[Unbound-users] SERVFAIL from Unbound when trying to resolve a hostname
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Wed Dec 17 17:12:25 UTC 2008
Hi,
I have tried here. Sometimes it works. Sometimes bind starts giving
me SERVFAIL too.
There is something very weird about that icscards.nl setup:
a) the servers are RA (recursion available), they have deployed open
recursors instead of authority servers:
$ dig +norec @164.140.155.124 www.icscards.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49267
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.icscards.nl. IN A
;; ANSWER SECTION:
www.icscards.nl. 60 IN A 164.140.155.125
b) for qtype MX there is no response at all.
qtype NS works, but gives a recursive answer: look at that TTL
counting down:
www.icscards.nl. 72679 IN NS nwp0px13.fortisbank.nl.
www.icscards.nl. 72679 IN NS nua0px13.fortisbank.nl.
www.icscards.nl. 72652 IN NS nua0px13.fortisbank.nl.
www.icscards.nl. 72652 IN NS nwp0px13.fortisbank.nl.
Note that the server is EDNS-incapable (gives FORMERR, which is fine).
c) if I try:
./unbound-host -v www.icscards.nl -t A -dddd
I see the result is:
www.icscards.nl has address 164.140.155.125 (insecure)
It classifies both servers as recursion lame (it detects that
misconfiguration) and then does a lookup.
This detection is a feature that arrived in version 1.1.0. Are you using
an older version of Unbound? If so, an upgrade probably solves the
problem for you.
Best regards,
Wouter
Marc Groeneweg wrote:
> Hi,
>
> I have discovered something weird regarding a VISA card site in the Netherlands. On the query unbound-host -v www.icscards.nl unbound answers with:
>
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
>
> What I've seen so far is this:
> Nameservers for icscards.nl are ns.nl.net and auth60.ns.nl.uu.net. They give an authoritative answer for this. When I query www.icscards.nl on them I get:
>
> dig @ns.nl.net www.icscards.nl
>
> ; <<>> DiG 9.3.5-P1 <<>> @ns.nl.net www.icscards.nl
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27351
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.icscards.nl. IN A
>
> ;; AUTHORITY SECTION:
> www.icscards.nl. 86400 IN NS nua0px13.fortisbank.nl.
> www.icscards.nl. 86400 IN NS nwp0px13.fortisbank.nl.
>
> And see, no aa bit set! It seems that www.icscards.nl is a subdomain, which is going to be resolved by two fortisbank nameservers.
>
> And querying one of those:
> dig @nua0px13.fortisbank.nl www.icscards.nl a
>
> ; <<>> DiG 9.3.5-P1 <<>> @nua0px13.fortisbank.nl www.icscards.nl a
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21375
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.icscards.nl. IN A
>
> ;; ANSWER SECTION:
> www.icscards.nl. 60 IN A 164.140.155.125
>
> Also non-authoritative answers. BIND does give an answer, however; Unbound does not.
>
> Can someone explain to me what's happening here? And why the difference between BIND resolving and Unbound?
>
> Regards,
>
> Marc Groeneweg
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
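An added example, not code from the thread or from Unbound itself, that applies the two checks Wouter uses to dig-style output: a delegated nameserver that answers with `ra` set and `aa` clear is acting as a recursor rather than an authority, and a TTL that shrinks between two identical queries shows the answer is served from a cache. The sample responses are constructed from the dig output quoted in the thread.

```python
import re

# Constructed samples modelled on the dig output in the thread (not verbatim).
REFERRAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27351
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
www.icscards.nl. 86400 IN NS nua0px13.fortisbank.nl.
www.icscards.nl. 86400 IN NS nwp0px13.fortisbank.nl.
"""
LAME_1 = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.icscards.nl. 60 IN A 164.140.155.125
"""
LAME_2 = LAME_1.replace(" 60 IN A", " 48 IN A")  # same query, a moment later

FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.M)
# Resource records: owner TTL IN TYPE RDATA; lines starting with ';' are dig chatter.
RR_RE = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_flags(reply):
    """Return the header flags (qr, aa, rd, ra, ...) as a set."""
    m = FLAGS_RE.search(reply)
    return set(m.group(1).split()) if m else set()


def parse_rrs(reply):
    """Return (owner, ttl, type, rdata) for every record in the reply."""
    return [(o, int(ttl), t, r) for o, ttl, t, r in RR_RE.findall(reply)]


def classify(reply, later_reply=None):
    """Classify the server that produced `reply` for a name it should own."""
    flags = parse_flags(reply)
    if "aa" in flags:
        return "authoritative"
    if "ra" not in flags:
        return "referral"            # parent handing out NS records, no answer
    # ra set and aa clear: the "authority" is answering as an open recursor.
    if later_reply is not None:
        first = {(o, t, r): ttl for o, ttl, t, r in parse_rrs(reply)}
        for o, ttl, t, r in parse_rrs(later_reply):
            if (o, t, r) in first and ttl < first[(o, t, r)]:
                return "recursion-lame-cached"   # TTL counting down
    return "recursion-lame"


if __name__ == "__main__":
    print(classify(REFERRAL), classify(LAME_1), classify(LAME_1, LAME_2))
```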