Problem with a certain domain

Thomas Barth tbarth at txbweb.de
Fri May 31 17:14:28 UTC 2024


Hello,

I use bind9 on my mail server so that Spamassassin can perform the 
necessary DNS blocklist queries. Since it has already happened several 
times that I have to restart bind9 so that a certain domain can still be 
resolved, I wanted to ask if anyone knows where I have to set something.

A mail user regularly receives a newsletter from Spain. But the query to 
check the DKIM signature sometimes leads to a communication error, 
timeout and a write error. I am then informed of these errors by e-mail 
so that I can restart bind9 promptly. Because then it works smoothly 
again until this problem occurs again at some point.

Domain of DKIM-request (duration when the problem occurs 4992 msec!)
############
dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 69cb0f9615955ad7010000006659b7dd9477fff265ac63f6 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; Query time: 4992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:43:25 CEST 2024
;; MSG SIZE  rcvd: 107
############

Then after restarting bind9 (1800 msec)

############
; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1ce3693ff4b0e24a010000006659b802511c16009f2773b0 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; AUTHORITY SECTION:
mallorcazeitung.es.	2560	IN	SOA	ns1.epi.es. hostmaster.mallorcazeitung.es. 1717151222 16384 2048 1048576 2560

;; Query time: 1800 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:44:02 CEST 2024
;; MSG SIZE  rcvd: 182
############

1.8 seconds seems usual for this domain, no idea why, a query from the 
Bank of China is faster \o/

In the Postfix journal I can read:

############
May 30 13:40:50 mx1 postfix/smtpd[257112]: warning: timeout talking to proxy localhost:10024
May 30 13:40:50 mx1 postfix/smtpd[257112]: proxy-reject: END-OF-MESSAGE: 451 4.3.0 Error: queue file write error; ...
############

My settings in /etc/bind/named.conf.options (Debian 12.5) are:

############
acl goodclients {
	127.0.0.0/8;
	localhost;
};

options {
	directory "/var/cache/bind";

	recursion yes;
	allow-query { goodclients; };

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	//forwarders {
	//	9.9.9.9;
	//	149.112.112.112;
	//};

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on { any; };
	listen-on-v6 { none; };
};
############

Any idea for improving the config?

And this "after disabling qname minimization due to" thing seems to slow 
down the requests?
############
named[287800]: success resolving 's1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/A' after disabling qname minimization due to 'ncache nxdomain'
############
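
An added example, not part of the original post: a small Python parser that classifies the two dig results quoted in this message, so a monitoring job can tell the SERVFAIL/timeout state from the normal negative answer. The sample strings are abridged from the quoted output; the function names and the 3000 msec slow threshold are assumptions.

```python
import re

# Constructed samples, abridged from the two dig runs quoted in the post.
DIG_FAIL = """\
;; communications error to 127.0.0.1#53: timed out
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; Query time: 4992 msec
"""
DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; Query time: 1800 msec
"""

STATUS = re.compile(r"status: (\w+),")
ANSWERS = re.compile(r"ANSWER: (\d+),")
QTIME = re.compile(r"Query time: (\d+) msec")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.M)
TIMEOUT = re.compile(r"^;; communications error to .*: timed out", re.M)

def parse_dig(text):
    """Pull out the fields that separate a resolver failure from a negative answer."""
    def first(rx, cast=str):
        m = rx.search(text)
        return cast(m.group(1)) if m else None
    q = QUESTION.search(text)
    return {
        "status": first(STATUS),
        "answers": first(ANSWERS, int) or 0,
        "msec": first(QTIME, int),
        "qname": q.group(1) if q else None,
        "qtype": q.group(2) if q else None,
        "udp_timeouts": len(TIMEOUT.findall(text)),
    }

def classify(rec, slow_msec=3000):  # slow_msec is an assumed threshold
    """Return (verdict, slow) for one parsed dig result."""
    slow = rec["msec"] is not None and rec["msec"] >= slow_msec
    if rec["status"] is None:
        return "no-response", slow
    if rec["status"] == "NOERROR":
        return ("answer" if rec["answers"] else "nodata"), slow
    if rec["status"] == "SERVFAIL":
        return "resolver-failure", slow
    return rec["status"].lower(), slow  # e.g. nxdomain, refused

if __name__ == "__main__":
    for name, text in (("before restart", DIG_FAIL), ("after restart", DIG_OK)):
        print(name, classify(parse_dig(text)))
```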



