broken ISP in china

Noel Butler noel.butler at ausics.net
Tue Feb 19 00:25:17 UTC 2013


On Mon, 2013-02-18 at 16:07 -0600, Lyle Giese wrote:


> 
> Recently I moved this domain (lcrcomputer.net) to a registrar that
> supports DNSSEC and inserted the DS record for this domain.  I checked
> DNSSEC via  http://dnsviz.net and
> http://dnssec-debugger.verisignlabs.com.  Both show DNSSEC is working
> just fine for lcrcomputer.net.



dig +dnssec lcrcomputer.net ds

; <<>> DiG 9.9.2 <<>> +dnssec lcrcomputer.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1749
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

The AD flag says it's all working good.


> However, shortly after that one of my customers stopped receiving
> email from one of their clients in China.  They just brought that to
> my attention and I tried to email the client in China and got this
> back:
> 
> For <robin at xxxxx.com.cn>, Site (xxxxx.com.cn/<ipv4 address>) said: 559
> sorry , your helo/ehlo and domain in mail are invalid, you don't
> connect from there. (#5.5.9)
> 
> Because this started within 24 hours of when I published the DS record
> for lcrcomputer.net, I am assuming that this is related.
> 


Ensure your SPF records are kept up to date, and yes this is why, you'll
need to wait till the TTL cache expires on their end.
I see no problem with your SPF IP records though, so long as you don't try
to use ns1. Ignoring most of Vernon's anti-SPF rhetoric, which BTW this
list is NOT the place for (go cry a river on mailop list), he is
correct that you shouldn't really be using PTR, or A for that matter.
Just have your ip4: and ip6: ranges, and perhaps "mx", and along with
"-all" you'll be fine. I have no problems with SPF and lists and have
been using it since very early days. I note though your DKIM fails, which
is typical of mailing lists.

One thing I need to point out, your SOA timings seem extreme...

refresh 86400  drop that to 3h
retry 3600, drop to 900 
expire 604800 change that to 4w
and negative cache value 86400 <gulp> drop that to no more than 3600,
maybe even just use 600.

Cheers
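
The SPF advice in the message above (explicit ip4:/ip6: ranges, optionally "mx", ending in "-all", no ptr or a), as an added example that is not part of the original message: a small linter that parses an SPF TXT record and reports where it departs from that advice. The function names, finding codes and sample records are assumptions constructed for illustration; it also flags mechanisms placed after "all", which goes slightly beyond what the message says.

```python
import re

def parse_spf(record):
    """Return (mechanisms, modifiers): [(qualifier, name, argument)], {name: value}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        mod = re.fullmatch(r"([A-Za-z][A-Za-z0-9._-]*)=(.*)", term)
        if mod:  # modifier such as redirect=_spf.example.net
            modifiers[mod.group(1).lower()] = mod.group(2)
            continue
        mech = re.fullmatch(r"([+\-~?]?)([A-Za-z][A-Za-z0-9]*)([:/].*)?", term)
        if not mech:
            raise ValueError(f"unparseable term: {term!r}")
        mechanisms.append((mech.group(1) or "+", mech.group(2).lower(), mech.group(3) or ""))
    return mechanisms, modifiers

def lint_spf(record):
    """Return finding codes for one record; an empty list means it follows the advice."""
    mechanisms, modifiers = parse_spf(record)
    names = [name for _, name, _ in mechanisms]
    delegated = "redirect" in modifiers or "include" in names
    # ptr and a depend on further DNS lookups; the message advises listing addresses instead
    findings = [code for code in ("ptr", "a") if code in names]
    if not {"ip4", "ip6"} & set(names) and not delegated:
        findings.append("no-ip")           # no explicit ip4:/ip6: range
    if "all" not in names:
        if "redirect" not in modifiers:
            findings.append("no-all")      # record ends without a default result
    else:
        pos = names.index("all")
        if mechanisms[pos][0] != "-":
            findings.append("weak-all")    # ~all, ?all or +all instead of -all
        if pos != len(names) - 1:
            findings.append("dead-terms")  # mechanisms after all are never evaluated
    return findings

# Constructed sample records using documentation names and address ranges.
SAMPLES = {
    "as advised": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx -all",
    "discouraged": "v=spf1 a ptr ~all",
    "misordered": "v=spf1 ip4:192.0.2.10 -all mx",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:12} {lint_spf(record) or 'ok'}  <- {record}")
```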
