Maintained by: NLnet Labs

[Unbound-users] SERVFAIL and CNAME

W.C.A. Wijngaards
Fri Aug 19 19:40:07 CEST 2011


Hi,

On 08/19/2011 04:53 PM, Robert Fleischman wrote:
> I have been having trouble resolving "www.balfour.com"
> 
> It appears that ns1.worldnic.com and ns2.worldnic.com (the NS for
> "www.balfour.com") is returning a CNAME response (pointing off to an
> amazon'd name) with the SERVFAIL bit set in the header. It also
> (according to dig) sometimes spits back a truncated response requiring
> a TCP retry.

So it returns SERVFAIL.  The content of the message is junk.  unbound
ignores the contents of the message.

> This combination of things makes unbound a bit upset.  I've seen
> discussions of this here:

Well, it's not upset, it is simply not resolving the name.  But that is
the issue here, of course.

> http://mailman.powerdns.com/pipermail/pdns-dev/2010-October/000886.html
> 
> (My guess is that worldnic.com is running PowerDNS)

Yes, I hope that patch fixes authority-server-powerdns so it does not
emit errors when it should not.  It looks a bit bland to me - like
emitting noerror when there could be errors, but I am not the powerdns
code expert.

> In practice, sometimes unbound returns the A record, sometimes not!
> It appears other recursive servers are much more permissive here.

I guess the +TC tcp fallback actually works.  Other cases have an error
set, and are thus ignored.

> ---
> 
> Is there a way to make Unbound "happier" about this name and semi-broken setup?

Not return error codes when you mean to return a CNAME?  You could email
the owners of the site (SOA hostmaster should be a good email to start).

local-data: "www.balfour.com A <IP>" in your config to provide an
override for this name to the correct IP address?

Best regards,
   Wouter
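
The condition discussed in this message, a response that carries a CNAME in the answer section while the header says SERVFAIL, sometimes with TC set, can be recognised from the 12-byte DNS header alone. The following is an added example, not part of the original post and not Unbound's code; the responses are constructed test input and `cdn.example.net` is a placeholder CNAME target.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, target, rcode, tc=False):
    """Constructed test input: a response to an A query carrying one CNAME record."""
    flags = 0x8000 | 0x0400 | (0x0200 if tc else 0) | rcode  # QR, AA, optional TC, RCODE
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)   # QDCOUNT=1, ANCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = encode_name(target)
    # Owner name is a compression pointer to the question name at offset 12; TYPE 5 = CNAME.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    return header + question + answer

def inspect_response(msg):
    """Return (rcode_name, findings) for a raw DNS response, using header fields only."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    findings = []
    if rcode != 0 and ancount > 0:
        findings.append("answer records present despite error rcode")
    if flags & 0x0200:
        findings.append("TC set: retry over TCP")
    return RCODES.get(rcode, "RCODE%d" % rcode), findings

if __name__ == "__main__":
    # Three constructed cases: SERVFAIL+CNAME, the same with TC, and a clean NOERROR.
    for rcode, tc in ((2, False), (2, True), (0, False)):
        msg = build_response("www.balfour.com", "cdn.example.net", rcode, tc)
        print(inspect_response(msg))
```
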