I wrote:

>> In response to a posting "Re: Two DNS Servers inside a firewall"
>> Mark Andrews wrote on September 5:
>>
>>> Below is an example of such a bad delegation. The last SOA
>>> record should be owned by www.lawlink.nsw.gov.au not
>>> lawlink.nsw.gov.au. It results in SERVFAIL being returned.
>>>
>>> Mark
>>>
>>>
>>> ; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;www.lawlink.nsw.gov.au. IN AAAA
>>>
>>> ;; Query time: 63 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Fri Sep 5 12:01:30 2008
>>> ;; MSG SIZE rcvd: 40
>>>
>>> ; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
>>> ;; global options: printcmd
>>> . 440024 IN NS h.root-servers.net.
>>> . 440024 IN NS d.root-servers.net.
>>> . 440024 IN NS g.root-servers.net.
>>> . 440024 IN NS i.root-servers.net.
>>> . 440024 IN NS b.root-servers.net.
>>> . 440024 IN NS l.root-servers.net.
>>> . 440024 IN NS m.root-servers.net.
>>> . 440024 IN NS e.root-servers.net.
>>> . 440024 IN NS f.root-servers.net.
>>> . 440024 IN NS a.root-servers.net.
>>> . 440024 IN NS j.root-servers.net.
>>> . 440024 IN NS c.root-servers.net.
>>> . 440024 IN NS k.root-servers.net.
>>> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
>>>
>>> au. 172800 IN NS ns1.audns.net.au.
>>> au. 172800 IN NS dns1.telstra.net.
>>> au. 172800 IN NS sec1.apnic.net.
>>> au. 172800 IN NS sec3.apnic.net.
>>> au. 172800 IN NS adns1.berkeley.edu.
>>> au. 172800 IN NS adns2.berkeley.edu.
>>> au. 172800 IN NS audns.optus.net.
>>> au. 172800 IN NS aunic.aunic.net.
>>> ;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
>>>
>>> lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
>>> lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
>>> lawlink.nsw.gov.au. 3600 IN NS ns2.uecomm.net.au.
>>> ;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
>>>
>>> www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
>>> www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
>>> ;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
>>>
>>> lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
>>> ;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
>>>
>>
>>
>> I have a user who cannot resolve
>>
>> www.flickr.com
>>
>> The name server I am querying is 9.5.0-P1 (to be updated to a patched
>> P2 tomorrow). When I query at one of the authoritative name servers,
>> I get:
>>
>> oberon% dig www.flickr.com @ns1.yahoo.com.
>>
>> ; <<>> DiG 8.3 <<>> www.flickr.com @ns1.yahoo.com.
>> ; (1 server found)
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
>> ;; QUERY SECTION:
>> ;; www.flickr.com, type = A, class = IN
>>
>> ;; ANSWER SECTION:
>> www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
>> www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24
>>
>> ;; AUTHORITY SECTION:
>> mud.yahoo.com. 2D IN NS ns1.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns2.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns3.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns4.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns5.yahoo.com.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.yahoo.com. 2D IN A 66.218.71.63
>> ns2.yahoo.com. 2D IN A 68.142.255.16
>> ns3.yahoo.com. 2D IN A 217.12.4.104
>> ns4.yahoo.com. 2D IN A 68.142.196.63
>> ns5.yahoo.com. 30M IN A 119.160.247.124
>>
>> ;; Total query time: 64 msec
>> ;; FROM: oberon.it.anl.gov to SERVER: ns1.yahoo.com. 66.218.71.63
>> ;; WHEN: Tue Sep 9 13:25:03 2008
>> ;; MSG SIZE sent: 32 rcvd: 257
>>
>> oberon%
>>
>> but a general query results in SERVFAIL:
>>
>> oberon% dig www.flickr.com
>>
>> ; <<>> DiG 8.3 <<>> www.flickr.com
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUERY SECTION:
>> ;; www.flickr.com, type = A, class = IN
>>
>> ;; Total query time: 9 msec
>> ;; FROM: oberon.it.anl.gov to SERVER: default -- 146.139.254.5
>> ;; WHEN: Tue Sep 9 13:22:46 2008
>> ;; MSG SIZE sent: 32 rcvd: 32
>>
>> oberon%
>>
>> I notice that when I query one of the authoritative name servers I
>> get
>>
>> ;; ANSWER SECTION:
>> www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
>> www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24
>>
>> ;; AUTHORITY SECTION:
>> mud.yahoo.com. 2D IN NS ns1.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns2.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns3.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns4.yahoo.com.
>> mud.yahoo.com. 2D IN NS ns5.yahoo.com.
>>
>> Is the SERVFAIL because I queried
>>
>> flickr.com
>>
>> and the authority is
>>
>> mud.yahoo.com ?
>>

And Kevin Darcy replied:

> No, that's perfectly normal. CNAMEs point to names in other domains all
> the time. The only thing slightly unusual here is that the nameservers
> for flickr.com also happen to be authoritative for the zone which
> contains the target of the alias (www.flickr.vip.mud.yahoo.com) and are
> therefore able to provide the A record without any further need for
> referral-chasing. But that's _relatively_ normal too.
>
>> If not, then why am I getting SERVFAIL? Thanks.
>>
> Does a dig +trace for www.flickr.com work?
>
> If you have port and/or source-address restrictions in named.conf, make
> sure you're using the same port and/or source-address for your test
> queries. Otherwise it's not really a valid test.
>
> If you're still getting SERVFAIL for your regular queries, but not for
> your test queries, dump your cache and see if maybe you're trying to use
> some bad/stale/obsolete cached glue/referral data in order to resolve
> the name.

I did an "rndc dumpdb", and I did not see any stale glue in the cache.
But I am not sure exactly for what to search.

I have no port and/or source-address restrictions in named.conf.

When I do the "dig www.flickr.com" on my two external DNS servers (both
9.5.0-P2 with Jinmei's dumpdb patch) the queries succeed. When I issue
the command on my two internal DNS servers (one the patched -P2 and one
still 9.5.0-P1), both servers give SERVFAIL.

I looked at the source code (query.c) yesterday, and there are 23 cases
for SERVFAIL. Before some of the SERVFAIL lines I see

    CTRACE("...");

How do I enable this tracing? Or is there another way to determine which
SERVFAIL code is matching in query.c?

----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: [EMAIL PROTECTED]
Argonne, IL 60439-4828               IBMMAIL:  I1004994
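The bad-delegation case Mark Andrews quoted at the top of this message is mechanically detectable from a `dig +trace` transcript: the parent hands out NS records for www.lawlink.nsw.gov.au, but the server those NS records name answers with an SOA owned by lawlink.nsw.gov.au, a zone above the delegation point, so it does not consider itself authoritative for the delegated zone. The script below is an added example, not code from this thread or from BIND; it parses the text layout dig prints and walks the referral chain offline. The first sample transcript is the lawlink trace from the post (shortened to two root and two au. servers); the second is a constructed trace under the reserved name example.test, with made-up 192.0.2.x addresses, showing the healthy shape where the final SOA owner equals the delegated zone.

```python
"""Classify the last hop of a `dig +trace` transcript.

Added example (not from the bind-users thread or from BIND). Reads the
record lines and ';; Received ... from ...' separators that dig prints.
"""
import re
from dataclasses import dataclass, field

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+)")


@dataclass
class Step:
    records: list = field(default_factory=list)   # (owner, rrtype, rdata)
    server: str = ""                              # who sent this step's answer


def parse_trace(text):
    """Split a +trace transcript into one Step per server consulted."""
    steps, cur = [], Step()
    for line in text.splitlines():
        line = line.strip()
        m = RR_RE.match(line)
        if m:
            cur.records.append((m.group(1).lower(), m.group(3).upper(), m.group(4)))
            continue
        m = RECV_RE.match(line)
        if m:
            cur.server = m.group(1)
            steps.append(cur)
            cur = Step()
    if cur.records:            # tolerate a transcript cut off before the last separator
        steps.append(cur)
    return steps


def is_proper_ancestor(anc, name):
    """True when zone `anc` sits strictly above `name` (both absolute, trailing dot)."""
    if anc == ".":
        return name != "."
    return anc != name and name.endswith("." + anc)


def check_delegation(text, qname):
    """Return (verdict, detail) for the final hop of the trace.

    BAD_DELEGATION: the server named in the last referral answers with an
    SOA for a zone above the name that was delegated to it (Mark's case).
    """
    qname = qname.lower().rstrip(".") + "."
    delegated = "."                       # zone the previous referral handed us
    for step in parse_trace(text):
        answer = [r for r in step.records if r[1] not in ("NS", "SOA")]
        soa = [r for r in step.records if r[1] == "SOA"]
        ns_owners = {r[0] for r in step.records if r[1] == "NS"}
        if answer:
            return ("ANSWER", f"{step.server} answered with {answer[0][1]} data")
        if soa:
            owner = soa[0][0]
            if is_proper_ancestor(owner, delegated):
                return ("BAD_DELEGATION",
                        f"{step.server} was delegated {delegated} but its SOA is for {owner}")
            return ("NODATA", f"{step.server} is authoritative for {owner}; no such data")
        if ns_owners:
            delegated = max(ns_owners, key=len)   # follow the (deepest) referral
    return ("INCOMPLETE", f"trace ends in a referral for {delegated}")


# Transcript from the post, trimmed to two servers per level.
BAD_TRACE = """\
. 440024 IN NS h.root-servers.net.
. 440024 IN NS a.root-servers.net.
;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms

au. 172800 IN NS ns1.audns.net.au.
au. 172800 IN NS dns1.telstra.net.
;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms

lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms

www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms

lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
"""

# Constructed healthy trace: the last server's SOA owner equals the delegated zone.
GOOD_TRACE = """\
. 440024 IN NS a.root-servers.net.
;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms

example.test. 172800 IN NS ns1.example.test.
;; Received 100 bytes from 192.0.2.1#53(a.root-servers.net) in 20 ms

example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
;; Received 120 bytes from 192.0.2.53#53(ns1.example.test) in 10 ms
"""

if __name__ == "__main__":
    print(check_delegation(BAD_TRACE, "www.lawlink.nsw.gov.au"))
    print(check_delegation(GOOD_TRACE, "www.example.test"))
```

For the lawlink transcript the verdict is BAD_DELEGATION with the detail naming ns1.lawlink.nsw.gov.au, the delegated zone www.lawlink.nsw.gov.au. and the SOA owner lawlink.nsw.gov.au.; for the constructed trace it is NODATA, the ordinary negative answer for an AAAA that does not exist. A NODATA or ANSWER verdict from +trace on a name your resolver SERVFAILs is the situation Kevin describes, where the next thing to look at is the resolver's own cache or query path rather than the delegation.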