Problem resolving www.thebalconyondock.com

Unbound
1

Hi all,

I run two unbound resolvers at a university and using both 1.4.1 and revision 1989 of svn I cannot get www.thebalconyondock.com to resolve. It resolves fine in BIND. Doing an unbound-host -v www.thebalconyondock.com returns:

Host www.thebalconyondock.com not found: 2(SERVFAIL). (insecure)
Host www.thebalconyondock.com not found: 2(SERVFAIL). (insecure)
Host www.thebalconyondock.com not found: 2(SERVFAIL). (insecure)

If I crank up the verbosity in the log files I get at the end

Feb 22 18:02:29 unbound[10060:1] info: DelegationPoint<thebalconyondock.com.>: 2 names (0 missing), 2 addrs (2 result, 0 avail)
Feb 22 18:02:29 unbound[10060:1] info: ns100.whbdns.com. * A
Feb 22 18:02:29 unbound[10060:1] info: ns101.whbdns.com. * A
Feb 22 18:02:29 unbound[10060:1] debug: ip4 209.51.130.250 port 53 (len 16)
Feb 22 18:02:29 unbound[10060:1] debug: ip4 69.72.187.106 port 53 (len 16)
Feb 22 18:02:29 unbound[10060:1] debug: attempt to get extra 3 targets
Feb 22 18:02:29 unbound[10060:1] debug: servselect ip4 209.51.130.250 port 53 (len 16)
Feb 22 18:02:29 unbound[10060:1] debug: rtt=342 lost=0 LAME
Feb 22 18:02:29 unbound[10060:1] debug: servselect ip4 69.72.187.106 port 53 (len 16)
Feb 22 18:02:29 unbound[10060:1] debug: rtt=347 lost=0 LAME
Feb 22 18:02:29 unbound[10060:1] debug: out of query targets – returning SERVFAIL
Feb 22 18:02:29 unbound[10060:1] debug: store error response in message cache
Feb 22 18:02:29 unbound[10060:1] debug: return error response SERVFAIL
Feb 22 18:02:29 unbound[10060:1] debug: mesh_run: iterator module exit state is module_finished
Feb 22 18:02:29 unbound[10060:1] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Feb 22 18:02:29 unbound[10060:1] info: validator operate: query <www.thebalconyondock.com. A IN>
Feb 22 18:02:29 unbound[10060:1] debug: validator: nextmodule returned
Feb 22 18:02:29 unbound[10060:1] debug: cannot validate non-answer, rcode SERVFAIL

I’ve read the lists about similar problems and sometimes it seems to be a bug in unbound and sometimes its a problem with the authoritative DNS servers. I can of course post any other relevant information that is needed to help resolve this. Thanks.

Warren Lilly

2

It's pretty broken:

[paul@bofh ~]$ dnscheck thebalconyondock.com
   0.000: thebalconyondock.com INFO Begin testing zone thebalconyondock.com with version 0.93_01.
   0.000: thebalconyondock.com INFO Begin testing delegation for thebalconyondock.com.
   1.405: thebalconyondock.com INFO Name servers listed at parent: ns1.ultrawhb.com,ns2.ultrawhb.com
   7.799: thebalconyondock.com ERROR No name servers found at child.
   7.799: thebalconyondock.com ERROR Superfluous name server listed at parent: ns1.ultrawhb.com
   7.799: thebalconyondock.com ERROR Superfluous name server listed at parent: ns2.ultrawhb.com
   7.799: thebalconyondock.com ERROR Too few name servers (0).
   7.799: thebalconyondock.com INFO Done testing delegation for thebalconyondock.com.
   7.799: thebalconyondock.com CRITICAL Fatal error in delegation for zone thebalconyondock.com.
   7.799: thebalconyondock.com INFO Test completed for zone thebalconyondock.com.

I am also getting a servfail on bind, so my guess is that you just happened to have it
cached there and if you restart that bind server, it will also fail.

Paul

3

I can confirm what Paul has discovered. It seems the glue records does
not match the NS records. I like to use the DNS Bajaj tool
(http://www.zonecut.net/dns/).

Parent: