Problem with a certain domain
Havard Eidnes
he at uninett.no
Fri May 31 17:34:40 UTC 2024
> I use bind9 on my mail server so that Spamassassin can perform the
> necessary DNS blocklist queries. Since it has already happened several
> times that I have to restart bind9 so that a certain domain can still
> be resolved, I wanted to ask if anyone knows where I have to set
> something.
>
> A mail user regularly receives a newsletter from Spain. But the query
> to check the DKIM signature sometimes leads to a communication error,
> timeout and a write error. I am then informed of these errors by
> e-mail so that I can restart bind9 promptly. Because then it works
> smoothly again until this problem occurs again at some point.
>
> Domain of DKIM-request (duration when the problem occurs 4992 msec!)
> ############
> dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es

My go-to DNS debugging site at

https://dnsviz.net/d/s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/dnssec/

appears to indicate there is more than one problem, but the most
serious one is probably this one:

It might look like one or more of the publishing name servers responds
incorrectly when queried for an "empty non-terminal" name
(e.g. _domainkey...), which probably itself doesn't have any data on
that node, but has data on "names below". The correct response code
is then NOERROR with answer count=0 (aka. "NODATA"), not NXDOMAIN.
When a recursor gets NXDOMAIN back, it is free to assume that the
queried-for name does not exist (which is obvious), and nothing exists
below that node either. See RFC 8020.

Regards,

- Håvard
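
The empty non-terminal problem described in the message above can be checked mechanically. The following is an added example, not part of the original message: it flags a server that answers NXDOMAIN for a name while returning data below it, and models how a cached NXDOMAIN then covers the whole subtree under the RFC 8020 rule. The server names, the example.test names and the observation values are constructed placeholders.

```python
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

# Constructed observations: {server: {qname: (rcode, answer_count)}}.
SAMPLE = {
    "ns-good.example.test": {
        "_domainkey.news.example.test": (NOERROR, 0),   # NODATA: correct for an ENT
        "s1._domainkey.news.example.test": (NOERROR, 1),
    },
    "ns-bad.example.test": {
        "_domainkey.news.example.test": (NXDOMAIN, 0),  # wrong: data exists below
        "s1._domainkey.news.example.test": (NOERROR, 1),
    },
}

def labels(name):
    return name.lower().rstrip(".").split(".")

def is_below(name, ancestor):
    """True if name is a strict descendant of ancestor, compared label by label."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def find_ent_violations(observations):
    """Return (server, qname, descendant) where a server answered NXDOMAIN for
    qname yet returned records for a name below it."""
    found = []
    for server, answers in observations.items():
        for qname, (rcode, _count) in answers.items():
            if rcode != NXDOMAIN:
                continue
            for other, (other_rcode, count) in answers.items():
                if is_below(other, qname) and other_rcode == NOERROR and count > 0:
                    found.append((server, qname, other))
    return sorted(found)

class NxdomainCutCache:
    """Model of the RFC 8020 rule: a cached NXDOMAIN covers the whole subtree."""
    def __init__(self):
        self.cuts = []

    def store(self, qname, rcode):
        if rcode == NXDOMAIN:
            self.cuts.append(qname)

    def lookup(self, qname):
        """NXDOMAIN if qname is at or below a cached cut, else None (go query)."""
        hit = any(labels(qname) == labels(c) or is_below(qname, c) for c in self.cuts)
        return NXDOMAIN if hit else None
```

In practice the observations would come from querying each authoritative server directly for every ancestor of the failing name and recording the response code and answer count.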