In response to a posting "Re: Two DNS Servers inside a firewall"
Mark Andrews wrote on September 5:

> Below is a example of such a bad delegation. The last SOA
> record should be owned by www.lawlink.nsw.gov.au not
> lawlink.nsw.gov.au. It results in SERVFAIL being returned.
>
> Mark
>
>
> ; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.lawlink.nsw.gov.au. IN AAAA
>
> ;; Query time: 63 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 5 12:01:30 2008
> ;; MSG SIZE rcvd: 40
>
> ; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
> ;; global options: printcmd
> . 440024 IN NS h.root-servers.net.
> . 440024 IN NS d.root-servers.net.
> . 440024 IN NS g.root-servers.net.
> . 440024 IN NS i.root-servers.net.
> . 440024 IN NS b.root-servers.net.
> . 440024 IN NS l.root-servers.net.
> . 440024 IN NS m.root-servers.net.
> . 440024 IN NS e.root-servers.net.
> . 440024 IN NS f.root-servers.net.
> . 440024 IN NS a.root-servers.net.
> . 440024 IN NS j.root-servers.net.
> . 440024 IN NS c.root-servers.net.
> . 440024 IN NS k.root-servers.net.
> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
>
> au. 172800 IN NS ns1.audns.net.au.
> au. 172800 IN NS dns1.telstra.net.
> au. 172800 IN NS sec1.apnic.net.
> au. 172800 IN NS sec3.apnic.net.
> au. 172800 IN NS adns1.berkeley.edu.
> au. 172800 IN NS adns2.berkeley.edu.
> au. 172800 IN NS audns.optus.net.
> au. 172800 IN NS aunic.aunic.net.
> ;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
>
> lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
> lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
> lawlink.nsw.gov.au. 3600 IN NS ns2.uecomm.net.au.
> ;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
>
> www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
> www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
> ;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
>
> lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
> ;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms



I have a user who cannot resolve

www.flickr.com

The name server I am querying is 9.5.0-P1 (to be updated to a patched
P2 tomorrow). When I query at one of the autoritative name servers,
I get:

oberon% dig www.flickr.com @ns1.yahoo.com.

; <<>> DiG 8.3 <<>> www.flickr.com @ns1.yahoo.com.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; QUERY SECTION:
;; www.flickr.com, type = A, class = IN

;; ANSWER SECTION:
www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24

;; AUTHORITY SECTION:
mud.yahoo.com. 2D IN NS ns1.yahoo.com.
mud.yahoo.com. 2D IN NS ns2.yahoo.com.
mud.yahoo.com. 2D IN NS ns3.yahoo.com.
mud.yahoo.com. 2D IN NS ns4.yahoo.com.
mud.yahoo.com. 2D IN NS ns5.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com. 2D IN A 66.218.71.63
ns2.yahoo.com. 2D IN A 68.142.255.16
ns3.yahoo.com. 2D IN A 217.12.4.104
ns4.yahoo.com. 2D IN A 68.142.196.63
ns5.yahoo.com. 30M IN A 119.160.247.124

;; Total query time: 64 msec
;; FROM: oberon.it.anl.gov to SERVER: ns1.yahoo.com. 66.218.71.63
;; WHEN: Tue Sep 9 13:25:03 2008
;; MSG SIZE sent: 32 rcvd: 257

oberon%

but a general query results in SERVFAIL:

oberon% dig www.flickr.com

; <<>> DiG 8.3 <<>> www.flickr.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; www.flickr.com, type = A, class = IN

;; Total query time: 9 msec
;; FROM: oberon.it.anl.gov to SERVER: default -- 146.139.254.5
;; WHEN: Tue Sep 9 13:22:46 2008
;; MSG SIZE sent: 32 rcvd: 32

oberon%

I notice that when I query one of the authoritative name servers I
get

;; ANSWER SECTION:
www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24

;; AUTHORITY SECTION:
mud.yahoo.com. 2D IN NS ns1.yahoo.com.
mud.yahoo.com. 2D IN NS ns2.yahoo.com.
mud.yahoo.com. 2D IN NS ns3.yahoo.com.
mud.yahoo.com. 2D IN NS ns4.yahoo.com.
mud.yahoo.com. 2D IN NS ns5.yahoo.com.

Is the SERVFAIL because I queried

flickr.com

and the authority is

mud.yahoo.com ?

If not, then why am I getting SERVFAIL? Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994