BIND / Sendmail and Bad Referrals

Mike Tancsa mike at sentex.net
Mon Jun 27 02:54:57 UTC 2005


At 10:24 PM 26/06/2005, Mark Andrews wrote:

> > At 10:48 PM 24/06/2005, Mark Andrews wrote:
> >
> > >         link1.rona.ca is returning the wrong SOA record.   The zone
> > >         is merlin.rona.ca yet it is claiming that it is rona.ca.  Named
> > >         correctly detects this misconfiguration and marks the server
> > >         as lame.
> > >
> > >         Similarly for link2.
> > >
> > >         Mark
> > >
> > >; <<>> DiG 9.3.2prerelease <<>> AAAA merlin.rona.ca. +norec @link1.rona.ca.
> > >; (1 server found)
> > >;; global options:  printcmd
> > >;; Got answer:
> > >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21126
> > >;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >
> > >;; QUESTION SECTION:
> > >;merlin.rona.ca.                        IN      AAAA
> > >
> > >;; AUTHORITY SECTION:
> > >rona.ca.                86400   IN      SOA     rona.ca. administrator.rona.ca. 998545544 28800 7200 604800 86400
> > >
> > >;; Query time: 259 msec
> > >;; SERVER: 207.61.124.213#53(207.61.124.213)
> > >;; WHEN: Sat Jun 25 12:44:58 2005
> > >;; MSG SIZE  rcvd: 106
> >
> >
> > There seems to be very different results using FreeBSD with INET6 and
> > without.  With INET6, sendmail complains as I mentioned in the opening
> > thread. However, with INET6 disabled in the kernel, mail flows fine to this
> > site?
> >
> >          ---Mike
>
>         Because it doesn't make the AAAA queries and hence doesn't see
>         that link1.rona.ca and link2.rona.ca are misconfigured.


But should not
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
work around such issues in sendmail? It appears it's not working in this case.

BTW, thank you for your help on this.  I think I need to do some more research as 
to better understand the process of what exactly sendmail is asking.  I am 
trying to understand this well enough so I can explain to the customer with 
confidence why there is an issue with their configuration, and why it is a 
good idea for their DNS server not to be configured this way.

In terms of reproducing such a misconfiguration, how would one even do it?

         ---Mike
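
Added example, not part of the original message and not BIND's own code: a Python check for the condition Mark Andrews describes in the quoted text, a negative answer whose authority-section SOA owner (rona.ca.) lies outside the zone the server was delegated (merlin.rona.ca.). The sample reply is constructed from the dig output quoted in the thread; the function names and the generalized rule (SOA owner at or below the delegated zone and at or above the query name) are assumptions of this example.

```python
import re

# Constructed sample: the dig reply quoted in the thread, wrapped SOA line rejoined.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21126
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;merlin.rona.ca.                        IN      AAAA
;; AUTHORITY SECTION:
rona.ca.  86400  IN  SOA  rona.ca. administrator.rona.ca. 998545544 28800 7200 604800 86400
"""

def within(name, zone):
    """True if name equals zone or is a subdomain of it (label-wise, case-insensitive)."""
    n = [l for l in name.lower().split(".") if l]
    z = [l for l in zone.lower().split(".") if l]
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_dig(text):
    """Extract status, answer count, question name and authority SOA owner from dig text."""
    info = {"status": None, "answers": 0, "qname": None, "soa_owner": None}
    section = None
    for line in text.splitlines():
        if m := re.search(r"status: (\w+)", line):
            info["status"] = m.group(1)
        if m := re.search(r"ANSWER: (\d+)", line):
            info["answers"] = int(m.group(1))
        if m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "QUESTION" and re.match(r";[^;\s]", line):
            info["qname"] = line[1:].split()[0]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            f = line.split()
            if len(f) > 3 and f[3] == "SOA":
                info["soa_owner"] = f[0]
    return info

def check_negative_answer(text, delegated_zone):
    """Return (verdict, detail); verdict is 'ok', 'lame' or 'skip'."""
    r = parse_dig(text)
    if r["status"] != "NOERROR" or r["answers"] > 0:
        return "skip", "not a NOERROR reply with an empty answer section"
    if r["soa_owner"] is None:
        return "skip", "no SOA in the authority section to compare"
    if within(r["soa_owner"], delegated_zone) and within(r["qname"] or "", r["soa_owner"]):
        return "ok", f"SOA owner {r['soa_owner']} fits delegated zone {delegated_zone}"
    return "lame", f"SOA owner {r['soa_owner']} does not fit delegated zone {delegated_zone}"
```

Calling check_negative_answer(SAMPLE, "merlin.rona.ca.") reports the reply as lame, matching what named concluded about link1.rona.ca.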


