1

I've noticed that the Cloudflare nameserver can't resolve certain DNS names and replies with a SERVFAIL. However, when I run the dig command, I still get a reply. Why is that?

$ dig sdo.gsfc.nasa.gov @1.1.1.1

; <<>> DiG 9.11.4-4-Debian <<>> sdo.gsfc.nasa.gov @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2956
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;sdo.gsfc.nasa.gov.     IN  A

;; ANSWER SECTION:
sdo.gsfc.nasa.gov.  300 IN  CNAME   gs671-sdoweb.ndc.nasa.gov.
gs671-sdoweb.ndc.nasa.gov. 827  IN  A   129.164.137.36

;; Query time: 763 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Di Aug 28 10:56:15 CEST 2018
;; MSG SIZE  rcvd: 93
kernash

1 Answer

4

Assuming that your paste has not been modified in any way (i.e. combining pastes from two different outputs by accident), what you've posted is not a behavior commonly seen in the wild. I was not able to reproduce the behavior at the time of this answer.

A SERVFAIL indicates an immediate failure in DNS resolution, and is usually accompanied by 0 answers. To provide an answer in this context would normally be a contradiction: if you were able to provide an answer, why would you flag the response as a server failure?

Unless this is an implementation of a new experimental RFC that I have not seen yet (I'll ping some vets in the comments), this is most likely to be a bug within the software itself. No one on Serverfault can provide technical assistance for a bug of this nature, so your best bet is to open up a ticket with Cloudflare and ask them to look into it.

Andrew B
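The check discussed in this thread, as an added example that is not part of the question or the answer: it decodes the fixed 12-byte DNS header (RFC 1035, section 4.1.1) and flags a response whose RCODE is SERVFAIL while its answer count is non-zero. The function names and the sample headers are constructed for illustration; the first sample reuses the id, flags and section counts shown in the dig output above.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header at the start of a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F  # low four bits of the flags word
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_contradictory(header: dict) -> bool:
    """True for a response that reports SERVFAIL yet carries answer records."""
    return ("qr" in header["flags"]
            and header["rcode"] == "SERVFAIL"
            and header["ancount"] > 0)


def build_header(ident, flags, qd, an, ns, ar) -> bytes:
    """Helper for the constructed samples below (hypothetical, not a real capture)."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed samples. 0x8182 = qr | rd | ra | RCODE 2 (SERVFAIL).
AS_POSTED = build_header(2956, 0x8182, 1, 2, 0, 1)       # SERVFAIL with 2 answers
USUAL_SERVFAIL = build_header(2956, 0x8182, 1, 0, 0, 1)  # SERVFAIL with 0 answers
NORMAL_REPLY = build_header(2956, 0x8180, 1, 2, 0, 1)    # NOERROR with 2 answers

if __name__ == "__main__":
    for label, raw in [("as posted", AS_POSTED),
                       ("usual SERVFAIL", USUAL_SERVFAIL),
                       ("normal reply", NORMAL_REPLY)]:
        h = parse_header(raw)
        print(label, h["rcode"], h["ancount"], is_contradictory(h))
```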