Slightly OT - MX RR Sanity Check requested...

SM sm at
Thu Mar 29 05:45:27 UTC 2007

At 19:31 28-03-2007, Kevin P. Knox wrote:
>I'm starting to think that I'm just not explaining this well.  The strategy
>I'm trying to explain came straight out of the ORA book, "Building Internet

You explained it well.

>There are two MX RRs for the domain.  The most preferred is assigned to the
>heavily defended SMTP server.  The less preferred is assigned to the DMZ

You should only have reachable hosts in the MX.  I suggest removing 
the heavily defended SMTP server entry.

>Sending mail servers query the DNS and attempt a TCP/25 connection to the most
>preferred MXer.  But this host is blocked by the firewall.  So they "should"
>choose the next preferred MX RR and try that server.  That server is the DMZ
>mail server.

They should but if they don't do that, you're in trouble.

>I didn't really mean for this to turn into a protracted discussion on DNS and
>SMTP.  I'm just trying to find out why a very few sending hosts don't ever
>query past the most preferred MX RRs for our domains.

Because the SMTP server may not be fully RFC-compliant or else it has 
a long delay when the MX is unreachable.

It is easy to fix your DNS RRs for the domain.
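
Added example (not part of the original message): a small offline model of the setup discussed in this thread, comparing a sender that walks the whole MX set with one that stops after the most preferred host. The hostnames, the reachability set and the 300-second connect timeout are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int  # lower value = more preferred
    host: str


# Constructed zone data: placeholder hostnames, not taken from the thread.
MX_SET = [MX(10, "inside.example.test"), MX(20, "dmz.example.test")]
REACHABLE = {"dmz.example.test"}  # TCP/25 to the inside host is dropped by the firewall
CONNECT_TIMEOUT = 300             # assumed seconds lost per silently dropped connection


def deliver(mx_set, reachable, max_hosts=None, timeout=CONNECT_TIMEOUT):
    """Walk the MX set in preference order, as a sending MTA does.

    max_hosts=None models a sender that tries every MX; max_hosts=1 models
    one that gives up after the most preferred host.
    Returns (host that accepted the connection or None, seconds spent waiting).
    """
    waited = 0
    ordered = sorted(mx_set, key=lambda mx: mx.preference)
    for mx in ordered[:max_hosts]:
        if mx.host in reachable:
            return mx.host, waited
        waited += timeout  # connection attempt timed out, move on
    return None, waited


def unreachable_mx(mx_set, reachable):
    """MX hosts outside senders can never connect to (candidates for removal)."""
    return [mx.host for mx in mx_set if mx.host not in reachable]


if __name__ == "__main__":
    print("falls back:       ", deliver(MX_SET, REACHABLE))
    print("first MX only:    ", deliver(MX_SET, REACHABLE, max_hosts=1))
    print("remove from DNS:  ", unreachable_mx(MX_SET, REACHABLE))
    fixed = [mx for mx in MX_SET if mx.host in REACHABLE]
    print("after fix, 1 try: ", deliver(fixed, REACHABLE, max_hosts=1))
```

With the unreachable entry published, even a sender that does fall back pays one timeout per delivery, and a sender that stops after the first host never delivers; with only the reachable host in the MX set, both succeed immediately.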


