- - Problem statement
- A BIND9 resolver returns SERVFAIL if all of the following conditions are met:
- 1. The BIND 9 resolver [1][2] runs in an IPv4-only network environment [3].
- 2. It resolves a zone whose NS hosts are all dual stack.
- 3. All A RRsets of the NS hosts have expired, while the AAAA RRsets have
- not expired in the resolver cache.
- BIND9 in an IPv4-only network is very common. Also, expiration of all NS hosts' A RRsets
- can occur, especially when the A RRset TTLs are shorter than the AAAA RRset TTLs.
- [1] I confirmed this problem with 9.9.4-P2 and 9.8.6-P2
- [2] I confirmed this problem with FreeBSD 10.0 and CentOS 6.4
- [3] Only an IPv4 address is assigned to the network interface.
- (IPv6 link-local addresses may be assigned)
- - How to repeat
- I've set up and published a zone (hdais.net) so that you can repeat
- this problem easily; the zone's NS hosts are all dual stack, and their A RRset TTL is
- much smaller than their AAAA RRset TTL.
- 1. Set up a BIND9 resolver in an IPv4-only network environment.
- 2. Launch the resolver: "named -c /dev/null"
- 3. Run "dig @127.0.0.1 www.hdais.net" several times.
- - Additional Information
- This problem can be avoided with these workarounds:
- * On the resolver side, launch the resolver with "named -4 -c /dev/null"
- * On the authoritative server side, configure one of the NS hosts
- as single stack (A-RRset only host)
- Of course, this problem doesn't occur if the resolver is running
- in a dual stack network environment.
- - Test log example
- # The first query for www.hdais.net returns a proper answer.
- #
- freebsd10:~ % drill @127.0.0.1 www.hdais.net
- ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 42947
- ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
- ;; QUESTION SECTION:
- ;; www.hdais.net. IN A
- ;; ANSWER SECTION:
- www.hdais.net. 5 IN A 49.212.156.90
- ;; AUTHORITY SECTION:
- hdais.net. 86400 IN NS ns2.autosign.info.
- hdais.net. 86400 IN NS ns1.autosign.info.
- ;; ADDITIONAL SECTION:
- ns1.autosign.info. 10 IN A 27.120.111.185
- ns1.autosign.info. 86400 IN AAAA 2001:2e8:67a:0:2:1:0:39
- ns2.autosign.info. 10 IN A 49.212.156.90
- ns2.autosign.info. 86400 IN AAAA 2001:e41:31d4:9c5a::1
- ;; Query time: 0 msec
- ;; SERVER: 127.0.0.1
- ;; WHEN: Sun Jan 26 21:35:47 2014
- ;; MSG SIZE rcvd: 184
- # 10 seconds later, ns[12].autosign.info A RRSet expired.
- # Named starts to return SERVFAIL
- #
- freebsd10:~% drill @127.0.0.1 www.hdais.net
- ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 10738
- ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
- ;; QUESTION SECTION:
- ;; www.hdais.net. IN A
- <snip>
- # Further www.hdais.net queries also result in SERVFAIL
- #
- freebsd10:~ % drill @127.0.0.1 www.hdais.net
- ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 2128
- ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
- ;; QUESTION SECTION:
- ;; www.hdais.net. IN A
- <snip>
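
A check for the conditions listed in the problem statement, added here as an example (it is not part of the original report or of BIND): it reads dig/drill-style records, finds the zone's NS hosts, and reports the interval after caching in which every A RRset has expired while the AAAA RRsets are still cached. The function names are hypothetical, the sample records are copied from the first reply in the log above, and ending the interval at the lowest AAAA TTL is an assumption.

```python
import re

# Records copied from the first drill reply in the test log above.
SAMPLE = """\
www.hdais.net. 5 IN A 49.212.156.90
hdais.net. 86400 IN NS ns2.autosign.info.
hdais.net. 86400 IN NS ns1.autosign.info.
ns1.autosign.info. 10 IN A 27.120.111.185
ns1.autosign.info. 86400 IN AAAA 2001:2e8:67a:0:2:1:0:39
ns2.autosign.info. 10 IN A 49.212.156.90
ns2.autosign.info. 86400 IN AAAA 2001:e41:31d4:9c5a::1
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def ns_address_ttls(text):
    """Map each NS host named in the reply to the TTLs of its A/AAAA RRsets."""
    lines = (line.strip() for line in text.splitlines())
    records = [m.groups() for m in map(RR.match, lines) if m]
    hosts = {rdata.lower(): {} for _, _, rtype, rdata in records if rtype == "NS"}
    for name, ttl, rtype, _ in records:
        if rtype != "NS" and name.lower() in hosts:
            ttls = hosts[name.lower()]
            # An RRset shares one TTL; keep the lowest if lines disagree.
            ttls[rtype] = min(int(ttl), ttls.get(rtype, int(ttl)))
    return hosts


def exposure_window(hosts):
    """Return (start, end) in seconds after caching, or None.

    From start every NS host's A RRset has expired; until end every AAAA
    RRset is still cached (assumption: the report does not say whether one
    remaining AAAA is enough, so the narrower interval is reported).
    """
    if not hosts or any(set(t) != {"A", "AAAA"} for t in hosts.values()):
        return None  # an NS host is not dual stack: condition 2 is not met
    start = max(t["A"] for t in hosts.values())
    end = min(t["AAAA"] for t in hosts.values())
    return (start, end) if start < end else None


if __name__ == "__main__":
    print(exposure_window(ns_address_ttls(SAMPLE)))
```

A result of None means the delegation does not match the reported conditions, for example after one NS host is made A-only as in the second workaround.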