Problems with Mail to erdoc.org
Kevin Darcy
kcd at daimlerchrysler.com
Thu Mar 11 17:48:56 UTC 2004

Barry Finkel wrote:
>I have a problem sending mail to a domain
>
> erdoc.org
>
>After lots of DNS queries, I think I have found the problem.
>The .org servers
>
> tld[12].ultradns.org
>
>list the nameservers for erdoc.org as
>
> dns[12].firehousehosting.net
>
>BUT the real nameservers for that domain are
>
> ns[12].firehousehosting.net (without the initial "d")
>
>What I can not understand is this - when I query
>
> dig erdoc.org MX
>
>sometimes I get SERVFAIL:
>
> -----
> atalanta% dig erdoc.org mx
>
> ; <<>> DiG 8.3 <<>> erdoc.org mx
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; erdoc.org, type = MX, class = IN
>
> ;; Total query time: 2066 msec
> ;; FROM: atalanta.ctd.anl.gov to SERVER: default -- 146.137.64.5
> ;; WHEN: Wed Mar 10 21:06:27 2004
> ;; MSG SIZE sent: 27 rcvd: 27
>
>
> atalanta%
> -----
>
>and sometimes I get an answer:
>
> -----
> britaine% dig erdoc.org mx
>
> ; <<>> DiG 8.3 <<>> erdoc.org mx
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;; erdoc.org, type = MX, class = IN
>
> ;; ANSWER SECTION:
> erdoc.org. 4H IN MX 0 erdoc.org.
>
> ;; AUTHORITY SECTION:
> erdoc.org. 4H IN NS ns2.firehousehosting.net.
> erdoc.org. 4H IN NS ns1.firehousehosting.net.
>
> ;; ADDITIONAL SECTION:
> erdoc.org. 4H IN A 66.246.3.132
>
> ;; Total query time: 5142 msec
> ;; FROM: britaine.ctd.anl.gov to SERVER: default -- 146.139.254.5
> ;; WHEN: Thu Mar 11 07:22:34 2004
> ;; MSG SIZE sent: 27 rcvd: 115
>
> britaine%
> -----
>
>I would have expected SERVFAIL each time. Can someone explain what
>is happening?
>
When the A records for ns[12].firehousehosting.net expire from the cache
before the zone NS records expire, then the caching resolver is put into
the chicken-and-egg situation of having NS records for the zone --
therefore knowing that it *should* be able to fetch the A records of
ns[12].firehousehosting.net from those nameservers -- but not knowing
the A records of the nameservers themselves. Then, if it goes up and
asks the parent for the glue, the parent doesn't know either, since it
only has glue records for dns[12].firehousehosting.net, not
ns[12].firehousehosting.net. Eventually the zone NS records expire from
cache, everything starts with a clean slate, the referral is followed,
the query is resolved, results are cached and the whole cycle starts
again...

>I sent mail to firehousehosting.net, and they said
>
> 1) No other people are complaining about undeliverable mail to
> erdoc.org.
>
Well, a SERVFAIL response from a nameserver is not -- and should not be
-- a fatal error to most mail servers. The mail should *eventually* get
through. And many (most?) people's mail systems are so fundamentally
crappy (or, these days, overloaded with spam) that they wouldn't even
notice the extra delivery delay.

> 2) They do not understand my request to change the glue record.
>
>Therefore, they will not do anything.
>
They don't understand "delegation NS records should always match or be a
superset of in-zone NS records"? That's pretty clueless of them.

- Kevin
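
Added example, not part of the original message or of BIND: a small offline check of the rule quoted in the reply, comparing the NS set the parent hands out with the NS set the zone itself publishes. The function names and the parent-side sample lines are assumptions made for illustration; the child-side lines are the AUTHORITY section quoted in the thread.

```python
import re

# Constructed sample input modelled on the thread. The parent-side lines stand
# for the referral from the .org servers (no TTL is shown on the page, so none
# is given); the child-side lines are the AUTHORITY section quoted above.
PARENT_SIDE = """
erdoc.org.  IN NS dns1.firehousehosting.net.
erdoc.org.  IN NS dns2.firehousehosting.net.
"""
CHILD_SIDE = """
erdoc.org. 4H IN NS ns2.firehousehosting.net.
erdoc.org. 4H IN NS ns1.firehousehosting.net.
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_seconds(token):
    """Convert a TTL such as '4H', '1d12h' or '14400' to seconds."""
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token.lower())
    if not parts or "".join(n + u for n, u in parts) != token.lower():
        raise ValueError(f"bad TTL: {token!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_ns(text, zone):
    """Return {nameserver: ttl_or_None} for NS records owned by `zone`."""
    zone = zone.lower().rstrip(".")
    found = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop dig-style comments
        if "NS" not in fields or fields[0].lower().rstrip(".") != zone:
            continue
        i = fields.index("NS")
        if i + 1 >= len(fields):
            continue                          # truncated record, no target
        ttl = next((ttl_seconds(f) for f in fields[1:i] if f[0].isdigit()), None)
        found[fields[i + 1].lower().rstrip(".")] = ttl
    return found

def check_delegation(parent_text, child_text, zone):
    """Apply the rule from the reply: parent NS set must cover the in-zone set."""
    parent, child = parse_ns(parent_text, zone), parse_ns(child_text, zone)
    uncovered = sorted(set(child) - set(parent))   # in zone, unknown to parent
    stale = sorted(set(parent) - set(child))       # delegated, not in zone
    ttls = [child[n] for n in uncovered if child[n] is not None]
    return {"ok": not uncovered, "uncovered": uncovered, "stale": stale,
            "cached_for": max(ttls) if ttls else None}
```

Here `cached_for` is the longest TTL, in seconds, on an in-zone NS record that the parent does not list, which is how long a cache can hold a nameserver name the parent has no glue for.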

More information about the bind-users mailing list