">"servfail-ttl 0" doesn't help.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">вт, 29 мар. 2022 г. в 18:16, Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The .by domain is kind of bonkers…<br>
<br>
Step 1: get nameservers for <a href="http://103.by" rel="noreferrer" target="_blank">103.by</a>:<br>
<br>
$ dig +noall +authority IN NS <a href="http://103.by" rel="noreferrer" target="_blank">103.by</a>. @<a href="http://a.root-servers.net" rel="noreferrer" target="_blank">a.root-servers.net</a><br>
by. 172800 IN NS <a href="http://dns1.tld.becloudby.com" rel="noreferrer" target="_blank">dns1.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns2.tld.becloudby.com" rel="noreferrer" target="_blank">dns2.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns3.tld.becloudby.com" rel="noreferrer" target="_blank">dns3.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns4.tld.becloudby.com" rel="noreferrer" target="_blank">dns4.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns5.tld.becloudby.com" rel="noreferrer" target="_blank">dns5.tld.becloudby.com</a>.<br>
<br>
Step 2: get nameservers for <a href="http://becloudy.com" rel="noreferrer" target="_blank">becloudy.com</a>:<br>
<br>
$ dig +noall +authority IN NS <a href="http://becloudby.com" rel="noreferrer" target="_blank">becloudby.com</a>. @<a href="http://a.root-servers.net" rel="noreferrer" target="_blank">a.root-servers.net</a><br>
com. 172800 IN NS <a href="http://e.gtld-servers.net" rel="noreferrer" target="_blank">e.gtld-servers.net</a>.<br>
com. 172800 IN NS <a href="http://b.gtld-servers.net" rel="noreferrer" target="_blank">b.gtld-servers.net</a>.<br>
[…]<br>
<br>
$ dig +noall +authority IN NS <a href="http://becloudby.com" rel="noreferrer" target="_blank">becloudby.com</a>. @<a href="http://a.gtld-servers.net" rel="noreferrer" target="_blank">a.gtld-servers.net</a>.<br>
<a href="http://becloudby.com" rel="noreferrer" target="_blank">becloudby.com</a>. 172800 IN NS <a href="http://u1.hoster.by" rel="noreferrer" target="_blank">u1.hoster.by</a>.<br>
<a href="http://becloudby.com" rel="noreferrer" target="_blank">becloudby.com</a>. 172800 IN NS <a href="http://u2.hoster.by" rel="noreferrer" target="_blank">u2.hoster.by</a>.<br>
<br>
Step 3: get nameservers for <a href="http://hoster.by" rel="noreferrer" target="_blank">hoster.by</a><br>
<br>
$ dig +noall +authority IN NS <a href="http://hoster.by" rel="noreferrer" target="_blank">hoster.by</a>. @<a href="http://a.root-servers.net" rel="noreferrer" target="_blank">a.root-servers.net</a><br>
by. 172800 IN NS <a href="http://dns1.tld.becloudby.com" rel="noreferrer" target="_blank">dns1.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns2.tld.becloudby.com" rel="noreferrer" target="_blank">dns2.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns3.tld.becloudby.com" rel="noreferrer" target="_blank">dns3.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns4.tld.becloudby.com" rel="noreferrer" target="_blank">dns4.tld.becloudby.com</a>.<br>
by. 172800 IN NS <a href="http://dns5.tld.becloudby.com" rel="noreferrer" target="_blank">dns5.tld.becloudby.com</a>.<br>
<br>
Step 4: get nameservers for <a href="http://becloudy.com" rel="noreferrer" target="_blank">becloudy.com</a>:<br>
<br>
[…]<br>
<br>
My guess is that it probably depends on the current state of the cache<br>
whether `named` is able to break out of the loop using the existing data<br>
or not.<br>
<br>
>From the log, I can see that it’s hitting the SERVFAIL cache.<br>
<br>
You can disable the servfail caching with:<br>
<br>
``servfail-ttl``<br>
This sets the number of seconds to cache a SERVFAIL response due to DNSSEC<br>
validation failure or other general server failure. If set to ``0``,<br>
SERVFAIL caching is disabled. The SERVFAIL cache is not consulted if<br>
a query has the CD (Checking Disabled) bit set; this allows a query<br>
that failed due to DNSSEC validation to be retried without waiting<br>
for the SERVFAIL TTL to expire.<br>
<br>
The maximum value is ``30`` seconds; any higher value is<br>
silently reduced. The default is ``1`` second.<br>
<br>
And see if that helps.<br>
<br>
Ondrej<br>
--<br>
Ondřej Surý (He/Him)<br>
<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a><br>
<br>
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.<br>
<br>
> On 29. 3. 2022, at 16:02, Dzmitry Shykuts <<a href="mailto:dshykuts@gmail.com" target="_blank">dshykuts@gmail.com</a>> wrote:<br>
> <br>
> Hello! Can anybody help me with periodic and critical for me SERVFAIL? Cannot determine the source of the problem.<br>
> <br>
> I have Debian 11.3 and BIND9 9.16.27 on it. There was no such problem earlier.<br>
