MX records not authoritative?

Mark.Andrews at nominum.com
Thu May 17 03:19:50 UTC 2001


	Well the master is non-authoritative because the nameserver
	detected errors when the zone was loaded.  They should check
	their log files.

	You should also tell them that they are running nameservers
	with known security flaws.

	Mark

> 
> DNS wizards:
> I have searched the archives of comp.mail.sendmail and
> comp.protocols.dns.bind without success, and cannot
> explain this phenomenon.
> 
> I recently upgraded to BIND 8.2.3 and Sendmail 8.11.3
> (both compiled from open source) on my Solaris servers
> which handle external DNS and mail relaying. Since
> that time, we have experienced funky problems where
> mail to certain domains hangs in the queue with the
> error message "host map: lookup (problemdomain.com):
> deferred".
> 
> I have implemented the fix for sendmail which is
> described in the configuration README to use:
> O ResolverOptions=WorkAroundBrokenAAAA
> since there appeared to be issues with some servers
> choking on the AAAA record request and timing out.
> However, even after that fix was installed, I have
> cases with 2-3 domains (that I know of) which can only
> be contacted if I manually coddle them.
> 
> The symptom I get is that sometimes MX records will
> not resolve for these domains. HOWEVER, the sites DO
> HAVE both MX records, and A records for those MX
> hosts. If I stop & restart my named and refresh its
> cache, the MX record can be obtained from the
> authoritative host. It will remain valid for a period
> of time, and then it apparently drops out of the cache
> and is NEVER requested again (until manually forced).
> This appears to have something to do with broken DNS
> at their end, but nothing we have been able to track
> down. Any thoughts?
> 
> I am attaching DIG output which shows a SERVFAIL from
> my server, which milliseconds later was followed by a
> second request, which worked. Some assistance
> interpreting the output & theorizing how to fix this
> would be greatly appreciated.  Kate
> 
> 
> ; <<>> DiG 8.3 <<>> @0.0.0.0 smartt.com mx 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      smartt.com, type = MX, class = IN
> 
> ;; Total query time: 2 msec
> ;; FROM: mail01 to SERVER: x.x.x.x
> ;; WHEN: Wed May 16 16:31:10 2001
> ;; MSG SIZE  sent: 28  rcvd: 28
> 
> ***** Note the SERVFAIL response. 
> ***** I issue an nslookup -type=mx which succeeds,
> ***** and then immediately do a dig again:
> 
> ; <<>> DiG 8.3 <<>> @0.0.0.0 smartt.com mx 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
> ;; QUERY SECTION:
> ;;      smartt.com, type = MX, class = IN
> 
> ;; ANSWER SECTION:
> smartt.com.             1h40m18s IN MX  10 mail.smartt.com.
> 
> ;; AUTHORITY SECTION:
> smartt.com.             1d17h15m19s IN NS  KTK1.smartt.com.
> smartt.com.             1d17h15m19s IN NS  KTK2.smartt.com.
> 
> ;; ADDITIONAL SECTION:
> mail.smartt.com.        1h57m52s IN A   209.52.5.253
> KTK1.smartt.com.        1d17h15m19s IN A  206.12.175.153
> KTK2.smartt.com.        1d17h15m19s IN A  206.12.31.2
> 
> ;; Total query time: 3 msec
> ;; FROM: mail01 to SERVER: x.x.x.x
> ;; WHEN: Wed May 16 16:32:05 2001
> ;; MSG SIZE  sent: 28  rcvd: 135
> 
> ***** Checking the supposedly authoritative server 
> ***** IP address for the same information, and
> ***** I get this info - NOTE the missing 'aa' flag.
> 
> ; <<>> DiG 8.3 <<>> @206.12.175.153 smartt.com mx 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;;      smartt.com, type = MX, class = IN
> 
> ;; ANSWER SECTION:
> smartt.com.             3H IN MX        10 mail.smartt.com.
> 
> ;; ADDITIONAL SECTION:
> mail.smartt.com.        3H IN A         209.52.5.253
> 
> ;; Total query time: 81 msec
> ;; FROM: mail01 to SERVER: 206.12.175.153
> ;; WHEN: Wed May 16 16:58:11 2001
> ;; MSG SIZE  sent: 28  rcvd: 65
> 
> 
> *****  In fact, neither of the primary DNS servers
> *****  listed in the record actually have aa data.
> *****  They also don't have valid SOA records:
> 
> # dig @206.12.31.2 smartt.com soa
> 
> ; <<>> DiG 8.3 <<>> @206.12.31.2 smartt.com soa 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      smartt.com, type = SOA, class = IN
> 
> ;; ANSWER SECTION:
> smartt.com.             3H IN SOA       ktk1.smartt.com. Postmaster.ktk1.smartt.com. (
>                                         2001033001      ; serial
>                                         1H              ; refresh
>                                         10M             ; retry
>                                         1D              ; expiry
>                                         3H )            ; minimum
> 
> 
> ;; Total query time: 85 msec
> ;; FROM: mail01 to SERVER: 206.12.31.2
> ;; WHEN: Wed May 16 17:34:06 2001
> ;; MSG SIZE  sent: 28  rcvd: 80
> 
> 
> *****  My question is, what is wrong with their DNS and
> *****  how can I describe this so the admin can fix it?
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
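
Added example, not part of either message above: a small checker for the condition discussed in this thread, a nameserver that the delegation lists for a zone but that answers without the 'aa' flag (usually called a lame server). It decodes the DNS header directly; the function names, the choice to send the query with RD clear, and the header-only sample replies are assumptions constructed for illustration.

```python
import socket
import struct

AA, RCODE_MASK = 0x0400, 0x000F
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=15, qid=6):
    """Encode one question (default MX, class IN) with RD clear."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    code = flags & RCODE_MASK
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & AA),
            "rcode": RCODES.get(code, str(code)), "answers": an}

def classify(msg):
    """Judge a reply from a server that the delegation lists as an NS."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != "NOERROR":
        return "error:" + h["rcode"]
    return "authoritative" if h["aa"] else "lame"

def ask(server, name, qtype=15, timeout=3.0):
    """Query one listed nameserver over UDP and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected socket drops other sources
        s.send(build_query(name, qtype))
        return classify(s.recv(512))

# Constructed header-only replies (id 6), modelled on the flags quoted above.
SAMPLES = {
    "qr rd ra, NOERROR": struct.pack("!6H", 6, 0x8180, 1, 1, 0, 1),
    "qr aa rd, NOERROR": struct.pack("!6H", 6, 0x8500, 1, 1, 2, 3),
    "qr rd ra, SERVFAIL": struct.pack("!6H", 6, 0x8182, 1, 0, 0, 0),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", classify(reply))
```

Running ask() against every NS address in a delegation and reporting any result other than "authoritative" gives the zone's admin a concrete list of servers to check.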


More information about the bind-users mailing list