Hello,
I have been trying to find out why my caching servers are giving
SERVFAIL as an answer for any type of query except for an A record for the
domain in the subject. Whether I try a AAAA, TXT, SOA, PTR, TXT, etc, I get a
SERVFAIL answer. Yet, it seems that anyone else in the world is getting
NOERROR. Now, when I direct the query to the Microsoft DNS servers (8.8.8.8), I
also get NOERROR. I have tried different versions of clients (9.4.3-P5 and
9.6-ESV-R4-P3) and get the same response, so I do not think that is the issue.
When I use a 'dig +trace', the end of the chain shows a server that
does not exist in the last answer consisting of the SOA record. In fact, since
Sungard is involved, the whole chain makes no sense to me. I have edited out
the extra stuff, but here is what I try to do.
First, here is the 'dig +trace' with an A query. I left out the list of the
root and gtld servers.
[bischrf@nsc1 ~]$ dig +trace ocsp.entrust.net. a
;; Received 300 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
;; Received 491 bytes from 192.5.5.241#53(f.root-servers.net) in 26 ms
entrust.net. 172800 IN NS secondary-ns1.allstream.com.
entrust.net. 172800 IN NS secondary-ns2.allstream.com.
entrust.net. 172800 IN NS ns1.entrust.net.
entrust.net. 172800 IN NS ns2.entrust.net.
;; Received 203 bytes from 192.42.93.30#53(g.gtld-servers.net) in 115 ms
ocsp.entrust.net. 7200 IN NS gns1.sungardns.com.
ocsp.entrust.net. 7200 IN NS gns2.sungardns.com.
;; Received 85 bytes from 216.13.122.23#53(secondary-ns1.allstream.com) in 120
ms
ocsp.entrust.net. 30 IN A 216.191.247.139
;; Received 50 bytes from 207.19.96.22#53(gns1.sungardns.com) in 109 ms
------------------------
Then a 'dig +trace' looking for the AAAA record.
[bischrf@nsc1 ~]$ dig +trace ocsp.entrust.net. aaaa
;; Received 344 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
;; Received 491 bytes from 199.7.83.42#53(l.root-servers.net) in 160 ms
entrust.net. 172800 IN NS secondary-ns1.allstream.com.
entrust.net. 172800 IN NS secondary-ns2.allstream.com.
entrust.net. 172800 IN NS ns1.entrust.net.
entrust.net. 172800 IN NS ns2.entrust.net.
;; Received 203 bytes from 192.26.92.30#53(c.gtld-servers.net) in 34 ms
ocsp.entrust.net. 7200 IN NS gns1.sungardns.com.
ocsp.entrust.net. 7200 IN NS gns2.sungardns.com.
;; Received 85 bytes from 216.191.247.202#53(ns2.entrust.net) in 125 ms
entrust.net. 60 IN SOA phlig3.oamp.sgns.net.
hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
;; Received 98 bytes from 207.19.96.22#53(gns1.sungardns.com) in 111 ms
NOTE: phlig3.oamp.sgns.net does not exist.
----------------------------------
Here is the query that works.
[bischrf@nsc1 ~]$ dig ocsp.entrust.net. a
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29329
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
ocsp.entrust.net. 24 IN A 216.191.247.203
;; AUTHORITY SECTION:
ocsp.entrust.net. 1675 IN NS gns1.sungardns.com.
ocsp.entrust.net. 1675 IN NS gns2.sungardns.com.
---------------------------
Now a AAAA query. Note there is no authority.
[bischrf@nsc1 ~]$ dig ocsp.entrust.net. aaaa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20073
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
--------------------------
So now I try to follow the chain.
1) Query entrust.net. for the NS records. I get 4.
[bischrf@nsc1 ~]$ dig entrust.net. ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17958
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; ANSWER SECTION:
entrust.net. 1617 IN NS ns2.entrust.net.
entrust.net. 1617 IN NS secondary-ns1.allstream.com.
entrust.net. 1617 IN NS ns1.entrust.net.
entrust.net. 1617 IN NS secondary-ns2.allstream.com.
---------------------
2) I pick one of those and ask for the NS records for ocsp.entrust.net.
[bischrf@nsc1 ~]$ dig @ns1.entrust.net. ocsp.entrust.net. ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7029
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
ocsp.entrust.net. 7200 IN NS gns1.sungardns.com.
ocsp.entrust.net. 7200 IN NS gns2.sungardns.com.
----------------------
3) I pick one of those and try a AAAA query.
[bischrf@nsc1 ~]$ dig @gns1.sungardns.com. ocsp.entrust.net. aaaa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4292
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
entrust.net. 60 IN SOA phlig3.oamp.sgns.net.
hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
------------------------------
Note above that I do get an authority, yet the MNAME does not exist. In fact,
when I direct a query to the Microsoft DNS server for the record
"phlig3.oamp.sgns.net", I get a SERVFAIL.
[bischrf@nsc1 ~]$ dig @8.8.8.8 phlig3.oamp.sgns.net.
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
-------------------------------
So I try to find what is up with that record and I end up with a dead end at
the NS records for oamp.sgns.net. I find the NS records, but I cannot get an IP
for either one of them.
[bischrf@nsc1 ~]$ dig sgns.net. ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19454
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
sgns.net. 1779 IN NS ns2.sungardns.com.
sgns.net. 1779 IN NS ns1.sungardns.com.
-------------------------------------------
[bischrf@nsc1 ~]$ dig @ns2.sungardns.com. oamp.sgns.net. ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64087
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
oamp.sgns.net. 3600 IN NS phlnn1.oamp.sgns.net.
oamp.sgns.net. 3600 IN NS hounn1.oamp.sgns.net.
------------------------------
[bischrf@nsc1 ~]$ dig @ns2.sungardns.com. phlnn1.oamp.sgns.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25825
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
oamp.sgns.net. 3600 IN NS phlnn1.oamp.sgns.net.
oamp.sgns.net. 3600 IN NS hounn1.oamp.sgns.net.
-------------------------------------
[bischrf@nsc1 ~]$ dig @ns2.sungardns.com. hounn1.oamp.sgns.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
oamp.sgns.net. 3600 IN NS phlnn1.oamp.sgns.net.
oamp.sgns.net. 3600 IN NS hounn1.oamp.sgns.net.
---------------------------
I did talk with both Sungard and Entrust on what I found and they sent
me an email that they fixed "something" last night. How can I troubleshoot more
why my servers are reporting SERVFAIL for any non-A types for this domain where
it seems that everyone else in the world is getting NOERROR? Thank you for
reading this far and any help that you can provide.
Thank you,
Ralph F. Bischof, Jr.
NASA Agency IPAM/DNS/DHCP
SAIC/NICS
256-544-3982
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
