workaround for broken nameserver

Peter Dambier peter at peter-dambier.de
Fri Aug 4 21:03:20 UTC 2006


Robert Haas wrote:
> I recently encountered a couple of nameservers which exhibit seriously 
> broken behavior with respect to IPv6.  As I understand it, a nameserver 
> which receives an AAAA query for a domain which exists but which has no 
> AAAA record is supposed to return NOERROR and an empty result set.  These 
> particular servers return NXDOMAIN; from the research I did on Google, it 
> sounds like there are also some that return SERVFAIL.
> So the result of this problem is that I can't send email to this domain. 
> Sendmail tries an AAAA lookup; it fails, returning NXDOMAIN, and sendmail 
> - following every RFC that I can find - decides that an A query will be 
> fruitless and gives up.

I regret to admit that was one of the reasons why I have disabled IPv6
on my machines.

>  After some research, I discovered that sendmail 
> has an option to ignore NXDOMAIN and SERVFAIL responses to AAAA queries 
> and try an A query anyway; this option was added to help work around 
> exactly this kind of broken nameserver.  So I tried enabling that option, 
> but it didn't fix the problem.
> 
> Why not?  Well, the resolver library on that machine is pointed at a 
> caching nameserver (bind 9.3.1) on the local machine.  Bind goes out, 
> tries the AAAA query, gets back NXDOMAIN, and returns NXDOMAIN to 
> sendmail.  Sendmail then tries an A query (because of the workaround 
> option), but bind says, ah ha, I don't need to recurse, I already know the 
> answer, because I got NXDOMAIN from my AAAA query.  This host doesn't 
> exist.  So it sends that answer back in response to the A query as well.

If you can get the zonefile for that domain - or if you can forge one -
you are now an authoritative server for that domain (nasty), with no need
to look up and cache :)

It is a bad kludge, but it might work. That is what I did for some mailers
who lost their nameservers from time to time.

If there is none, first forge an MX record to a bogus name.
Next give that bogus name an A record.

> 
> This behavior on the part of bind is eminently sensible, but I still can't 
> send mail to that domain, whereas if either my MTA or my nameserver were 
> slightly stupider (and I'm guessing that most people's are, or the people 
> responsible for the domain would have fixed it) I would be able to do so. 
> So I'm looking for a workaround.  Any ideas?  I see that there is a 
> "bogus" option in the "server {}" stanza, but doesn't help me in this case 
> because ALL of the nameservers for that domain exhibit this problem 
> (otherwise I could declare the broken ones bogus and rely on the 
> remainder).  It seems like it might be helpful to have a "bogus-ipv6" or 
> "dont-cache-ipv6-failure" option that flags a nameserver as having this 
> problem, unless there is some other clean solution that I have missed.
> 
> Thanks in advance for any suggestions,
> 
> ...Robert
> 

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
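As an added illustration of the kludge Peter describes (this is not code from the original thread, nor BIND project documentation), the POSIX shell function below writes the two files a BIND 9 caching resolver needs to become locally authoritative for the broken domain: a forged zone file containing an MX that points at a name inside the zone, an A record for that name, and deliberately no AAAA record, plus a `zone "..." { type master; ... }` stanza to include from named.conf. The domain name `example.com`, the address `192.0.2.25` (taken here to be where the domain's mail server really listens) and all file paths are assumed placeholders; substitute the real domain and the real MX address.

```shell
#!/bin/sh
# Added example: build a local authoritative override for a BIND 9
# caching resolver so it never asks the broken remote nameservers and
# never caches their NXDOMAIN answer to the AAAA query.
# Assumptions (not from the original post): domain, mail-host address
# and output directory are whatever the caller passes in.

# write_override DOMAIN MAILHOST_IP OUTDIR
# Writes OUTDIR/DOMAIN.zone and OUTDIR/DOMAIN.conf and prints the zone path.
write_override() {
    domain=$1
    ip=$2
    outdir=$3
    zonefile="$outdir/$domain.zone"
    conffile="$outdir/$domain.conf"
    serial=$(date -u +%Y%m%d01)   # date-based serial, bump if you edit

    # Forged zone. "\$" keeps $TTL/$ORIGIN literal in this unquoted heredoc.
    cat > "$zonefile" <<EOF
; Forged override zone for $domain (constructed example).
; MX points at a name INSIDE this zone so the local server, not the
; broken remote one, answers the follow-up lookup. There is no AAAA
; record for "mail": an AAAA query gets NOERROR with an empty answer,
; which is what the MTA expects before it falls back to an A query.
\$TTL 300
\$ORIGIN $domain.
@       IN SOA  ns.$domain. hostmaster.$domain. (
                $serial    ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-caching TTL
@       IN NS   ns.$domain.
ns      IN A    127.0.0.1
@       IN MX   10 mail.$domain.
mail    IN A    $ip
EOF

    # named.conf fragment: declaring the zone locally makes named
    # authoritative for it, so no recursion and no negative caching.
    cat > "$conffile" <<EOF
// Include from named.conf on the caching resolver (constructed example).
zone "$domain" {
    type master;
    file "$zonefile";
};
EOF

    # Syntax-check the zone if BIND's tools are installed; skip otherwise.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$domain" "$zonefile" >/dev/null 2>&1 || return 1
    fi
    printf '%s\n' "$zonefile"
}

# Usage (paths are assumptions):
#   write_override example.com 192.0.2.25 /etc/named/override
# then add   include "/etc/named/override/example.com.conf";   to
# named.conf and run   rndc reload   on the resolver.
```

Two caveats a practitioner will want before doing this: the override replaces the entire real zone for every client of this resolver, so any other names under the domain you still need (a web host, for instance) must be copied into the zone file by hand, and the stanza should be removed as soon as the remote nameservers are fixed, since nothing will refresh it automatically. `type master` is the spelling BIND 9.3 understands; newer releases also accept `primary`.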



More information about the bind-users mailing list