Hi, I found this kind of query-errors referral:1,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0 -----8<-----8<-----8<----- Sep 24 20:22:23 cow named[8034]: queries: info: client @0x7fb13f0168 192.168.38.49#50058 (shavar.services.mozilla.com): query: shavar.services.mozilla.com IN A + (192.168.38.1) Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: shavar.services.mozilla.com/A Sep 24 20:22:23 cow named[8034]: queries: info: client @0x7fb65ec168 192.168.38.49#62908 (content-signature-2.cdn.mozilla.net): query: content-signature-2.cdn.mozilla.net IN A + (192.168.38.1) Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: content-signature-2.cdn.mozilla.net/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: mozilla.net/NS Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: shavar.prod.mozaws.net/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: cdn.mozilla.net/NS Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: mozilla.net/DS Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: content-signature-chains.prod.autograph.services.mozaws.net/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: services.mozaws.net/NS Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: autograph.services.mozaws.net/NS Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-283.awsdns-35.com/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-283.awsdns-35.com/AAAA Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-631.awsdns-14.net/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-631.awsdns-14.net/AAAA Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1136.awsdns-14.org/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1136.awsdns-14.org/AAAA Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1973.awsdns-54.co.uk/A Sep 24 20:22:23 cow named[8034]: resolver: debug 1: fetch: ns-1973.awsdns-54.co.uk/AAAA Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-495.awsdns-61.com/A Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-495.awsdns-61.com/AAAA Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-806.awsdns-36.net/A Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-806.awsdns-36.net/AAAA Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1483.awsdns-57.org/A Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1483.awsdns-57.org/AAAA Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1689.awsdns-19.co.uk/A Sep 24 20:22:24 cow named[8034]: resolver: debug 1: fetch: ns-1689.awsdns-19.co.uk/AAAA Sep 24 20:22:24 cow named[8034]: query-errors: info: client @0x7fb65ec168 192.168.38.49#62908 (content-signature-2.cdn.mozilla.net): query failed (SERVFAIL) for content-signature-2.cdn.mozilla.net/IN/A at query.c:7837 Sep 24 20:22:24 cow named[8034]: query-errors: debug 2: fetch completed at resolver.c:4144 for content-signature-chains.prod.autograph.services.mozaws.net/A in 0.551997: SERVFAIL/success [domain:prod.autograph.services.mozaws.net,referral:1,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] -----8<-----8<-----8<-----
According to the document[1], resolver had 1 referral received and 1 cycle the resolver tried and at least sent one query. But I don't understand why the qrysent is 0 ? This kind of query-errors would happen on other domains. My environment is a Raspberry Pi 4 with old Debian 10 linux. I downloaded the bind 9.18.30 source[2] and build by myself. -----8<-----8<-----8<----- $ /usr/local/sbin/named -V BIND 9.18.30 (Extended Support Version) <id:cdc8d69> running on Linux aarch64 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT 2022 built by make with '--with-json-c' '--enable-dnstap' '--with-libxml2' '--without-lmdb' '--with-tuning=small' '--with-libidn2' '--sysconfdir=/etc/bind' compiled by GCC 8.3.0 compiled with OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022 linked to OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022 compiled with libuv version: 1.24.1 linked to libuv version: 1.24.1 compiled with libnghttp2 version: 1.36.0 linked to libnghttp2 version: 1.36.0 compiled with libxml2 version: 2.9.4 linked to libxml2 version: 20904 compiled with json-c version: 0.12.1 linked to json-c version: 0.12.1 compiled with zlib version: 1.2.11 linked to zlib version: 1.2.11 compiled with protobuf-c version: 1.3.1 linked to protobuf-c version: 1.3.1 threads support is enabled DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448 DS algorithms: SHA-1 SHA-256 SHA-384 HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512 TKEY mode 2 support (Diffie-Hellman): yes TKEY mode 3 support (GSS-API): no default paths: named configuration: /etc/bind/named.conf rndc configuration: /etc/bind/rndc.conf DNSSEC root key: /etc/bind/bind.keys nsupdate session key: /usr/local/var/run/named/session.key named PID file: /usr/local/var/run/named/named.pid named lock file: /usr/local/var/run/named/named.lock -----8<-----8<-----8<----- I download and build the new version of the bind is because the debian one is old and had many query errors for years. I thought the newer bind could solve the query errors. But it seems not solve the problems. I'll continue to find the problems in my environment. By the way, there is a typo on the document[1] that the log example is "for www.example.com/A" but the below text said "recursive resolution for AAAA record of www.example.com". [1] https://downloads.isc.org/isc/bind9/9.18.30/doc/arm/Bv9ARM.pdf Chapter 8, page 108. [2] https://downloads.isc.org/isc/bind9/9.18.30/bind-9.18.30.tar.xz -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users