List: bind-users
Subject: Re: servfail when refresh aws.amazon.com
From: Eric Yiu <eric.yiu () gmail ! com>
Date: 2011-06-23 2:06:34
Message-ID: BANLkTi=881XOgFTtL64wcOfTfoZBpLe8eg () mail ! gmail ! com
Hi,
I tried debug level 2 on query-errors and got this result:
23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079:
query failed (SERVFAIL) for aws.amazon.com/IN/A at query.c:4651
23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at
resolver.c:3103 for aws.amazon.com/A in 0.000073: out of memory/success
[domain:aws.amazon.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
Is it because we limit the memory usage at named.conf?
max-cache-size 1610612736;
Eric
On Thu, Jun 23, 2011 at 5:25 AM, Kevin Darcy <kcd@chrysler.com> wrote:
> On 6/22/2011 7:26 AM, Eric Yiu wrote:
>
> Hi,
>
> I am using BIND 9.7.3-P1 on Solaris 10 x86. I notice that
> sometimes our BIND server will reply SERVFAIL when querying
> a zone, aws.amazon.com, which is expiring, while this
> aws.amazon.com has only a 60 sec cache lifetime, e.g.
>
> > /usr/local/bin/dig a aws.amazon.com
>
> ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26307
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;aws.amazon.com. IN A
>
> ;; ANSWER SECTION:
> aws.amazon.com. 1 IN A 72.21.210.163
>
> ;; AUTHORITY SECTION:
> aws.amazon.com. 6517 IN NS ns-932.amazon.com.
> aws.amazon.com. 6517 IN NS ns-931.amazon.com.
> aws.amazon.com. 6517 IN NS ns-912.amazon.com.
> aws.amazon.com. 6517 IN NS ns-923.amazon.com.
> aws.amazon.com. 6517 IN NS ns-911.amazon.com.
> aws.amazon.com. 6517 IN NS ns-921.amazon.com.
>
> ;; ADDITIONAL SECTION:
> ns-911.amazon.com. 3108 IN A 207.171.178.13
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jun 22 18:59:30 2011
> ;; MSG SIZE rcvd: 190
>
> > /usr/local/bin/dig a aws.amazon.com
>
> ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20884
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;aws.amazon.com. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jun 22 18:59:31 2011
> ;; MSG SIZE rcvd: 32
>
> > /usr/local/bin/dig a aws.amazon.com
> ; <<>> DiG 9.7.3-P1 <<>> a aws.amazon.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47970
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;aws.amazon.com. IN A
>
> ;; ANSWER SECTION:
> aws.amazon.com. 60 IN A 72.21.210.163
>
> ;; AUTHORITY SECTION:
> aws.amazon.com. 6516 IN NS ns-932.amazon.com.
> aws.amazon.com. 6516 IN NS ns-911.amazon.com.
> aws.amazon.com. 6516 IN NS ns-912.amazon.com.
> aws.amazon.com. 6516 IN NS ns-931.amazon.com.
> aws.amazon.com. 6516 IN NS ns-921.amazon.com.
> aws.amazon.com. 6516 IN NS ns-923.amazon.com.
>
> ;; ADDITIONAL SECTION:
> ns-911.amazon.com. 3107 IN A 207.171.178.13
>
> ;; Query time: 229 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jun 22 18:59:31 2011
> ;; MSG SIZE rcvd: 190
>
> I couldn't really see anything that would explain the SERVFAIL. Each of
> those "nameservers" appears to be a load-balancer of some sort. When queried
> individually for aws.amazon.com/A, they give a diversity of answers,
> implying that they are attempting some form of "DNS geolocation". None of
> them seem bothered by EDNS0 or DNSSEC stuff (most likely they're completely
> oblivious). When queried individually for aws.amazon.com/NS, all of them
> except for one return a single NS record with their own name in the RDATA.
> The only exception I saw was ns-912.amazon.com, which returned
> ns-945.amazon.com. But, I don't think that's the cause of the SERVFAIL,
> since ns-945.amazon.com answers authoritatively for the name, even though
> it's not one of the delegated nameservers for the zone.
>
> Time to look at logs, run named in debug mode and/or fire up a packet
> tracer and see what's really going on. Possibly something between you and
> the amazon.com nameservers is mangling or blocking packets.
>
>
>
> - Kevin
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
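As an added example, not code from this thread or from ISC: a small Python parser for the query-errors lines Eric posted. It pairs each SERVFAIL with the "fetch completed" record for the same name and type, splits the "result/validator-result" pair and the bracketed counters, and turns them into a first triage hint (the log format is BIND's; the sample lines are constructed from the thread, and the hint wording is my own).

```python
import re

# Constructed sample: the two query-errors lines from this thread, with the
# wrapped "[domain:...]" stats block rejoined onto the debug 2 line.
SAMPLE_LOG = """\
23-Jun-2011 09:57:39.182 query-errors: debug 1: client 202.14.67.27#55079: query failed (SERVFAIL) for aws.amazon.com/IN/A at query.c:4651
23-Jun-2011 09:57:39.182 query-errors: debug 2: fetch completed at resolver.c:3103 for aws.amazon.com/A in 0.000073: out of memory/success [domain:aws.amazon.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

FAIL_RE = re.compile(r"client (?P<client>\S+): query failed \(SERVFAIL\) "
                     r"for (?P<name>[^/\s]+)/IN/(?P<qtype>\w+)")
# "<result>/<vresult>" are the fetch result and the validator result.
FETCH_RE = re.compile(r"fetch completed at \S+ for (?P<name>[^/\s]+)/(?P<qtype>\w+) "
                      r"in (?P<secs>[\d.]+): (?P<result>[^/]+)/(?P<vresult>\S+) "
                      r"\[(?P<stats>[^\]]*)\]")

def parse_fetch(line):
    """Return the fetch result strings and the per-fetch counters, or None."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    stats = {}
    for item in m.group("stats").split(","):
        key, _, val = item.partition(":")
        stats[key] = val if key == "domain" else int(val)
    return {"name": m.group("name"), "qtype": m.group("qtype"), "stats": stats,
            "result": m.group("result"), "vresult": m.group("vresult")}

def explain(fetch):
    """First triage hint for a SERVFAIL, from the fetch outcome and counters."""
    s = fetch["stats"]
    if fetch["result"] == "out of memory":
        return ("local resource failure: no query was sent upstream (qrysent=%d); "
                "check memory limits such as max-cache-size" % s["qrysent"])
    if s["valfail"]:
        return "DNSSEC validation failure"
    if s["timeout"] or s["neterr"] or s["lame"] or s["badresp"]:
        return "no usable answer from authoritative servers (timeout/neterr/lame/badresp)"
    return "unclassified: inspect the full counter set"

def triage(log_text):
    """Pair each SERVFAIL with the fetch completion for the same name/type."""
    lines = log_text.splitlines()
    fetches = {(f["name"], f["qtype"]): f for f in map(parse_fetch, lines) if f}
    out = []
    for m in filter(None, map(FAIL_RE.search, lines)):
        f = fetches.get((m.group("name"), m.group("qtype")))
        out.append({"client": m.group("client"), "name": m.group("name"),
                    "hint": explain(f) if f else "no matching fetch record"})
    return out
```

For the lines in this thread the hint points at the resolver itself rather than at the amazon.com nameservers, because qrysent is 0: named never sent a query before failing.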