Anyway, removed (servfail.balug.org.) for at least now. It had been getting a bit too regularly annoying. E.g.:
# ~/bin/Named-checkconf
zone balug.org/IN: servfail.balug.org/NS 'servfail.balug.org' has no REQUIRED GLUE address records (A or AAAA)
# echo $?
1
#
Maybe some other time some other way ... but not for now.
From: "Michael Paoli" Michael.Paoli@cal.berkeley.edu
Subject: test DNS that returns SERVFAIL? ... ! :-)
Date: Mon, 13 Apr 2020 03:14:35 -0700
test DNS that returns SERVFAIL? ... ! :-)
For when one may want a target DNS domain to test against that will generally return SERVFAIL ... I didn't super easily find one out there, so ... (at least for now) created one.
... on the master (IPs for the MNAME in SOA are on this host)
$ hostname
balug-sf-lug-v2.balug.org
$ dig +noall +answer +multiline balug.org. SOA | awk '{if(NR==1)print $5;}'
ns0.balug.org.
$ dig +short ns0.balug.org. A ns0.balug.org. AAAA
96.86.170.229
2001:470:1f05:19e::2
$ ip a s | egrep 'inet.*(96.86.170.229|2001:470:1f05:19e::2)'
inet 96.86.170.229/29 brd 96.86.170.231 scope global eth0
inet6 2001:470:1f05:19e::2/64 scope global
$
So, add RR:
# nsupdate -l << .
update add servfail.balug.org. 300 IN NS servfail.balug.org.
send
.
#
Ah yes, I'm quite starting to get used to and like/prefer dynamic DNS update. Significantly more goof-resistant, and most of the time I don't even have to think about the zone serial number. Which reminds me, I do still want to add some version "control" (tracking) ... driven via cron, so I'll at least have periodic snapshots of changes (since no longer using ye olde manual method & manual version control). For more recent changes, and fine-grained history of changes, logs cover that quite well. But for the longer historical record ... wee bit 'o gap presently to fill on that. Automation is generally a good thing. :-)
And with no other (explicit - some DNSSEC automagic bits may be added but we'll ignore those presently) RRs for that domain. So, we then typically get, e.g.:
$ dig +noall +answer +comments servfail.balug.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26642
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
$
Note that not all flavors of query against servfail.balug.org. will return SERVFAIL:
$ dig +noall +norecurse +answer +authority +comments @ns0.balug.org. servfail.balug.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20976
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; AUTHORITY SECTION:
servfail.balug.org. 300 IN NS servfail.balug.org.
$
But in general, trying to do a recursive query on the domain for most RR types, will give SERVFAIL. (Useful for testing, ...)
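
Added example (not part of the original messages): a small offline check for the condition the zone checker complained about above, a delegation whose NS target sits at or below the delegated name with no A/AAAA glue in the parent, which is what leaves a recursive resolver with nowhere to go. Only the servfail.balug.org. NS record comes from the post; the other sample records, the tuple layout and the function names are constructed for illustration.

```python
"""Flag delegations whose NS targets need glue but have none in the parent zone."""

ZONE_ORIGIN = "balug.org."

# Constructed sample of parent-zone records as (owner, ttl, type, rdata).
# Only the servfail.balug.org. NS record is taken from the post.
SAMPLE_RRS = [
    ("servfail.balug.org.", 300, "NS", "servfail.balug.org."),   # self-referential, no glue
    ("ok.balug.org.", 300, "NS", "ns.ok.balug.org."),            # in-bailiwick, glue present
    ("ns.ok.balug.org.", 300, "AAAA", "2001:db8::53"),
    ("ext.balug.org.", 300, "NS", "ns1.example.net."),           # out of bailiwick, no glue needed
]


def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_at_or_below(name, parent):
    """True when name equals parent or is a subdomain of it."""
    return name == parent or name.endswith("." + parent)


def missing_glue(rrs, origin):
    """Return (delegation, ns_target) pairs that require glue and lack it."""
    origin = norm(origin)
    glue_owners = {norm(o) for o, _, t, _ in rrs if t in ("A", "AAAA")}
    problems = []
    for owner, _, rtype, rdata in rrs:
        owner = norm(owner)
        if rtype != "NS" or owner == origin:
            continue  # apex NS records describe the zone itself, not a delegation
        target = norm(rdata)
        # A target inside the delegated subtree can only be resolved by asking
        # the delegated servers themselves, so the parent must carry its address.
        if is_at_or_below(target, owner) and target not in glue_owners:
            problems.append((owner, target))
    return problems


if __name__ == "__main__":
    for delegation, target in missing_glue(SAMPLE_RRS, ZONE_ORIGIN):
        print(f"{delegation} NS {target}: no glue (A or AAAA) in {ZONE_ORIGIN}")
```
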