> <br>
> I do request:<br>
> <br>
> <<>> DiG 9.16.27-Debian <<>> <a href="http://103.by" rel="noreferrer" target="_blank">103.by</a> +trace<br>
> ;; global options: +cmd<br>
> . 518377 IN NS <a href="http://e.root-servers.net" rel="noreferrer" target="_blank">e.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://a.root-servers.net" rel="noreferrer" target="_blank">a.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://h.root-servers.net" rel="noreferrer" target="_blank">h.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://k.root-servers.net" rel="noreferrer" target="_blank">k.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://b.root-servers.net" rel="noreferrer" target="_blank">b.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://i.root-servers.net" rel="noreferrer" target="_blank">i.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://j.root-servers.net" rel="noreferrer" target="_blank">j.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://d.root-servers.net" rel="noreferrer" target="_blank">d.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://c.root-servers.net" rel="noreferrer" target="_blank">c.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://m.root-servers.net" rel="noreferrer" target="_blank">m.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://f.root-servers.net" rel="noreferrer" target="_blank">f.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://g.root-servers.net" rel="noreferrer" target="_blank">g.root-servers.net</a>.<br>
> . 518377 IN NS <a href="http://l.root-servers.net" rel="noreferrer" target="_blank">l.root-servers.net</a>.<br>
> . 518377 IN RRSIG NS 8 0 518400 20220411050000 20220329040000 9799 . keszTJZg3TCzY3s4UyinKYe7VwZGGf/8kHoWzJ2Ab3n4ctBt8gtleqC0 UZqIIjc9Ez9srWGGeNn2gRUtB65QvL99oX5gD5VI6h1SY81OC0HcBx2c 80SZJ0s9qpNmkDDcp4EUNlgoheDkBAtB3MsIRIVA6T746gBthcVKLHxC rpOy7ELdgDtHwtq8jL5QIFae6QlIGuO95nflzk31VoL/yhCxvpzIXEfq QJlJQf21YJtAtYnY7vJJwuDVT20y/cj5W7PNxSkNLMoukqUXOeH/w2yB 0yNkwbKLBZUkyrE5tQmlq5AnScofbT7ffOYB9o9ug39DgCTcqSeNZDYX 0Gekmg==<br>
> ;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms<br>
> <br>
> by. 172800 IN NS <a href="http://dns5.tld.becloudby.com" rel="noreferrer" target="_blank">dns5.tld.becloudby.com</a>.<br>
> by. 172800 IN NS <a href="http://dns2.tld.becloudby.com" rel="noreferrer" target="_blank">dns2.tld.becloudby.com</a>.<br>
> by. 172800 IN NS <a href="http://dns3.tld.becloudby.com" rel="noreferrer" target="_blank">dns3.tld.becloudby.com</a>.<br>
> by. 172800 IN NS <a href="http://dns4.tld.becloudby.com" rel="noreferrer" target="_blank">dns4.tld.becloudby.com</a>.<br>
> by. 172800 IN NS <a href="http://dns1.tld.becloudby.com" rel="noreferrer" target="_blank">dns1.tld.becloudby.com</a>.<br>
> by. 86400 IN DS 495 13 2 2D14284F8E47B53F839BD8068D438680B4B6C7A645769C9D89B47DF0 C5359B7B<br>
> by. 86400 IN RRSIG DS 8 1 86400 20220411050000 20220329040000 9799 . IAk+oEOmuQVbb8RyxB9ML/GOwnLIaQdi0XMD8Y7san2AIx2lXeEZp3AV fNgYQfTnVrGyi3ylXNkVmQXnqDdrPK8iJu6mKvmaI40sQwv8xDyx5Fnz VaNHcY4+J3fQwSp+TrFxQuAlW3g3CFaUVNLk20V/TQUycVA75c+3TrW4 IQJ1aua0lDsG1JS7BigHryUH9Vy8nSyuikYOIiML0BTTTqFQN7yk4AiE 3gbYMuCsMHQKfAIXpswc/i1eGEW7yi5USnQqza4P2YEDrUhSUps5N2u5 /UwdS1BsmW17WZRbfDudeL4y471jwKhYgCCycGI1whtToDA452nvDJL2 it6mlg==<br>
> couldn't get address for '<a href="http://dns5.tld.becloudby.com" rel="noreferrer" target="_blank">dns5.tld.becloudby.com</a>': failure<br>
> couldn't get address for '<a href="http://dns2.tld.becloudby.com" rel="noreferrer" target="_blank">dns2.tld.becloudby.com</a>': failure<br>
> couldn't get address for '<a href="http://dns3.tld.becloudby.com" rel="noreferrer" target="_blank">dns3.tld.becloudby.com</a>': failure<br>
> couldn't get address for '<a href="http://dns4.tld.becloudby.com" rel="noreferrer" target="_blank">dns4.tld.becloudby.com</a>': failure<br>
> couldn't get address for '<a href="http://dns1.tld.becloudby.com" rel="noreferrer" target="_blank">dns1.tld.becloudby.com</a>': failure<br>
> dig: couldn't get address for '<a href="http://dns5.tld.becloudby.com" rel="noreferrer" target="_blank">dns5.tld.becloudby.com</a>': no more<br>
> <br>
> Request SERVFAILed. When I do "rndc flush" several times, the problem has gone for a while. After some time I get SERVFAIL again. Now I'm forwarding the zone to Google DNS and there is no such problem.<br>
> <br>
> There is a some debug log from BIND of the problem:<br>
> <br>
> <named.txt>-- <br>
> Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
> <br>
> ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
> <br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
</blockquote></div>