bsfinkel@anl.gov wrote:
> In response to a posting "Re: Two DNS Servers inside a firewall"
> Mark Andrews wrote on September 5:
>
>
>> Below is an example of such a bad delegation. The last SOA
>> record should be owned by www.lawlink.nsw.gov.au not
>> lawlink.nsw.gov.au. It results in SERVFAIL being returned.
>>
>> Mark
>>
>>
>> ; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.lawlink.nsw.gov.au. IN AAAA
>>
>> ;; Query time: 63 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri Sep 5 12:01:30 2008
>> ;; MSG SIZE rcvd: 40
>>
>> ; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
>> ;; global options: printcmd
>> . 440024 IN NS h.root-servers.net.
>> . 440024 IN NS d.root-servers.net.
>> . 440024 IN NS g.root-servers.net.
>> . 440024 IN NS i.root-servers.net.
>> . 440024 IN NS b.root-servers.net.
>> . 440024 IN NS l.root-servers.net.
>> . 440024 IN NS m.root-servers.net.
>> . 440024 IN NS e.root-servers.net.
>> . 440024 IN NS f.root-servers.net.
>> . 440024 IN NS a.root-servers.net.
>> . 440024 IN NS j.root-servers.net.
>> . 440024 IN NS c.root-servers.net.
>> . 440024 IN NS k.root-servers.net.
>> ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
>>
>> au. 172800 IN NS ns1.audns.net.au.
>> au. 172800 IN NS dns1.telstra.net.
>> au. 172800 IN NS sec1.apnic.net.
>> au. 172800 IN NS sec3.apnic.net.
>> au. 172800 IN NS adns1.berkeley.edu.
>> au. 172800 IN NS adns2.berkeley.edu.
>> au. 172800 IN NS audns.optus.net.
>> au. 172800 IN NS aunic.aunic.net.
>> ;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
>>
>> lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
>> lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
>> lawlink.nsw.gov.au. 3600 IN NS ns2.uecomm.net.au.
>> ;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
>>
>> www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
>> www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
>> ;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
>>
>> lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
>> ;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
>>

>
>
> I have a user who cannot resolve
>
> www.flickr.com
>
> The name server I am querying is 9.5.0-P1 (to be updated to a patched
> P2 tomorrow). When I query at one of the authoritative name servers,
> I get:
>
> oberon% dig www.flickr.com @ns1.yahoo.com.
>
> ; <<>> DiG 8.3 <<>> www.flickr.com @ns1.yahoo.com.
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
> ;; QUERY SECTION:
> ;; www.flickr.com, type = A, class = IN
>
> ;; ANSWER SECTION:
> www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
> www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24
>
> ;; AUTHORITY SECTION:
> mud.yahoo.com. 2D IN NS ns1.yahoo.com.
> mud.yahoo.com. 2D IN NS ns2.yahoo.com.
> mud.yahoo.com. 2D IN NS ns3.yahoo.com.
> mud.yahoo.com. 2D IN NS ns4.yahoo.com.
> mud.yahoo.com. 2D IN NS ns5.yahoo.com.
>
> ;; ADDITIONAL SECTION:
> ns1.yahoo.com. 2D IN A 66.218.71.63
> ns2.yahoo.com. 2D IN A 68.142.255.16
> ns3.yahoo.com. 2D IN A 217.12.4.104
> ns4.yahoo.com. 2D IN A 68.142.196.63
> ns5.yahoo.com. 30M IN A 119.160.247.124
>
> ;; Total query time: 64 msec
> ;; FROM: oberon.it.anl.gov to SERVER: ns1.yahoo.com. 66.218.71.63
> ;; WHEN: Tue Sep 9 13:25:03 2008
> ;; MSG SIZE sent: 32 rcvd: 257
>
> oberon%
>
> but a general query results in SERVFAIL:
>
> oberon% dig www.flickr.com
>
> ; <<>> DiG 8.3 <<>> www.flickr.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; www.flickr.com, type = A, class = IN
>
> ;; Total query time: 9 msec
> ;; FROM: oberon.it.anl.gov to SERVER: default -- 146.139.254.5
> ;; WHEN: Tue Sep 9 13:22:46 2008
> ;; MSG SIZE sent: 32 rcvd: 32
>
> oberon%
>
> I notice that when I query one of the authoritative name servers I
> get
>
> ;; ANSWER SECTION:
> www.flickr.com. 5M IN CNAME www.flickr.vip.mud.yahoo.com.
> www.flickr.vip.mud.yahoo.com. 15M IN A 68.142.214.24
>
> ;; AUTHORITY SECTION:
> mud.yahoo.com. 2D IN NS ns1.yahoo.com.
> mud.yahoo.com. 2D IN NS ns2.yahoo.com.
> mud.yahoo.com. 2D IN NS ns3.yahoo.com.
> mud.yahoo.com. 2D IN NS ns4.yahoo.com.
> mud.yahoo.com. 2D IN NS ns5.yahoo.com.
>
> Is the SERVFAIL because I queried
>
> flickr.com
>
> and the authority is
>
> mud.yahoo.com ?
>

No, that's perfectly normal. CNAMEs point to names in other domains all
the time. The only thing slightly unusual here is that the nameservers
for flickr.com also happen to be authoritative for the zone which
contains the target of the alias (www.flickr.vip.mud.yahoo.com) and are
therefore able to provide the A record without any further need for
referral-chasing. But that's _relatively_ normal too.
> If not, then why am I getting SERVFAIL? Thanks.
>

Does a dig +trace for www.flickr.com work?

If you have port and/or source-address restrictions in named.conf, make
sure you're using the same port and/or source-address for your test
queries. Otherwise it's not really a valid test.

If you're still getting SERVFAIL for your regular queries, but not for
your test queries, dump your cache and see if maybe you're trying to use
some bad/stale/obsolete cached glue/referral data in order to resolve
the name.


- Kevin
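A small checker for the lame-delegation pattern Mark Andrews's trace shows (a referral to www.lawlink.nsw.gov.au whose nameserver then answers with the SOA of the parent zone). This is an added example, not code from the thread; it parses `dig +trace`-style output that is embedded below, copied from the quoted trace, and reports when the final SOA owner is an ancestor of the zone that was last delegated rather than that zone itself.

```python
"""Detect the lame delegation seen in the quoted dig +trace output.

In a healthy trace, each referral step lists NS records for a child zone and
the last server either answers the question or returns an SOA owned by that
child zone. An SOA owned by an ancestor means the server does not consider
itself authoritative for the child: a lame delegation, which a recursive
resolver surfaces as SERVFAIL.
"""

# Constructed sample: the tail of the lawlink.nsw.gov.au trace quoted above.
SAMPLE_TRACE = """\
lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms

www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms

lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
"""


def parse_records(trace):
    """Yield (owner, rtype, rdata) for resource-record lines, skipping dig comments."""
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype = parts[:4]
        yield owner.lower(), rtype.upper(), parts[4:]


def check_delegation(trace):
    """Return None if the final SOA (if any) matches the last delegated zone,
    otherwise a string describing the lame delegation."""
    delegated = None
    for owner, rtype, _rdata in parse_records(trace):
        if rtype == "NS":
            delegated = owner  # the most recent referral names the child zone
        elif rtype == "SOA" and delegated is not None:
            if owner == delegated:
                return None  # server is authoritative for the delegated zone
            if delegated.endswith("." + owner):
                return (f"lame delegation: {delegated} was delegated, but the server "
                        f"answered with the SOA of its parent {owner}")
            return f"unexpected SOA owner {owner} for delegated zone {delegated}"
    return None
```

Run it against a saved `dig +trace` transcript for the name that fails; a healthy trace that ends in an answer, or in an SOA owned by the delegated zone, returns None.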