Maintained by: NLnet Labs

[Unbound-users] SERVFAIL from Unbound when trying to resolve a hostname

W.C.A. Wijngaards
Wed Dec 17 18:12:25 CET 2008



Hi,

I have tried here.  Sometimes it works.   Sometimes bind starts giving
me SERVFAIL too.

There is something very weird about that icscards.nl setup:
a) the servers are RA (recursion available), they have deployed open
recursors instead of authority servers:

$ dig +norec @164.140.155.124 www.icscards.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49267
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.icscards.nl.		IN	A

;; ANSWER SECTION:
www.icscards.nl.	60	IN	A	164.140.155.125


b) for qtype MX there is no response at all.
qtype NS works, but gives a recursive answer: look at that TTL
counting down:
www.icscards.nl.	72679	IN	NS	nwp0px13.fortisbank.nl.
www.icscards.nl.	72679	IN	NS	nua0px13.fortisbank.nl.

www.icscards.nl.	72652	IN	NS	nua0px13.fortisbank.nl.
www.icscards.nl.	72652	IN	NS	nwp0px13.fortisbank.nl.

Note that the server is EDNS-incapable (gives FORMERR, which is fine).

c) if I try:
./unbound-host -v www.icscards.nl -t A -dddd

I see the result is:
www.icscards.nl has address 164.140.155.125 (insecure)

It classifies both servers as recursion lame (it detects that
misconfiguration) and then does a lookup.

This detection is a feature that arrived in version 1.1.0. Are you using
an older version of Unbound?  If so, an upgrade probably solves the
problem for you.

Best regards,
   Wouter

Marc Groeneweg wrote:
> Hi,
> 
> I have discovered something weird regarding a VISA card site in the Netherlands. On the query unbound-host -v www.icscards.nl unbound answers with:
> 
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
> Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
> 
> What I've seen so far is this:
> Nameservers for icscards.nl are ns.nl.net and auth60.ns.nl.uu.net. They give an authoritative answer for this. When I question www.icscards.nl on them I get:
> 
> dig @ns.nl.net www.icscards.nl
> 
> ; <<>> DiG 9.3.5-P1 <<>> @ns.nl.net www.icscards.nl
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27351
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.icscards.nl.               IN      A
> 
> ;; AUTHORITY SECTION:
> www.icscards.nl.        86400   IN      NS      nua0px13.fortisbank.nl.
> www.icscards.nl.        86400   IN      NS      nwp0px13.fortisbank.nl.
> 
> And see, no aa bit set! It seems that www.icscards.nl is a subdomain, which is going to be resolved by two fortisbank nameservers.
> 
> And querying one of those:
> dig @nua0px13.fortisbank.nl www.icscards.nl a
> 
> ; <<>> DiG 9.3.5-P1 <<>> @nua0px13.fortisbank.nl www.icscards.nl a
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21375
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.icscards.nl.               IN      A
> 
> ;; ANSWER SECTION:
> www.icscards.nl.        60      IN      A       164.140.155.125
> 
> Also non-authoritative answers. BIND does give an answer, however; Unbound does not.
> 
> Can someone explain to me what's happening here? And why the difference between BIND resolving and Unbound?
> 
> Regards,
> 
> Marc Groeneweg

_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
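The misconfiguration Wouter describes (a server that is supposed to be authoritative but answers without the AA bit, offers RA, and returns TTLs that count down between queries) can be recognised from the response header and the first answer record alone. The following is an added example, not code from this thread or from Unbound; it builds constructed wire-format responses whose header shapes mirror the dig output quoted above and classifies them the way a resolver's lameness check would. The transaction id 0x1234, the packet contents and every function name are assumptions made for the example; the classification rules are the ones stated in the thread (AA absent plus RA present on a non-referral answer, TTL decreasing on a repeat query), not Unbound's actual implementation.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
TYPE_A, TYPE_NS = 1, 2


def parse_header(packet):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(packet):
    """Classify a reply from a server that is expected to be authoritative for the name."""
    h = parse_header(packet)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 1:
        return "formerr"          # e.g. an EDNS-incapable server; harmless on its own
    if h["aa"]:
        return "authoritative"    # what a properly configured authority server sends
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"         # delegation downward; AA is not expected here
    if h["ra"]:
        return "recursion-lame"   # answered from a recursor's cache: no AA, RA offered
    return "lame"


def encode_name(name):
    """Uncompressed wire-format domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def skip_name(packet, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2        # a pointer is two bytes and terminates the name
        off += 1 + length


def first_answer_ttl(packet):
    """TTL of the first answer RR, or None if the answer section is empty."""
    h = parse_header(packet)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(packet, off) + 4          # QTYPE + QCLASS
    if h["ancount"] == 0:
        return None
    off = skip_name(packet, off)
    _rtype, _rclass, ttl = struct.unpack("!HHI", packet[off:off + 8])
    return ttl


def ttl_counting_down(first, second):
    """True when a repeated query returns the same answer with a smaller TTL: cached data."""
    t1, t2 = first_answer_ttl(first), first_answer_ttl(second)
    return t1 is not None and t2 is not None and t2 < t1


def build_response(flags, qname, qtype, answers=(), authority=()):
    """Constructed response packet (assumed id 0x1234); RRs are (name, type, ttl, rdata)."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


# Constructed samples whose header shapes mirror the dig output in the thread.
QNAME = "www.icscards.nl"
A_RDATA = bytes([164, 140, 155, 125])
NS1, NS2 = encode_name("nua0px13.fortisbank.nl"), encode_name("nwp0px13.fortisbank.nl")
# flags qr ra, answer present, no aa: the shape of the fortisbank servers' reply
RECURSOR_REPLY = build_response(FLAG_RA, QNAME, TYPE_A, answers=[(QNAME, TYPE_A, 60, A_RDATA)])
# flags qr rd, no answer, two NS in authority: the shape of the parent's referral
REFERRAL_REPLY = build_response(FLAG_RD, QNAME, TYPE_A,
                                authority=[(QNAME, TYPE_NS, 86400, NS1), (QNAME, TYPE_NS, 86400, NS2)])
# flags qr aa: what a correctly configured authority server would send instead
AUTH_REPLY = build_response(FLAG_AA, QNAME, TYPE_A, answers=[(QNAME, TYPE_A, 60, A_RDATA)])
# the NS query repeated: same data, TTL counting down
NS_REPLY_1 = build_response(FLAG_RA, QNAME, TYPE_NS, answers=[(QNAME, TYPE_NS, 72679, NS1)])
NS_REPLY_2 = build_response(FLAG_RA, QNAME, TYPE_NS, answers=[(QNAME, TYPE_NS, 72652, NS1)])

if __name__ == "__main__":
    for label, pkt in [("fortisbank A", RECURSOR_REPLY), ("parent referral", REFERRAL_REPLY),
                       ("proper authority", AUTH_REPLY)]:
        print(f"{label:16s} -> {classify(pkt)}")
    print("NS TTL counting down:", ttl_counting_down(NS_REPLY_1, NS_REPLY_2))
```

Run stand-alone, the script reports the fortisbank-shaped reply as recursion-lame, the parent's reply as a normal referral, and the AA-flagged reply as authoritative, and confirms the TTL decrease between the two NS replies. Against a live server the same checks would be applied to the bytes returned by a `dig +norec`-style query; the header decode does not depend on EDNS, so it works equally against the EDNS-incapable servers mentioned in the thread.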
