DNS cache server SERVFAIL

bind, domain-name-system

I have DNS cache servers. I am using BIND 9.8.3-P1 or dnscache (djbdns cache). I very often see errors in my log: "unexpected RCODE SERVFAIL". Both bind9 and dnscache have that problem. In tcpdump I see that they do not even ask the authoritative servers. With nslookup from the same machine I get correct answers from the authoritative servers.

It seems my cache servers put SERVFAIL answers in their cache and don't bother to ask again. I think that by RFC they shouldn't cache SERVFAIL answers at all. Any ideas will be appreciated.

Best Answer

I think you're right about what's happening, but RFC 2308 is pretty clear in s7.1 that caching a SERVFAIL is allowed:

In either case a resolver MAY cache a server failure response.  If it
does so it MUST NOT cache it for longer than five (5) minutes

If you're running the DNS server, you can likely tune this behaviour, or even stop it altogether, so if the name server that's caching this stuff and annoying you is outside your control, run your own DNS server.
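For the BIND side of that answer, here is an added example (not from the question or the answer) of turning the SERVFAIL cache off in named.conf. It assumes a caching-only named and a BIND release that has the `servfail-ttl` option (9.11 and later, to my knowledge; it is not in the 9.8.3-P1 mentioned in the question), and the directory path is a constructed placeholder:

```conf
options {
    directory "/var/cache/bind";   // constructed path, adjust to your layout
    recursion yes;

    // Number of seconds a SERVFAIL answer is kept before the upstream
    // servers are asked again. BIND's default is 1 and the allowed maximum
    // is 30, well inside the five-minute ceiling of RFC 2308 s7.1.
    // 0 disables SERVFAIL caching altogether.
    servfail-ttl 0;
};
```

After editing, `rndc reconfig` picks up the option, and `rndc flushname <name>` drops one cached entry so you can confirm with `dig @127.0.0.1 <name>` that the RCODE changes once the authoritative servers are reachable again.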