Hi, our BIND recursors apparently intermittently return ServFail error code for lookups e.g. of bugs.FreeBSD.org, and now I've caught it in the act.
I've used http://dnsviz.net/ on both FreeBSD.org, isc-sns.net, isc-sns.info and isc-sns.com (names for the name servers of FreeBSD.org sit in these zones), and everything comes back "no problems found", except for a warning there's no AAAA glue for ns2.isc-sns.com, which should be insignificant. So there are apparently no obvious DNSSEC issues and no significant delegation problems.

I've turned on DNS query sniffing, and this is an exchange I find related to the lookup of _http._tcp.pkg.FreeBSD.org:

  14:20:49.650641 IP6 2001:700:0:503::ca53.62329 > 2001:5a0:10::1.53: 17761 [1au] DNSKEY? freebsd.org. (52)
  14:20:58.138824 IP 128.39.46.118.54758 > 158.38.0.168.53: 31772+ [1au] SRV? _http._tcp.pkg.FreeBSD.org. (55)
  14:21:06.150953 IP6 2001:700:0:503::ca53.55159 > 2001:5a0:10::1.53: 10140 [1au] SRV? _http._tcp.pkg.FreeBSD.org. (67)
  14:21:06.150981 IP6 2001:700:0:503::ca53.54491 > 2001:5a0:10::1.53: 11227% [1au] A? ns1.isc-sns.net. (56)
  14:21:06.151099 IP 158.38.0.168.53 > 128.39.46.118.54758: 31772 ServFail 0/0/1 (55)
  14:21:07.012643 IP6 2001:5a0:10::1.53 > 2001:700:0:503::ca53.57326: 20041*- 2/4/9 A 72.52.71.1, RRSIG (1104)

Yes, there are other packets in-between, but nothing related to freebsd.org or isc-sns, and, yes, I've included two more packets to/from the 2001:5a0:10::1 name server, which is ns3.isc-sns.info according to ip6.arpa.

So ... why does BIND apparently "sit" on the client query received at 14:20:58.138824 for 7s before originating a new query to resolve the client query, and then almost immediately return a ServFail to the client?!?

The last packet looks "odd": though it appears to be the response to the A ns1.isc-sns.net query, I can't re-find query-id 20041, and also not the 57326 port number. I also can't find the DNSKEY response to the very first query in the packet trace.

I'm logging "query errors", and run with debuglevel=2, and get

  Sep 15 14:21:06 oliven named[278]: client @0x7ade2126d000 128.39.46.118#54758 (_http._tcp.pkg.FreeBSD.org): query failed (timed out) for _http._tcp.pkg.FreeBSD.org/IN/SRV at query.c:6799

in the log at the corresponding time. It seems to me that a time-out should be re-set at 14:21:06.150953?

This is with BIND 9.14.4.

Does anyone else see similar behaviour for names in the FreeBSD.org zone?

Best regards,

- Håvard
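
The by-hand matching of query ids and source ports described in the message above can be scripted. This is an added example, not part of the original post: it pairs each query in the quoted tcpdump lines with a response sent back to the same address, port and id, assuming (as holds in this trace) that port 53 marks the server side.

```python
import re
from datetime import datetime

# The six tcpdump lines quoted in the post, copied verbatim.
TRACE = """\
14:20:49.650641 IP6 2001:700:0:503::ca53.62329 > 2001:5a0:10::1.53: 17761 [1au] DNSKEY? freebsd.org. (52)
14:20:58.138824 IP 128.39.46.118.54758 > 158.38.0.168.53: 31772+ [1au] SRV? _http._tcp.pkg.FreeBSD.org. (55)
14:21:06.150953 IP6 2001:700:0:503::ca53.55159 > 2001:5a0:10::1.53: 10140 [1au] SRV? _http._tcp.pkg.FreeBSD.org. (67)
14:21:06.150981 IP6 2001:700:0:503::ca53.54491 > 2001:5a0:10::1.53: 11227% [1au] A? ns1.isc-sns.net. (56)
14:21:06.151099 IP 158.38.0.168.53 > 128.39.46.118.54758: 31772 ServFail 0/0/1 (55)
14:21:07.012643 IP6 2001:5a0:10::1.53 > 2001:700:0:503::ca53.57326: 20041*- 2/4/9 A 72.52.71.1, RRSIG (1104)
"""

# Groups: timestamp, src addr, src port, dst addr, dst port, DNS id, flag chars, rest
LINE = re.compile(r"^(\S+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(\S*) (.*)$")

def correlate(trace):
    """Pair queries with responses; return (answered, unanswered, orphans)."""
    pending, answered, orphans = {}, [], []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, qid, _flags, rest = m.groups()
        when = datetime.strptime(ts, "%H:%M:%S.%f")  # same-day capture assumed
        if dport == "53" and sport != "53":
            # Query: the reply must return from dst to this exact src port and id.
            pending[(src, sport, dst, qid)] = (when, rest)
        elif sport == "53":
            key = (dst, dport, src, qid)
            if key in pending:
                sent, question = pending.pop(key)
                answered.append((qid, question, (when - sent).total_seconds()))
            else:
                orphans.append((qid, dst, dport, rest))
    unanswered = [(k[3], q) for k, (_, q) in pending.items()]
    return answered, unanswered, orphans

if __name__ == "__main__":
    answered, unanswered, orphans = correlate(TRACE)
    for qid, question, secs in answered:
        print(f"id {qid}: answered after {secs:.3f}s  {question}")
    for qid, question in unanswered:
        print(f"id {qid}: no response in capture  {question}")
    for qid, addr, port, rest in orphans:
        print(f"id {qid}: response to {addr} port {port} has no query in capture  {rest}")
```

"No response" and "no query" here describe only the lines fed to the script; run it over the full capture before drawing conclusions about lost packets.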