In message <4e9b037f-4c66-460e-b70f-5ce9619ff...@takizo.com>, Paul Ooi Cong Jen writes:
> Hi All,
>
> I am having a problem with a Bind query, but I am not sure whether it is a
> client error or a server error.
> Below are the server details.
>
> Server running FreeBSD 8.1
> Bind 9.7.0-P3

Upgrade. You really don't want to be running Bind 9.7.0-P3 any more.

> options {
>     query-source address * port *;
>     use-v4-udp-ports { range 2048 65535; };
>     recursive-clients 20000;
>     recursion yes;
>
>     allow-recursion {
>         any;
>     };
>
>     allow-query {
>         any;
>     };
>
>     allow-transfer {
>         trusted;
>     };
> };
>
> When I try to dig the domain name, I receive SERVFAIL status, but when +trace
> is initiated, it seems fine
>
> --------------
>
> dig @localhost www.kwsp.gov.my
>
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32501
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.kwsp.gov.my. IN A
>
> ;; Query time: 384 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 22 15:02:41 2010
> ;; MSG SIZE rcvd: 33
>
> -------------------------
>
> -------------------------
> dig @localhost www.kwsp.gov.my +trace
>
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my +trace
> ; (2 servers found)
> ;; global options: +cmd
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms
>
> my. 172800 IN NS dns.mynic.net.my.
> my. 172800 IN NS ns20.iij.ad.jp.
> my. 172800 IN NS ns2.cuhk.edu.hk.
> my. 172800 IN NS ns5.jaring.my.
> my. 172800 IN NS ns6.jaring.my.
> my. 172800 IN NS ns-my.nic.fr.
> my. 172800 IN NS dns2.mynic.net.my.
> ;; Received 486 bytes from 192.5.5.241#53(f.root-servers.net) in 5 ms
>
> gov.my. 86400 IN NS ns5.jaring.my.
> gov.my. 86400 IN NS ns20.iij.ad.jp.
> gov.my. 86400 IN NS ns2.cuhk.edu.hk.
> gov.my. 86400 IN NS dns1.mynic.net.my.
> gov.my. 86400 IN NS ns6.jaring.my.
> ;; Received 266 bytes from 192.134.0.49#53(ns-my.nic.fr) in 351 ms
>
> kwsp.gov.my. 86400 IN NS harimau.skali.com.my.
> kwsp.gov.my. 86400 IN NS rusa.skali.com.my.
> kwsp.gov.my. 86400 IN NS ns3.pttcdc.com.my.
> ;; Received 109 bytes from 137.189.6.21#53(ns2.cuhk.edu.hk) in 52 ms
>
> www.kwsp.gov.my. 43200 IN CNAME www.yu.kwsp.gov.my.
> ;; Received 54 bytes from 202.184.117.10#53(ns3.pttcdc.com.my) in 21 ms
> -----------------------------------------------
>
> If I run rndc flush and dig again, the record returns the result
>
> ------------------------------
>
> dig @localhost www.kwsp.gov.my
>
> ; <<>> DiG 9.7.0-P3 <<>> @localhost www.kwsp.gov.my
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.kwsp.gov.my. IN A
>
> ;; ANSWER SECTION:
> www.kwsp.gov.my. 43186 IN CNAME www.yu.kwsp.gov.my.
> www.yu.kwsp.gov.my. 30 IN A 202.162.21.166
>
> ;; AUTHORITY SECTION:
> yu.kwsp.gov.my. 43200 IN NS ns2.yu.kwsp.gov.my.
> yu.kwsp.gov.my. 43200 IN NS ns1.yu.kwsp.gov.my.
>
> ;; Query time: 829 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Dec 22 15:04:55 2010
> ;; MSG SIZE rcvd: 106
>
> ------------------------
>
>
> From the debug logs, we see the error messages below
>
> gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:38:52.845 query-errors: client 211.24.220.233#54055: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:38:52.845 query-errors: client 211.24.220.233#54023: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:40:27.940 query-errors: client 203.121.30.35#52679: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:40:27.940 query-errors: client 211.24.220.233#54143: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:43:48.202 query-errors: client 211.24.177.146#62297: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:43:48.202 query-errors: client 211.24.220.233#54459: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:43:48.202 query-errors: client 211.24.220.233#54473: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:43:48.202 query-errors: client 211.24.177.146#62297: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:44:48.290 query-errors: client 211.24.220.233#54530: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:44:48.290 query-errors: client 127.0.0.1#19009: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
> 22-Dec-2010 14:44:48.290 query-errors: client 211.24.220.233#54547: query failed (SERVFAIL) for www.kwsp.gov.my/IN/A at query.c:4650
>
> On the other hand, we notice that the NS record seems to have no DNS service
> running; could it be a client-side or server-side problem?
>
> --
> Paul Ooi
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

The problem is that yu.kwsp.gov.my is not set up correctly.

After named looks up www.kwsp.gov.my and finds the CNAME pointing to
www.yu.kwsp.gov.my, it then has to look up www.yu.kwsp.gov.my, which is
delegated to ns1.yu.kwsp.gov.my and ns2.yu.kwsp.gov.my. These nameservers
tell the world that ns1.yu.kwsp.gov.my and ns2.yu.kwsp.gov.my don't exist
(below), and once named learns these answers the lookups of www.kwsp.gov.my
fail. The rndc flush helps because it clears out the negative cache entries
saying that the name does not exist, and the new lookup is still using the
glue address records.

The fix is for hostmas...@rjgtm.kwsp.gov.my to add the address records for
ns1.yu.kwsp.gov.my and ns2.yu.kwsp.gov.my to the yu.kwsp.gov.my zone.

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> ns2.yu.kwsp.gov.my @202.162.21.163
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27979
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.yu.kwsp.gov.my. IN A

;; AUTHORITY SECTION:
yu.kwsp.gov.my. 60 IN SOA rjgtm.kwsp.gov.my. hostmaster.rjgtm.kwsp.gov.my. 12 10800 3600 604800 60

;; Query time: 359 msec
;; SERVER: 202.162.21.163#53(202.162.21.163)
;; WHEN: Thu Dec 23 07:26:56 2010
;; MSG SIZE rcvd: 89

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
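
The misconfiguration diagnosed in the reply above can be caught before a zone is published. The following is an added example, not part of the original thread and not ISC code: it checks a zone's own records for in-zone NS targets that have no address records, which is the condition that makes the zone's servers answer NXDOMAIN for their own names. The zone text, the function names and the 192.0.2.x addresses are constructed for illustration.

```python
# Added example with constructed zone data; not taken from the real zone.
# The ns1/ns2 addresses are 192.0.2.0/24 documentation placeholders.
BROKEN_ZONE = """\
yu.kwsp.gov.my.     43200 IN NS ns1.yu.kwsp.gov.my.
yu.kwsp.gov.my.     43200 IN NS ns2.yu.kwsp.gov.my.
www.yu.kwsp.gov.my. 30    IN A  202.162.21.166
"""
FIXED_ZONE = BROKEN_ZONE + """\
ns1.yu.kwsp.gov.my. 43200 IN A 192.0.2.1
ns2.yu.kwsp.gov.my. 43200 IN A 192.0.2.2
"""


def norm(name):
    return name.strip().lower().rstrip(".")


def parse_records(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if line:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((norm(owner), rtype.upper(), norm(rdata)))
    return records


def authoritative_answer(records, qname, qtype):
    """Status the zone's own servers would give (no wildcards or CNAMEs)."""
    qname = norm(qname)
    owners = {owner for owner, _, _ in records}
    if any(o == qname and t == qtype for o, t, _ in records):
        return "NOERROR"
    # The name exists if it owns any record or is an ancestor of one.
    if qname in owners or any(o.endswith("." + qname) for o in owners):
        return "NODATA"
    return "NXDOMAIN"


def unresolvable_in_zone_ns(zone_text, origin):
    """Map each in-zone NS target lacking A/AAAA to the status it would get."""
    origin, records = norm(origin), parse_records(zone_text)
    problems = {}
    for owner, rtype, target in records:
        if owner == origin and rtype == "NS" and target.endswith("." + origin):
            results = [authoritative_answer(records, target, t) for t in ("A", "AAAA")]
            if "NOERROR" not in results:
                problems[target] = results[0]
    return problems


if __name__ == "__main__":
    print(unresolvable_in_zone_ns(BROKEN_ZONE, "yu.kwsp.gov.my."))
    print(unresolvable_in_zone_ns(FIXED_ZONE, "yu.kwsp.gov.my."))
```

An empty result for the corrected zone means every in-zone nameserver name resolves from the zone itself, so resolvers no longer depend on parent glue alone.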