workaround for broken nameserver
Peter Dambier
peter at peter-dambier.de
Fri Aug 4 21:03:20 UTC 2006
Robert Haas wrote:
> I recently encountered a couple of nameservers which exhibit seriously
> broken behavior with respect to IPv6. As I understand it, a nameserver
> which receives an AAAA query for a domain which exists but which has no
> AAAA record is supposed to return NOERROR and an empty result set. These
> particular servers return NXDOMAIN; from the research I did on Google, it
> sounds like there are also some that return SERVFAIL.
> So the result of this problem is that I can't send email to this domain.
> Sendmail tries an AAAA lookup; it fails, returning NXDOMAIN, and sendmail
> - following every RFC that I can find - decides that an A query will be
> fruitless and gives up.
I regret to admit that was one of the reasons why I have disabled IPv6
on my machines.
> After some research, I discovered that sendmail
> has an option to ignore NXDOMAIN and SERVFAIL responses to AAAA queries
> and try an A query anyway; this option was added to help work around
> exactly this kind of broken nameserver. So I tried enabling that option,
> but it didn't fix the problem.
>
> Why not? Well, the resolver library on that machine is pointed at a
> caching nameserver (bind 9.3.1) on the local machine. Bind goes out,
> tries the AAAA query, gets back NXDOMAIN, and returns NXDOMAIN to
> sendmail. Sendmail then tries an A query (because of the workaround
> option), but bind says, ah ha, I don't need to recurse, I already know the
> answer, because I got NXDOMAIN from my AAAA query. This host doesn't
> exist. So it sends that answer back in response to the A query as well.
If you can get the zonefile for that domain - or if you can forge one -
you are now an authoritative server for that domain (nasty), with no need
to look up and cache :)
It is a bad kludge but it might work. That is what I did for some mailers
that lost their nameservers from time to time.
If there is none, first forge an MX record pointing to a bogus name.
Next give that bogus name an A record.
>
> This behavior on the part of bind is eminently sensible, but I still can't
> send mail to that domain, whereas if either my MTA or my nameserver were
> slightly stupider (and I'm guessing that most people's are, or the people
> responsible for the domain would have fixed it) I would be able to do so.
> So I'm looking for a workaround. Any ideas? I see that there is a
> "bogus" option in the "server {}" stanza, but doesn't help me in this case
> because ALL of the nameservers for that domain exhibit this problem
> (otherwise I could declare the broken ones bogus and rely on the
> remainder). It seems like it might be helpful to have a "bogus-ipv6" or
> "dont-cache-ipv6-failure" option that flags a nameserver as having this
> problem, unless there is some other clean solution that I have missed.
>
> Thanks in advance for any suggestions,
>
> ...Robert
>
Cheers
Peter and Karin
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
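As an added illustration of the local-zone kludge Peter describes (this is example configuration written for this edit, not something from the original post or from ISC), assume the broken domain is example.net, that its real mail host is reachable at 192.0.2.10, and that the files live under /etc/bind. The named.conf stanza makes the local caching BIND 9 resolver authoritative for the domain, so it never sends the AAAA query upstream and never caches the upstream NXDOMAIN that was poisoning the later A lookup; the zone file carries only the forged MX and the A record that MX needs, which is the two-step procedure from the reply:

```bind
// ---- /etc/bind/named.conf (excerpt), added to the local caching resolver ----
// Declaring the zone as master means this server answers for example.net from
// its own data. Upstream is never consulted, so there is no NXDOMAIN to cache.
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net.override";   // hypothetical path
};

// ---- /etc/bind/db.example.net.override (minimal forged zone) ----
// Assumption: mail for example.net is really accepted at 192.0.2.10. Confirm
// that address against the domain's own nameservers before relying on it.
//
// $TTL 3600
// $ORIGIN example.net.
// @       IN SOA  ns.example.net. hostmaster.example.net. (
//                 2006080401 ; serial
//                 3600       ; refresh
//                 900        ; retry
//                 604800     ; expire
//                 300 )      ; negative-cache TTL
// @       IN NS   ns.example.net.
// ns      IN A    127.0.0.1
// ; Step 1 of the kludge: point the domain's MX at a name we control here.
// @       IN MX   10 mail-override.example.net.
// ; Step 2: give that name an A record. No AAAA exists for it, so the AAAA
// ; query gets NOERROR with an empty answer from our own authoritative data
// ; and sendmail falls through to the A record instead of giving up.
// mail-override   IN A    192.0.2.10
```

The zone-file half is shown commented with `//` only so the whole example sits in one block; in the real file the lines are written without the `//` prefix and `;` is the comment character. Before loading, run `named-checkzone example.net /etc/bind/db.example.net.override`, then `rndc reload`, and check the behaviour the reply is after: `dig @127.0.0.1 mail-override.example.net AAAA` should now return NOERROR with no answer records, and `dig @127.0.0.1 example.net MX` should return the forged MX. Two caveats a practitioner should keep in mind: the override applies only to clients of this resolver, and because the server is now authoritative for the whole zone, every other name under example.net (www, the real MX hosts, and so on) vanishes from the local view unless it is copied into the forged file. Remove the stanza once the domain's nameservers are fixed.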