Problems resolving some domains

Thu Jan 4 21:13:42 UTC 2001

Hello All,

I am having a strange problem resolving some domains when receiving
email.  It seems to only happen only with a handful of domains, and I'm
not quite sure what's going on.  When someone sends mail to us, it comes
to our mail relay (mail.pvii.com) running sendmail with Sun's
DOMAIN(solaris-antispam).  Now I get an occasional refusals:

Jan  4 10:13:04 pvidns02 sendmail[25155]: [ID 801593 mail.notice]
KAA25155: ruleset=check_mail,
arg1=<bounce-return-ns-asdf at friendfinder.com>, relay=[209.185.12.44],
reject=451 <bounce-return-ns-asdf at friendfinder.com>... Sender domain
must resolve
Jan  3 13:10:27 pvidns02 sendmail[21694]: [ID 801593 mail.notice]
NAA21694: ruleset=check_mail, arg1=<user at cerner.com>,
relay=ns1.cerner.com [159.140.254.60], reject=451 <user at cerner.com>...
Sender domain must resolve
Jan  3 07:45:08 pvidns02 sendmail[20068]: [ID 801593 mail.notice]
HAA20068: ruleset=check_mail, arg1=<user at kcnet.com>,
relay=mail2.kcnet.com [216.90.72.3], reject=451 <user at kcnet.com>...
Sender domain must resolve
Jan  2 19:14:46 pvidns02 sendmail[18506]: [ID 801593 mail.notice]
TAA18506: ruleset=check_mail, arg1=<user at midusa.net>,
relay=mta01.alltel.net [166.102.165.143], reject=451
<user at midusa.net>... Sender domain must resolve

for the most part, those are the only domains that show to have problems
(Although kcnet.com seemed to only happen to that address; it looks like
other mail from kcnet.com goes through fine.)  I started by taking a
look at the senders...

midusa.net seems to have the NS information all messed up.  One of their
nameservers listed at the rootservers doesn't exist, and the other
returns a valid MX.  nslookup says it's non-authoritative.
cerner.com and friendfinder.com both look ok, but they also say
non-authoritative with nslookup.
kcnet.com looks ok, and always returns authoritative.  When I use
nslookup, I set norecurse and manually walk to each nameserver that is
supposed to be authoritative.  Isn't that the way the resolver works?

The midusa.net user sends mail frequently...  One time, I pinged
midusa.net, and then it started accepting the mail.  I am guessing that
my nameserver cached it, and when sendmail tried to verify the domain,
it worked for some reason.  But why wouldn't it find it on it's own?
Why are those servers returning an answer non-authoritative?  I don't
think it's a cache thing, because there are other domains I nslookup
that always respond authoritative.

The only option I have in my named.conf is directory.  It appears to be
loading without any warnings or errors.  I tried to get the hints file
again, but they cmp'ed OK.  Where do I go next to figure out what's
going on?

Thanks for your help,

Paul

-- Binary/unsupported file stripped by Listar --
-- Type: text/x-vcard
-- File: paul.kenyon.vcf
-- Desc: Card for Paul Kenyon