bind/sendmail resolving.. (NXDOMAIN)

David Miller dmiller at tiggee.com
Fri Sep 20 23:35:34 UTC 2013



On 9/20/2013 7:28 PM, Mark Andrews wrote:
> 
> In message <021501ceb653$ede37250$c9aa56f0$@leadmon.net>, "Howard Leadmon" writes:
>>   This is probably easier than I am making it, but my googlefu seems to be
>> failing me at the moment when I look around.   I  handle a batch of FreeBSD
>> servers running sendmail, and I am having a site that is trying to deliver
>> mail being rejected, but they swear their DNS is right, so I am not sure if
>> we have an issue, or they do.
>>
>>  I am seeing sendmail rejects like this:
>>
>> Sep 20 14:45:59 mail3 mail3-smtp[15388]: r8JE8kQg099367:
>> to=<jmeteyard at panini.co.uk>, delay=1+04:37:10, xdelay=00:00:31,
>> mailer=esmtp, pri=5259883, relay=smtp2.panini.co.uk., dsn=4.0.0,
>> stat=Deferred: Name server: smtp2.panini.co.uk.: host name lookup failure
>>
>>
>>  If I take and run a host lookup, I get a response like this:
>>
>> $ host panini.co.uk             
>> panini.co.uk mail is handled by 10 smtp.panini.co.uk.
>> panini.co.uk mail is handled by 20 smtp2.panini.co.uk.
>>
>>
>> Now if I try that on any of the hosts that should accept the mail, I see:
>>
>> $ host smtp.panini.co.uk
>> smtp.panini.co.uk is an alias for smtp.panini.it.
>> smtp.panini.it has address 151.12.160.24
>> Host smtp.panini.it not found: 3(NXDOMAIN)
>>
>> $ host smtp2.panini.co.uk
>> smtp2.panini.co.uk is an alias for smtp2.panini.it.
>> smtp2.panini.it has address 151.12.160.30
>> Host smtp2.panini.it not found: 3(NXDOMAIN)
> 
> Firstly MX records are not supposed to point to CNAME records.  The
> MX records need to be updated.
> 
>>  So I get the IP address returned, but then an NXDOMAIN that follows.   I do
>> have the BrokenAAAA config option in my sendmail, so know it's not that, or
>> I don't think so.    Yet if I do a dig on the hosts, they seem to come back
>> with an IP address as expected, and shown above.
>>
>>  So if anyone can offer a clue on this, it would be appreciated..
> 
> Secondly and more importantly they have a misconfigured load balancer
> that is returning bad answers.  The last answer to "dig +trace
> smtp2.panini.it aaaa" should be "smtp2.panini.it. 86400 IN SOA
> paninirad1.panini.it. administrator.panini.it".
> 
> Note the SOA record needs to be from the zone delegated (smtp2.panini.it)
> to the load balancer.
> 
> They need to contact their load balancer vendor for proper instructions
> on how to configure it. 
> 
> Mark
> 
> % dig +trace smtp2.panini.it aaaa
> 
> ; <<>> DiG 9.10.0a1 <<>> +trace smtp2.panini.it aaaa
> ;; global options: +cmd
> .			518400	IN	NS	f.root-servers.net.
> .			518400	IN	NS	c.root-servers.net.
> .			518400	IN	NS	k.root-servers.net.
> .			518400	IN	NS	d.root-servers.net.
> .			518400	IN	NS	l.root-servers.net.
> .			518400	IN	NS	i.root-servers.net.
> .			518400	IN	NS	h.root-servers.net.
> .			518400	IN	NS	b.root-servers.net.
> .			518400	IN	NS	e.root-servers.net.
> .			518400	IN	NS	m.root-servers.net.
> .			518400	IN	NS	g.root-servers.net.
> .			518400	IN	NS	a.root-servers.net.
> .			518400	IN	NS	j.root-servers.net.
> .			518400	IN	RRSIG	NS 8 0 518400 20130927000000 20130919230000 49656 . U9k2KFpbNYnY4EfyKzla26XbharLoAQtkQG02oq3aHVnM3OlLp6lmBdT wgMDcShAQJxIk50krHlIuoyOGHHuJ56P6ubFiGBRU0V4OOt2/V8emJZx U6MRMDwDyTweZbfNZiiK20T5RVlUK/PLI3YbbcYxxtSCKzV2fThLxi3F /x4=
> ;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
> 
> it.			172800	IN	NS	a.dns.it.
> it.			172800	IN	NS	c.dns.it.
> it.			172800	IN	NS	m.dns.it.
> it.			172800	IN	NS	r.dns.it.
> it.			172800	IN	NS	dns.nic.it.
> it.			172800	IN	NS	nameserver.cnr.it.
> it.			86400	IN	NSEC	je. NS RRSIG NSEC
> it.			86400	IN	RRSIG	NSEC 8 1 86400 20130927000000 20130919230000 49656 . A01ecU1p6o7U4le9Jh8F2aQ4fl9XdPFMcERxLf2cZ6aiHkKsZdQsHiwN eI/5VnC9N1sLgF9p8uD7H8adMjC/EFHDK/kXmbpJNps9Hi/VdYa846He tu4iYxmQpaq0SgIpCqsRSRk0TjnL0l0B/VZueZREvpEQND6Zjjys7Zow ZvE=
> ;; Received 610 bytes from 128.63.2.53#53(h.root-servers.net) in 352 ms
> 
> panini.it.		10800	IN	NS	dns1.quadrante.com.
> panini.it.		10800	IN	NS	dns2.quadrante.com.
> ;; Received 108 bytes from 2001:678:4::16#53(c.dns.it) in 200 ms
> 
> smtp2.panini.it.	3600	IN	NS	paninirad3.panini.it.
> smtp2.panini.it.	3600	IN	NS	paninirad2.panini.it.
> smtp2.panini.it.	3600	IN	NS	paninirad1.panini.it.
> ;; Received 167 bytes from 83.103.76.83#53(dns2.quadrante.com) in 410 ms
> 
> panini.it.		86400	IN	SOA	panini.it. administrator.panini.it. 998545544 28800 7200 604800 86400
> ^^^^^^^^^^ is WRONG!!!!!!!!!!!
> ;; Received 110 bytes from 83.216.164.178#53(paninirad3.panini.it) in 341 ms

Their load balancer doesn't return any NS records for the domain
smtp2.panini.it either:

$ dig ns smtp2.panini.it. @paninirad1.panini.it.

; <<>> DiG 9.9.2 <<>> ns smtp2.panini.it. @paninirad1.panini.it.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36438
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smtp2.panini.it.               IN      NS

;; Query time: 125 msec
;; SERVER: 151.12.160.50#53(151.12.160.50)
;; WHEN: Fri Sep 20 23:32:46 2013
;; MSG SIZE  rcvd: 33

-DMM
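
The two faults identified in this thread, expressed as a check (an added example, not part of the original messages): an empty answer from the servers that smtp2.panini.it is delegated to must carry an SOA owned by that delegated zone, not by the parent. The function names and result labels are hypothetical, and the timers in the "expected" record are constructed.

```python
# Added example: bailiwick check on the SOA of a negative (empty) answer.

def norm(name):
    return name.rstrip(".").lower()

def is_at_or_below(name, zone):
    """True if name equals zone or is a subdomain of it."""
    n, z = norm(name), norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def parse_rrs(text):
    """Parse dig-style 'owner ttl IN type rdata' lines, skipping ';' comments."""
    rrs = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if (len(fields) >= 4 and fields[2] == "IN"
                and not line.lstrip().startswith(";")):
            rrs.append({"owner": fields[0], "ttl": int(fields[1]),
                        "type": fields[3],
                        "rdata": fields[4] if len(fields) > 4 else ""})
    return rrs

def check_negative_answer(qname, delegated_zone, response_text):
    """Classify an empty answer from a server the parent delegated delegated_zone to."""
    soas = [rr for rr in parse_rrs(response_text) if rr["type"] == "SOA"]
    if not soas:
        return "NO_SOA"                # no SOA to tie the negative answer to a zone
    owner = soas[0]["owner"]
    if not is_at_or_below(qname, owner):
        return "SOA_NOT_ANCESTOR"      # SOA belongs to an unrelated zone
    if not is_at_or_below(owner, delegated_zone):
        return "SOA_ABOVE_DELEGATION"  # SOA is for a zone above the delegation
    return "OK"

# Final record of the "dig +trace smtp2.panini.it aaaa" output quoted above.
OBSERVED = "panini.it.\t\t86400\tIN\tSOA\tpanini.it. administrator.panini.it. 998545544 28800 7200 604800 86400"
# Owner and names from Mark's description; serial and timers are constructed.
EXPECTED = "smtp2.panini.it. 86400 IN SOA paninirad1.panini.it. administrator.panini.it. 998545544 28800 7200 604800 86400"
# Header and question lines from the "dig ns smtp2.panini.it." output above.
EMPTY_NS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36438
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;smtp2.panini.it.               IN      NS"""

if __name__ == "__main__":
    for label, text in (("observed", OBSERVED), ("expected", EXPECTED),
                        ("empty NS", EMPTY_NS)):
        print(label, check_negative_answer("smtp2.panini.it.", "smtp2.panini.it.", text))
```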
