Hi all. Well, I'm stumped.

This is causing non-delivery of mail for the affected domain because it
is blocking fallback from IPv6 to IPv4 for the domain. The problem
smells like misconfigured IPv6 somewhere along the way, but all the
servers involved (that have IPv6 addresses) seem to be answering OK.

Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
a particular domain, namely "mailergoat.rsi.co.jp". But from other
places, we get NOERROR (which is the correct answer, because there is an
A record with that name). However, from some places outside our network
we also get SERVFAIL.

Traces (using the +trace option to dig) are identical regardless of
where we do them, besides some reordering of the nameserver results,
which is normal.

One oddity (at least it seems odd to me) is that a trace ends with two
nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in
the nameserver list for rsi.co.jp, meaning that the domain
mailergoat.rsi.co.jp has been delegated to them.

When I ask either of those servers directly for the nameserver records
for mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those
servers for "ANY" records for that name shows an A record and a TXT
(SPF) record only. That makes this a lame delegation - but why do some
recursive nameservers report it as SERVFAIL and some as NOERROR? A
difference between nameservers, or nameserver versions?

Any ideas gratefully received. See below for dig outputs demonstrating
the above statements.

Regards, K.


dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp AAAA

; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; Query time: 582 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:09:43 2011
;; MSG SIZE rcvd: 38


But from other places, we get NOERROR (which is the correct answer,
because there is an A record with that name). This via Google DNS:

dns2-rz-ap:[log]$ dig mailergoat.rsi.co.jp AAAA @8.8.8.8

; <<>> DiG 9.2.4 <<>> mailergoat.rsi.co.jp AAAA @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 518
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; AUTHORITY SECTION:
rsi.co.jp.              60      IN      SOA     gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 523 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 27 13:10:07 2011
;; MSG SIZE rcvd: 90


Note that there *is* an A record with that name:

dmz-rz-ap:[~]$ dig mailergoat.rsi.co.jp

; <<>> DiG 9.6.1-P3 <<>> mailergoat.rsi.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1627
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      A

;; ANSWER SECTION:
mailergoat.rsi.co.jp.   600     IN      A       202.214.41.103

;; AUTHORITY SECTION:
mailergoat.rsi.co.jp.   260     IN      NS      gtm2.rsi.co.jp.
mailergoat.rsi.co.jp.   260     IN      NS      gtm1.rsi.co.jp.

;; ADDITIONAL SECTION:
gtm1.rsi.co.jp.         600     IN      A       202.214.41.51
gtm2.rsi.co.jp.         600     IN      A       202.25.214.15

;; Query time: 592 msec
;; SERVER: 129.132.98.12#53(129.132.98.12)
;; WHEN: Wed Apr 27 13:14:56 2011
;; MSG SIZE rcvd: 124


But from some places outside our network we also get SERVFAIL:

kauer@karl:~$ dig mailergoat.rsi.co.jp AAAA

; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; Query time: 544 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:09:40 2011
;; MSG SIZE rcvd: 38


The following sequence of three digs shows that when I ask the
reportedly authoritative servers directly about this name, they can and
do answer correctly. It's only when the query recurses that SERVFAIL
shows up:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp aaaa

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43306
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; AUTHORITY SECTION:
rsi.co.jp.              60      IN      SOA     gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 21:40:09 2011
;; MSG SIZE rcvd: 90

kauer@karl:~$ dig @gtm2.rsi.co.jp mailergoat.rsi.co.jp aaaa

; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13474
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; AUTHORITY SECTION:
rsi.co.jp.              60      IN      SOA     gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 239 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 21:40:16 2011
;; MSG SIZE rcvd: 90

kauer@karl:~$ dig mailergoat.rsi.co.jp aaaa

; <<>> DiG 9.7.1-P2 <<>> mailergoat.rsi.co.jp aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59506
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      AAAA

;; Query time: 692 msec
;; SERVER: 192.168.1.35#53(192.168.1.35)
;; WHEN: Wed Apr 27 21:40:24 2011
;; MSG SIZE rcvd: 38


Asking gtm2 about nameservers for the domain:

kauer@karl:~$ dig @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns

; <<>> DiG 9.7.1-P2 <<>> @gtm2.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44302
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      NS

;; AUTHORITY SECTION:
rsi.co.jp.              60      IN      SOA     gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 222 msec
;; SERVER: 202.25.214.15#53(202.25.214.15)
;; WHEN: Wed Apr 27 22:02:01 2011
;; MSG SIZE rcvd: 90


Asking gtm1 about nameservers for the domain:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28074
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      NS

;; AUTHORITY SECTION:
rsi.co.jp.              60      IN      SOA     gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60

;; Query time: 272 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:05:33 2011
;; MSG SIZE rcvd: 90


And in fact, only A and TXT records exist:

kauer@karl:~$ dig @gtm1.rsi.co.jp mailergoat.rsi.co.jp any

; <<>> DiG 9.7.1-P2 <<>> @gtm1.rsi.co.jp mailergoat.rsi.co.jp any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30639
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mailergoat.rsi.co.jp.          IN      ANY

;; ANSWER SECTION:
mailergoat.rsi.co.jp.   600     IN      A       202.214.41.103
mailergoat.rsi.co.jp.   600     IN      TXT     "v=spf1 a:mailergoat.rsi.co.jp ?all"

;; AUTHORITY SECTION:
rsi.co.jp.              500     IN      NS      gtm1.rsi.co.jp.

;; Query time: 264 msec
;; SERVER: 202.214.41.51#53(202.214.41.51)
;; WHEN: Wed Apr 27 22:06:19 2011
;; MSG SIZE rcvd: 120

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
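
Added example, not part of the original message and not BIND code: a Python check that parses dig output like that quoted above and tests whether a NODATA answer's SOA owner lies inside the zone cut announced by the NS records. The sample strings are constructed by trimming the post's dig outputs, the function names are hypothetical, and that this mismatch is what stricter resolvers reject is an assumption rather than something the post establishes.

```python
import re

# Constructed samples, trimmed from the dig outputs quoted in the post.
DELEGATION = """\
mailergoat.rsi.co.jp. 260 IN NS gtm2.rsi.co.jp.
mailergoat.rsi.co.jp. 260 IN NS gtm1.rsi.co.jp.
"""
NEGATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43306
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;mailergoat.rsi.co.jp. IN AAAA
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse(text):
    """Return status, header flags, question name and records from dig text."""
    out = {"status": None, "flags": set(), "qname": None, "rrs": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"status: (\w+)", line):
            out["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]+);", line):
            out["flags"] = set(m.group(1).split())
        elif m := re.match(r";(\S+)\s+IN\s+\S+$", line):
            out["qname"] = m.group(1).lower()
        elif not line.startswith(";") and (m := RR.match(line)):
            out["rrs"].append((m.group(1).lower(), m.group(3), m.group(4)))
    return out

def in_zone(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = name.rstrip(".").split("."), zone.rstrip(".").split(".")
    return n[-len(z):] == z

def check_negative(delegation_text, answer_text):
    """Compare a NODATA answer's SOA owner with the delegated zone cut."""
    cuts = {o for o, t, _ in parse(delegation_text)["rrs"] if t == "NS"}
    ans = parse(answer_text)
    soa = [o for o, t, _ in ans["rrs"] if t == "SOA"]
    cut = max((c for c in cuts if in_zone(ans["qname"], c)), key=len, default=None)
    nodata = ans["status"] == "NOERROR" and not any(
        o == ans["qname"] and t != "SOA" for o, t, _ in ans["rrs"])
    return {"cut": cut, "soa_owner": soa[0] if soa else None, "nodata": nodata,
            "soa_inside_cut": bool(soa and cut and in_zone(soa[0], cut))}
```

For the post's data the result shows a NODATA answer from an authoritative server (aa flag set) whose SOA owner, rsi.co.jp., sits above the delegated name mailergoat.rsi.co.jp.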