BIND8's useless messages
Andris Kalnozols
andris at hpl.hp.com
Wed Jul 19 02:42:46 UTC 2000
> Andris Kalnozols <andris at hpl.hp.com> wrote:
>
> >Just as an FYI, here's a scenario where sendmail's resolution process
> >results in less-than-robust mail delivery:
>
> > 1. Sendmail uses a nameserver configured with the option
> > 'check-names response fail'.
>
> > 2. Mail is addressed to a domain with illegal data, typically a
> > a malformed RDATA field in the SOA RR such as
> > 'administrator.' or 'user\@domain'. As certain non-BIND
> > nameservers proliferate on the Internet, we're noticing
> > an increasing number of these :-(
>
> > 3. Sendmail initially issues a query of record-type ANY which
> > causes the retrieval of the bad SOA RR. Sendmail notices
> > the rejected query and (re-)queues the message. Delivery
> > ultimately fails if the the remote site's DNS is not fixed
> > before the queue timeout interval is reached.
>
> At present, I don't have a way of testing the above scenario. It
> looks unlikely. I have not seen evidence of this occuring.
Here's a live example of the above scenario running sendmail
version 8.9.3 and BIND 8.2.2-P5:
hplms26# sendmail -qRstudentambassadors.org -v
Running SAA22046 (sequence 1 of 1)
administrator at studentambassadors.org... studentambassadors.org:
Name server time out
administrator at studentambassadors.org... Transient parse error --
message queued for future delivery
Jul 18 10:48:00 hplms26 named[24978]: Malformed response from
[207.108.60.131].53 (out of data in final pass)
Jul 18 10:48:00 hplms26 named[24978]: mail name "administrator"
(owner "studentambassadors.org") IN (response from [207.108.60.131])
is invalid - rejecting
Note that BIND option "check-names response fail" is enabled.
The zone contents:
$ORIGIN studentambassadors.org.
@ 1H IN SOA com2.ambassadors.com. administrator. (
16 ; serial
15M ; refresh
10M ; retry
1D ; expiry
1H ) ; minimum
1H IN NS com2.ambassadors.com.
1H IN MX 10 pop3.ambassadors.com.
com2 1H IN A 207.108.60.131
pop3 1H IN A 207.108.60.131
www 1H IN A 207.108.60.134
After reconfiguring BIND to "check-names response warn", sendmail
is able to deliver the message:
hplms26# sendmail -qRstudentambassadors.org -v
Running SAA22046 (sequence 1 of 1)
administrator at studentambassadors.org...
Connecting to pop3.ambassadors.com. via esmtp...
220 ****************************************************
>>> EHLO hplms26.hpl.hp.com
500 Command not recognized.
>>> HELO hplms26.hpl.hp.com
250 OK
>>> MAIL From:<andris at hplms26.hpl.hp.com>
250 OK - mail from <andris at hplms26.hpl.hp.com>
>>> RCPT To:<administrator at studentambassadors.org>
250 OK - Recipient <administrator at studentambassadors.org>
>>> DATA
354 Send data. End with CRLF.CRLF
>>> .
250 OK
administrator at studentambassadors.org... Sent (OK)
Closing connection to pop3.ambassadors.com.
>>> QUIT
221 closing connection
According to the 8.10.0 Release Notes:
If a resolver ANY query is larger than the UDP packet size, the
resolver will fall back to TCP. However, some
misconfigured firewalls black 53/TCP so the ANY lookup
fails whereas an MX or A record might succeed. Therefore,
don't fail on ANY queries.
Is it reasonable to assume that this fix would also solve the problem
just demonstrated?
> Note that the initial query for ANY is only done for hostname
> canonification.
As I found out a bit too late, someone's previous post to this thread
implied that the "query for ANY" theme has seen its share of controversy
in sendmail-related discussions. ;-(
I have no axe to grind either way but was just repeating the opinion
of someone whose knowledge I respect.
Andy
More information about the bind-workers
mailing list