T_ANY

Glenn English ghe at slsware.com
Fri Mar 19 20:12:41 UTC 2010


I posted this to the postfix users list:

One of my users had problems receiving from Yahoo a couple days ago. The sender (in FLA) got this:

>> From: "MAILER-DAEMON at yahoo.com" <MAILER-DAEMON at yahoo.com>
>> To: xxxxx at yahoo.com
>> Sent: Sun, March 7, 2010 5:51:09 PM
>> Subject: failure notice
>> 
>> Hi. This is the qmail-send program at yahoo.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>> 
>> <xxxxx at slsware.com>:
>> CNAME lookup failed temporarily. (#4.4.3)
>> I'm not going to try again; this message has been in the queue too long.

I got responses saying that the problem was that my DNS ignores 

'dig @ns1.slsware.com -t any slsware.com' (or 'dig +trace -t any slsware.com')

and indeed it does, from outside. From inside it's fine, and '-t MX' works from anywhere. Yahoo's MTA (qmail) does T_ANY lookups, so it thinks there's nobody home at my nameserver. But I can't get anybody over on the postfix list to suggest what might be wrong. I spent the morning with Google, and couldn't find anything that looked like it might be the answer.

The obvious answer is firewalling, but I don't think that's it. A query from inside goes through the same PIX firewall as would a query from outside; the PIX is configured "no fixup protocol dns"; I don't think IOS in the router knows anything about what type of DNS query is coming in; and the same query to the other nameserver ('dig @ns1.richeyrentals.com -t any slsware.com') also fails. That one's also behind a PIX, but has a non-IOS router.

Both servers are Debian lenny, 'named -v' says BIND 9.5.1-P3, and BIND's config check says it's OK. But it has nothing to do with any of that, I think, because the query works from inside.

Any ideas?
 
-- 
Glenn English
ghe at slsware.com
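
An added example, not part of the original post: a small Python check that sends the same ANY and MX questions as the dig commands above and reports, per type, whether the server answered, set the truncation bit, returned an error rcode, or stayed silent. The function names and the constructed reply headers are illustrative assumptions; only `probe` touches the network.

```python
import socket
import struct

QTYPE = {"MX": 15, "ANY": 255}   # ANY (255) is the T_ANY type qmail asks for
RCODE = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, qid=0x1234):
    """RFC 1035 wire-format question, RD clear, class IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def classify(reply, qid=0x1234):
    """Summarise a UDP reply; None stands for a timeout."""
    if reply is None:
        return "no reply within timeout"
    if len(reply) < 12:
        return "malformed reply"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:          # wrong ID or QR bit clear
        return "not a response to this query"
    if flags & 0x0200:                            # TC bit
        return "truncated over UDP (TC set)"
    if flags & 0x000F:
        return "rcode " + RCODE.get(flags & 0x000F, str(flags & 0x000F))
    return "answered: %d records" % an

def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query to server:53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            return classify(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no reply within timeout"

if __name__ == "__main__":
    # Constructed reply headers (not captured traffic) to show each outcome offline.
    samples = {"answer": struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0),
               "truncated": struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 0),
               "refused": struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0),
               "timeout": None}
    for label, reply in samples.items():
        print(label, "->", classify(reply))
```

Running `probe("ns1.slsware.com", "slsware.com", "ANY")` and the same call with `"MX"` from a host inside and a host outside shows which of the four outcomes differs between the two vantage points.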





