[Yeti DNS Discuss] Strange SERVFAIL for some Yeti root nameservers' names

Wed Sep 16 16:14:41 UTC 2015

I have from time to time (it lasts a few hours and disappears)
SERVFAILs when resolving the name of some Yeti root name servers
(always the same, yeti.ipv6.ernet.in, yeti-ns.conit.co and sometimes
yeti.bofh.priv.at).

% dig AAAA yeti.ipv6.ernet.in

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> AAAA yeti.ipv6.ernet.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yeti.ipv6.ernet.in.	IN AAAA

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 16 17:12:05 CEST 2015
;; MSG SIZE  rcvd: 47

It seems a DNSSEC problem:

% dig +cd AAAA yeti.ipv6.ernet.in 

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> +cd AAAA yeti.ipv6.ernet.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37785
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yeti.ipv6.ernet.in.	IN AAAA

;; ANSWER SECTION:
yeti.ipv6.ernet.in.	485101 IN AAAA 2001:e30:1c1e:1::333

;; AUTHORITY SECTION:
yeti.ipv6.ernet.in.	485101 IN NS yeti.ipv6.ernet.in.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 16 17:12:07 CEST 2015
;; MSG SIZE  rcvd: 89

Which puzzles me since ernet.in is not signed: I should never have a
validation failure.

The resolver is a BIND 9.9.5.

% dig +trace AAAA yeti.ipv6.ernet.in 

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> +trace AAAA yeti.ipv6.ernet.in
;; global options: +cmd
.			485093 IN NS yeti-dns01.dnsworkshop.org.
.			485093 IN NS ns-yeti.bondis.org.
.			485093 IN NS bii.dns-lab.net.
.			485093 IN NS yeti-ns.conit.co.
.			485093 IN NS yeti-ns.wide.ad.jp.
.			485093 IN NS yeti.bofh.priv.at.
.			485093 IN NS yeti-ns.tisf.net.
.			485093 IN NS yeti.ipv6.ernet.in.
.			485093 IN NS yeti-ns.as59715.net.
.			485093 IN NS dahu1.yeti.eu.org.
.			485093 IN NS yeti-ns.ix.ru.
.			518269 IN RRSIG	NS 8 0 518400 (
				20151016050004 20150916050004 17868 .
				HKxYGtwYqgoLGi20zp3ye/33aubbHtXgDgJ3T7YIGuek
				Kl+7GHiVSR0v8HozXmFOp1dPSH4Jf5fj7gbV0+M8sZRT
				bHCUqSWRa8arED/zlJVI8UkZ4oO+kFxqregcQR2l4c0a
				YC5vDKslaQXJeQckXCIKhrnAJq/0uBHLWQDml8k= )
;; Received 1193 bytes from 127.0.0.1#53(127.0.0.1) in 1575 ms

in.			172800 IN NS a0.in.afilias-nst.info.
in.			172800 IN NS a1.in.afilias-nst.in.
in.			172800 IN NS a2.in.afilias-nst.info.
in.			172800 IN NS b0.in.afilias-nst.org.
in.			172800 IN NS b1.in.afilias-nst.in.
in.			172800 IN NS b2.in.afilias-nst.org.
in.			172800 IN NS c0.in.afilias-nst.info.
in.			86400 IN DS 64788 7 1 (
				82E4E46622B646086C1051A6093DEB897BD1C022 )
in.			86400 IN DS 64788 7 2 (
				4021B67522D8935C8D8D7CE32900ACB382F55E3D1A8D
				E920233CBE70A13DA85B )
in.			86400 IN RRSIG DS 8 1 86400 (
				20151016044003 20150916044003 17868 .
				eeqZ7e/Pgg9b06VlFYgWgOBno+U/SwfjdUJWmO63rzpM
				cpg5fci1b274awTqKG/CZMj3uYMhhh/kygKbUQJaSeLe
				HZE1Apx1p2FyH7jKl5W0fE7jONdcTqc7YTMIIkZFyDTQ
				4wFxLc96Xbpe0D80wpvbh5UgzlBmubv5+tBStek= )
;; Received 769 bytes from 2a02:cdc5:9715:0:185:5:203:53#53(yeti-ns.as59715.net) in 2186 ms

ernet.in.		86400 IN NS e-iisc01.iisc.ernet.in.
ernet.in.		86400 IN NS e-iisc02.iisc.ernet.in.
ernet.in.		86400 IN NS e-eihq02.eis.ernet.in.
ernet.in.		86400 IN NS e-eihq01.eis.ernet.in.
ernet.in.		86400 IN NS dns.ernet.in.
9sf2fomuor72m596ccsodg86639e6odr.in. 86400 IN NSEC3 1 1 1 D399EAAB (
				9SFCID790T8QPNN1STLT52CNSUBN40M7
				NS SOA RRSIG DNSKEY NSEC3PARAM )
9sf2fomuor72m596ccsodg86639e6odr.in. 86400 IN RRSIG NSEC3 7 2 86400 (
				20151007151041 20150916141041 50102 in.
				LsnHCkLhD6zyGK8aQ0Yfx4b3zGSjVknoJmSpyxr8554E
				ghYgZfaCiVLSgMM6ujaUOfbe8rRfTVcjuOvzog6qWwbG
				e4Rt9TaJzbU6zg4Acfw8dbZyCxcOCnHRNKTrtuzmTpuT
				tKKu9g+/5xSfBQ+FrAIbWKe85TBiaqlDFdZzEjc= )
01u6fl75lqg3mr2vt16jlgnldcp2q43t.in. 86400 IN NSEC3 1 1 1 D399EAAB (
				0206Q04BA5SRJAKMPFH4RALJH23V8JGP
				A RRSIG )
01u6fl75lqg3mr2vt16jlgnldcp2q43t.in. 86400 IN RRSIG NSEC3 7 2 86400 (
				20150930180530 20150909170530 50102 in.
				A250s5V4Uor2W/aVUNumFHGSEhv2aKr9kPWBwhsAL31q
				4rvU5zRe4x7O7k7mbgJAHU3OH91uWFyRmpnDIPP2eAds
				kl87khgWrEVBXVNy69kRh+ZklJM4yzmlueCqOWTI8h6b
				LzpqRM5ZQ6Vqr8NdTV88nafIz51msSiC8E4vQxw= )
;; Received 737 bytes from 2001:500:50::1#53(b0.in.afilias-nst.org) in 2249 ms

ipv6.ernet.in.		86400 IN NS ns3.ipv6.ernet.in.
ipv6.ernet.in.		86400 IN NS ns4.ipv6.ernet.in.
ipv6.ernet.in.		86400 IN NS ns1.ipv6.ernet.in.
ipv6.ernet.in.		86400 IN NS ns2.ipv6.ernet.in.
;; Received 267 bytes from 202.141.1.132#53(e-iisc02.iisc.ernet.in) in 6720 ms

yeti.ipv6.ernet.in.	38400 IN AAAA 2001:e30:1c1e:1::333
ipv6.ernet.in.		38400 IN NS ns1.ipv6.ernet.in.
ipv6.ernet.in.		38400 IN NS ns3.ipv6.ernet.in.
ipv6.ernet.in.		38400 IN NS ns2.ipv6.ernet.in.
;; Received 261 bytes from 144.16.2.23#53(ns2.ipv6.ernet.in) in 200 ms