intermittent SERVFAIL with a DLV domain


intermittent SERVFAIL with a DLV domain

Tony Finch
I have a couple of recursive servers running 9.10.3-P2 which are
intermittently returning SERVFAIL responses for queries under
a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
give the correct authority for DS nodata responses.

http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

One of my servers is currently in the broken state. named_dump.db has

; Bad cache
;
; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]

The TTL here is misleading - unlike other TTLs it is in milliseconds, so
it is more reasonable than it appears to be.

Based on reading the code, I think there are two ways for entries to get
into the bad cache: either the nameservers have no addresses or there is a
problem with the trust chain. I think the following cache entries rule the
first one out:

; glue
ns0.ai270.NET.          26445   A       94.126.40.2
; glue
ns1.ai270.NET.          26445   A       213.133.150.9

In the second case the name server addresses get added to a bad list.
Ah, but I have turned off lame server logging so I don't have a copy of
the relevant log line; I shall change that.

Anyone have any more clues about what might be going wrong?

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Malin, Hebrides: South or southwest 7 to severe gale 9, occasionally storm 10
later. Very rough or high, occasionally very high later. Rain or showers.
Moderate, occasionally poor.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: intermittent SERVFAIL with a DLV domain

Tony Finch
Tony Finch <[hidden email]> wrote:

> I have a couple of recursive servers running 9.10.3-P2 which are
> intermittently returning SERVFAIL responses for queries under
> a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa. This domain is in dlv.isc.org; its
> parent is unsigned but seems to be DNSSEC-aware - the servers set DO and
> give the correct authority for DS nodata responses.
>
> http://dnsviz.net/d/a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/dnssec/

After turning on lame-servers logging I get the following which basically
confirms what I already worked out but doesn't really explain why the
validator thinks that a broken chain of trust is such a disaster.

Also, why is it trying to get address records for a reverse DNS name?

23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Fair Isle, Southeast Faeroes: Southwesterly veering southerly for a time, 7 to
severe gale 9, increasing storm 10 or violent storm 11 later. Very rough or
high, becoming high or very high later. Rain or squally showers. Moderate or
good, occasionally poor.
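An added example, not code from the thread or from BIND: a small Python helper that parses the lame-servers lines quoted above together with the "; Bad cache" excerpt from the first message (converting that entry's TTL from milliseconds, as the first message explains), and then reports which bad-cache DS entry sits at or above each failing query name. The sample input is constructed from the lines quoted in this thread; the function names are the example's own.

```python
import re
from datetime import datetime
# lame-servers format from the thread: <date> <time> lame-servers: info: broken trust chain resolving 'NAME/TYPE/CLASS': ADDR#PORT
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) lame-servers: \w+: "
    r"broken trust chain resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/[A-Z]+': "
    r"(?P<addr>[^#\s]+)#(?P<port>\d+)$"
)
# Entry under '; Bad cache' in named_dump.db; its ttl is in milliseconds (as the thread notes).
BAD_RE = re.compile(r"^; (?P<name>\S+)/(?P<rtype>[A-Z0-9]+) \[ttl (?P<ttl_ms>\d+)\]$")
# Constructed sample input: the log lines and dump excerpt quoted in this thread.
SAMPLE_LOG = [
    "23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53",
    "23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53",
    "23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53",
]
SAMPLE_DUMP = ["; Bad cache", ";", "; a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS [ttl 429219]", "", "; glue"]

def parse_broken_chain(lines):
    """Return (timestamp, qname, qtype, server) for each broken-trust-chain line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # unrelated log lines are skipped
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["name"].lower(), m["rtype"], m["addr"] + "#" + m["port"]))
    return events

def parse_bad_cache(dump_lines):
    """Return {(name, rtype): ttl_seconds} for the '; Bad cache' section of a dump."""
    entries, active = {}, False
    for line in dump_lines:
        line = line.rstrip()
        m = BAD_RE.match(line) if active else None
        if line == "; Bad cache":
            active = True
        elif m:
            entries[(m["name"].lower(), m["rtype"])] = int(m["ttl_ms"]) / 1000
        elif active and line and line != ";":
            active = False  # first line of the next dump section
    return entries

def explain(events, bad_cache):
    """Map each failing (qname, qtype) to the bad-cache DS name at or above it, or None."""
    result = {}
    for _, qname, qtype, _ in events:
        result[(qname, qtype)] = next((n for (n, t) in bad_cache if t == "DS"
                                       and (qname == n or qname.endswith("." + n))), None)
    return result
```

Run against the constructed sample, both A/AAAA failures under the long reverse name resolve to the single bad-cache DS entry for a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa, which is the correlation the thread is making by hand.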

Re: Re: intermittent SERVFAIL with a DLV domain

Timothe Litt
On 23-Dec-15 08:34, Tony Finch wrote:
> Tony Finch <[hidden email]> wrote:
>
> Also, why is it trying to get address records for a reverse DNS name?

An ip6.arpa or in-addr.arpa zone is not restricted to PTR records.
There's nothing special about 'reverse zones'.

dnsviz uses some heuristics to guess what records are worth looking for.

A while ago I asked Casey to have DNSVIZ check for more than PTR+DNSSEC
records in reverse zones, which he did.
There's a panel in dnsviz where you can change what it looks for if you
want more (or less).

A/AAAA records are used in reverse zones by an obscure RFC (1101
encoding of subnet masks), and by others for similar purposes.

(It shouldn't be surprising that CNAME, TXT, RP, LOC and DNSSEC-related
records can be in reverse zones too.)

dnsviz launches its queries in parallel, so asking for a few extra
records doesn't hurt anyone.


> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving 'a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/DS/IN': 94.126.40.2#53
> 23-Dec-2015 13:20:54.328 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/AAAA/IN': 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
> 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': 217.168.153.95#53
>
> Tony.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
