[BALUG-Talk] test DNS that returns SERVFAIL? ... ! :-)

Michael Paoli Michael.Paoli@cal.berkeley.edu
Sun Apr 19 02:58:35 UTC 2020


Anyway, removed (servfail.balug.org.) for at least now.
It had been getting a bit too regularly annoying.
E.g.:
# ~/bin/Named-checkconf
zone balug.org/IN: servfail.balug.org/NS 'servfail.balug.org' has no REQUIRED GLUE address records (A or AAAA)
# echo $?
1
#

Maybe some other time some other way ... but not for now.

> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
> Subject: test DNS that returns SERVFAIL? ... ! :-)
> Date: Mon, 13 Apr 2020 03:14:35 -0700

> test DNS that returns SERVFAIL? ... ! :-)
>
> For when one may want a target DNS domain to test against that will
> generally return SERVFAIL ... I didn't super easily find one out there,
> so ... (at least for now) created one.
> ... on the master (IPs for the MNAME in SOA are on this host)
> $ hostname
> balug-sf-lug-v2.balug.org
> $ dig +noall +answer +multiline balug.org. SOA | awk '{if(NR==1)print $5;}'
> ns0.balug.org.
> $ dig +short ns0.balug.org. A ns0.balug.org. AAAA
> 96.86.170.229
> 2001:470:1f05:19e::2
> $ ip a s | egrep 'inet.*(96\.86\.170\.229|2001:470:1f05:19e::2)'
>     inet 96.86.170.229/29 brd 96.86.170.231 scope global eth0
>     inet6 2001:470:1f05:19e::2/64 scope global
> $
> So, add RR:
> # nsupdate -l << \.
> update add servfail.balug.org. 300 IN NS servfail.balug.org.
> send
> .
>
> #
> Ah yes, I'm quite starting to get used to and like/prefer dynamic DNS
> update.  Significantly more goof-resistant, and most of the time I don't
> even have to think about the zone serial number.  Which reminds me,
> I do still want to add some version "control" (tracking) ... driven via
> cron, so I'll at least have periodic snapshots of changes (since no
> longer using ye olde manual method & manual version control).  For
> more recent changes, and fine-grained history of changes, logs cover
> that quite well.  But for the longer historical record ... wee bit 'o
> gap presently to fill on that.
> Automation is generally a good thing.  :-)
>
> And with no other (explicit - some DNSSEC automagic bits may be added
> but we'll ignore those presently) RRs for that domain.
> So, we then typically get, e.g.:
> $ dig +noall +answer +comments servfail.balug.org.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26642
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> $
>
> Note that not all flavors of query against servfail.balug.org. will
> return SERVFAIL:
>
> $ dig +noall +norecurse +answer +authority +comments @ns0.balug.org. servfail.balug.org.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20976
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; AUTHORITY SECTION:
> servfail.balug.org.     300     IN      NS      servfail.balug.org.
>
> $
>
> But in general, trying to do a recursive query on the domain for most RR
> types, will give SERVFAIL.  (Useful for testing, ...)
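
Added example, not part of the original posts: the glue complaint quoted at the top comes down to a delegation whose NS target sits at or below the delegated name with no A/AAAA record, which is also why recursive lookups end in SERVFAIL. The simplified check below scans a flat record list for that condition; the record format, the function names, and every sample line other than the servfail NS record and the ns0 address are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list delegations whose NS target lies at or below the
# delegated name but has no A/AAAA record in the data (missing glue).
# Assumed input: one record per line, "owner ttl class type rdata", FQDNs.

glueless_delegations() {   # usage: glueless_delegations APEX < records
    awk -v apex="$1" '
    $4 == "A" || $4 == "AAAA" { addr[tolower($1)] = 1 }
    $4 == "NS" && tolower($1) != tolower(apex) {
        n++; owner[n] = tolower($1); target[n] = tolower($5)
    }
    END {
        for (i = 1; i <= n; i++) {
            o = owner[i]; t = target[i]
            # Glue is needed only when the target is inside the delegated zone.
            inside = (t == o) || (length(t) > length(o) && substr(t, length(t) - length(o)) == "." o)
            if (inside && !(t in addr)) print o " NS " t
        }
    }'
}

# Sample data: the servfail NS record and the ns0 address are from the post;
# all other lines are constructed for illustration.
sample_records() {
    cat <<'EOF'
balug.org. 300 IN NS ns0.balug.org.
ns0.balug.org. 300 IN A 96.86.170.229
servfail.balug.org. 300 IN NS servfail.balug.org.
ok.balug.org. 300 IN NS ns.ok.balug.org.
ns.ok.balug.org. 300 IN A 192.0.2.53
ext.balug.org. 300 IN NS ns.example.net.
EOF
}

sample_records | glueless_delegations balug.org.
```

Only the self-referential servfail delegation is reported; the delegation with glue and the one pointing at an out-of-zone name server pass.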



