MX records not authoritative?

Velociraptor vraptorz at yahoo.com
Thu May 17 00:42:17 UTC 2001


DNS wizards:
I have searched the archives of comp.mail.sendmail and
comp.protocols.dns.bind without success, and cannot
explain this phenomenon.

I recently upgraded to BIND 8.2.3 and Sendmail 8.11.3
(both compiled from open source) on my Solaris servers
which handle external DNS and mail relaying. Since
that time, we have experienced funky problems where
mail to certain domains hangs in the queue with the
error message "host map: lookup (problemdomain.com):
deferred".

I have implemented the fix for sendmail which is
described in the configuration README to use:
O ResolverOptions=WorkAroundBrokenAAAA
since there appeared to be issues with some servers
choking on the AAAA record request and timing out.
However, even after that fix was installed, I have
cases with 2-3 domains (that I know of) which can only
be contacted if I manually coddle them.

The symptom I get is that sometimes MX records will
not resolve for these domains. HOWEVER, the sites DO
HAVE both MX records, and A records for those MX
hosts. If I stop & restart my named and refresh its
cache, the MX record can be obtained from the
authoritative host. It will remain valid for a period
of time, and then it apparently drops out of the cache
and is NEVER requested again (until manually forced).
This appears to have something to do with broken DNS
at their end, but nothing we have been able to track
down. Any thoughts?

I am attaching DIG output which shows a SERVFAIL from
my server, which milliseconds later was followed by a
second request, which worked. Some assistance
interpreting the output & theorizing how to fix this
would be greatly appreciated.

Kate


; <<>> DiG 8.3 <<>> @0.0.0.0 smartt.com mx 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      smartt.com, type = MX, class = IN

;; Total query time: 2 msec
;; FROM: mail01 to SERVER: x.x.x.x
;; WHEN: Wed May 16 16:31:10 2001
;; MSG SIZE  sent: 28  rcvd: 28

***** Note the SERVFAIL response. 
***** I issue an nslookup -type=mx which succeeds,
***** and then immediately do a dig again:

; <<>> DiG 8.3 <<>> @0.0.0.0 smartt.com mx 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUERY SECTION:
;;      smartt.com, type = MX, class = IN

;; ANSWER SECTION:
smartt.com.             1h40m18s IN MX  10 mail.smartt.com.

;; AUTHORITY SECTION:
smartt.com.             1d17h15m19s IN NS  KTK1.smartt.com.
smartt.com.             1d17h15m19s IN NS  KTK2.smartt.com.

;; ADDITIONAL SECTION:
mail.smartt.com.        1h57m52s IN A   209.52.5.253
KTK1.smartt.com.        1d17h15m19s IN A  206.12.175.153
KTK2.smartt.com.        1d17h15m19s IN A  206.12.31.2

;; Total query time: 3 msec
;; FROM: mail01 to SERVER: x.x.x.x
;; WHEN: Wed May 16 16:32:05 2001
;; MSG SIZE  sent: 28  rcvd: 135

***** Checking the supposedly authoritative server 
***** IP address for the same information, and
***** I get this info - NOTE the missing 'aa' flag.

; <<>> DiG 8.3 <<>> @206.12.175.153 smartt.com mx 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;;      smartt.com, type = MX, class = IN

;; ANSWER SECTION:
smartt.com.             3H IN MX        10 mail.smartt.com.

;; ADDITIONAL SECTION:
mail.smartt.com.        3H IN A         209.52.5.253

;; Total query time: 81 msec
;; FROM: mail01 to SERVER: 206.12.175.153
;; WHEN: Wed May 16 16:58:11 2001
;; MSG SIZE  sent: 28  rcvd: 65


*****  In fact, neither of the primary DNS servers
*****  listed in the record actually have aa data.
*****  They also don't have valid SOA records:

# dig @206.12.31.2 smartt.com soa

; <<>> DiG 8.3 <<>> @206.12.31.2 smartt.com soa 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      smartt.com, type = SOA, class = IN

;; ANSWER SECTION:
smartt.com.             3H IN SOA       ktk1.smartt.com. Postmaster.ktk1.smartt.com. (
                                        2001033001      ; serial
                                        1H              ; refresh
                                        10M             ; retry
                                        1D              ; expiry
                                        3H )            ; minimum


;; Total query time: 85 msec
;; FROM: mail01 to SERVER: 206.12.31.2
;; WHEN: Wed May 16 17:34:06 2001
;; MSG SIZE  sent: 28  rcvd: 80


*****  My question is, what is wrong with their DNS and
*****  how can I describe this so the admin can fix it?



More information about the bind-users mailing list
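A check for the condition described in the message above (a name server listed in the zone's NS records answering without the aa flag, and SERVFAIL from the local resolver), as an added example that is not part of the original post. The function names and verdict strings are assumptions; the header lines are copied from the post's dig transcripts except the last entry, which is constructed to show an authoritative reply.

```python
import re

# Addresses of the zone's listed name servers (KTK1, KTK2), as shown in the post.
LISTED_NS = {"206.12.175.153", "206.12.31.2"}

# Header lines from the post's dig transcripts, mail-client line wrap kept.
# The last entry is constructed: what an authoritative reply would look like.
TRANSCRIPTS = {
    "resolver, first try": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0
;; FROM: mail01 to SERVER: x.x.x.x""",
    "resolver, second try": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2,
ADDITIONAL: 3
;; FROM: mail01 to SERVER: x.x.x.x""",
    "KTK1 queried directly": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1
;; FROM: mail01 to SERVER: 206.12.175.153""",
    "constructed aa reply": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2,
ADDITIONAL: 3
;; FROM: mail01 to SERVER: 206.12.31.2""",
}

def parse_dig(text):
    """Pull status, header flags, section counts and server out of dig 8.x output."""
    counts = re.findall(r"\b(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)", text)
    return {
        "status": re.search(r"status:\s*(\w+)", text).group(1),
        "flags": set(re.search(r"flags:\s*([a-z ]*);", text).group(1).split()),
        "counts": {name: int(n) for name, n in counts},  # \s* spans the wrap
        "server": re.search(r"SERVER:\s*(\S+)", text).group(1),
    }

def assess(reply, listed_ns=LISTED_NS):
    """A cache may omit aa; a server named in the NS set should set it."""
    if reply["status"] != "NOERROR":
        return "resolver failure: " + reply["status"]
    if reply["server"] in listed_ns and "aa" not in reply["flags"]:
        return "listed NS answered without aa"
    return "ok"

def report():
    return {name: assess(parse_dig(text)) for name, text in TRANSCRIPTS.items()}

if __name__ == "__main__":
    print("\n".join(f"{name}: {verdict}" for name, verdict in report().items()))
```
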