Re: BIND9 SERVFAIL on some .gov addresses
- From: Ryan Novosielski <novosirj@xxxxxxxxx>
- Date: Fri, 11 Feb 2011 13:21:28 -0500
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>> health.nyc.gov query-errors:
>>
>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
>> at query.c:4630
>> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
>> resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
>> [domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0
>
> The adberr count looks like it can only be incremented by two code sections in lib/dns/resolver.c:
>
>         if (result != ISC_R_SUCCESS) {
>                 if (result == DNS_R_ALIAS) {
>                         /*
>                          * XXXRTH Follow the CNAME/DNAME chain?
>                          */
>                         dns_adb_destroyfind(&find);
>                         fctx->adberr++;
>                 }
>         }
>
> [ ...and... ]
>
>         if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
>                 fctx->lamecount++; /* cached lame server */
>         else
>                 fctx->adberr++; /* unreachable server, etc. */
>
> This implies a connectivity issue between your client and the nyc.gov nameservers, I think.
> But there are local wizards lurking who are much more familiar with the code than I....

It is starting to appear as if this is an issue relating to EDNS, though
I can't see specifically how. It does not appear to even be a size
related issue, but instead possibly something to do with packet
fragmentation. I built a BIND 9.6.2 server on a CentOS VM -- works fine
off our network (connected via Verizon Wireless), but does not work on
campus.
What I don't quite understand is why querying say 8.8.8.8 with a copy of
dig on our network would work. Isn't the same thing ultimately going to
have to pass through the same place in our firewall/network eventually
whether it's a nameserver asking for it or a client?
--
---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novosirj@xxxxxxxxx - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
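
As an added example (not part of the original message and not BIND code), a small Python parser for the `fetch completed` query-errors record quoted above: it rejoins the mail-wrapped line, extracts the per-fetch counters and lists the non-zero ones. The function names are hypothetical, the notes for `adberr` and `lame` are the resolver.c comments quoted in the thread, and reading `qrysent` as the number of queries sent is an assumption.

```python
import re

# Constructed sample: the mail-wrapped "debug 2" record quoted in the message.
SAMPLE = """\
10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch completed at
resolver.c:3057 for health.nyc.gov/MX in 0.000046: failure/success
[domain:nyc.GOV,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0
"""

FETCH_RE = re.compile(
    r"fetch completed at (?P<src>\S+) for (?P<name>\S+)/(?P<type>\S+) "
    r"in (?P<secs>[\d.]+): (?P<result>\S+)/(?P<vresult>\S+) "
    r"\[domain:(?P<domain>[^,\]]+),(?P<counters>(?:[a-z]+:\d+,?)+)\]?"
)

# Notes copied from the resolver.c comments quoted in the thread.
HINTS = {"adberr": "unreachable server, etc.", "lame": "cached lame server"}
# Counters that are not failure counts by themselves.
NEUTRAL = {"referral", "restart", "qrysent"}


def parse_fetches(text):
    """Return one dict per 'fetch completed' record, undoing mail line wraps."""
    flat = " ".join(text.split())
    records = []
    for m in FETCH_RE.finditer(flat):
        pairs = (kv.split(":") for kv in m["counters"].strip(",").split(","))
        records.append({
            "name": m["name"], "type": m["type"], "domain": m["domain"],
            "seconds": float(m["secs"]), "result": m["result"],
            "counters": {k: int(v) for k, v in pairs},
        })
    return records


def triage(record):
    """List the non-zero failure counters of one parsed record."""
    c = record["counters"]
    notes = [f"{k}={v}" + (f" ({HINTS[k]})" if k in HINTS else "")
             for k, v in c.items() if v and k not in NEUTRAL]
    if c.get("qrysent") == 0:
        # Assumption: qrysent is the number of queries sent for this fetch.
        notes.append("qrysent=0 (no query sent for this fetch)")
    return notes


if __name__ == "__main__":
    for rec in parse_fetches(SAMPLE):
        print(rec["name"], rec["type"], rec["result"], triage(rec))
```
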