Re: BIND9 SERVFAIL on some .gov addresses

Ryan Novosielski Fri, 11 Feb 2011 10:26:29 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>> health.nyc.gov query-errors:
>>
>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
>> at query.c:4630
>> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
>> resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
>> [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0
> 
> The adberr count looks like it can only be incremented by two code sections 
> in lib/dns/resolver.c:
> 
>         if (result != ISC_R_SUCCESS) {
>                 if (result == DNS_R_ALIAS) {
>                         /*
>                          * XXXRTH  Follow the CNAME/DNAME chain?
>                          */
>                         dns_adb_destroyfind(&find);
>                         fctx->adberr++;
>                 }
>         }
> 
> [ ...and... ]
> 
>                         if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
>                                 fctx->lamecount++; /* cached lame server */
>                         else
>                                 fctx->adberr++; /* unreachable server, etc. */
> 
> This implies a connectivity issue between your client and the nyc.gov 
> nameservers, I think.
> But there are local wizards lurking who are much more familiar with the code 
> than I....


It is starting to appear as if this is an issue relating to EDNS, though
I can't see specifically how. It does not appear to even be a size
related issue, but instead possibly something to do with packet
fragmentation. I built a BIND 9.6.2 server on a CentOS VM -- works fine
off our network (connected via Verizon Wireless), but does not work on
campus.

What I don't quite understand is why querying say 8.8.8.8 with a copy of
dig on our network would work. Isn't the same thing ultimately going to
have to pass through the same place in our firewall/network eventually
whether it's a nameserver asking for it or a client?

- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |[email protected] - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1VfigACgkQmb+gadEcsb6i8gCgm2YnVtwVFTycUKK/JQgM9eTP
6WoAnAuZ31BQR4+xdWbyc9+tur1joI9i
=CIn8
-----END PGP SIGNATURE-----

<<attachment: novosirj.vcf>>

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND9 SERVFAIL on some .gov addresses

Reply via email to