Sorry, I did not spend too much time thinking about this, but if you are checking 
DKIM, should that be a TXT query instead of an A record?

John

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas 
Barth via bind-users
Sent: Friday, May 31, 2024 12:14 PM
To: bind-users@lists.isc.org
Subject: Problem with a certain domain

Hello,

I use bind9 on my mail server so that Spamassassin can perform the necessary 
DNS blocklist queries. Since it has already happened several times that I have 
to restart bind9 so that a certain domain can still be resolved, I wanted to 
ask if anyone knows where I have to set something.

A mail user regularly receives a newsletter from Spain. But the query to check 
the DKIM signature sometimes leads to a communication error, timeout and a 
write error. I am then informed of these errors by e-mail so that I can restart 
bind9 promptly. Because then it works smoothly again until this problem occurs 
again at some point.

Domain of DKIM-request (duration when the problem occurs 4992 msec!)
############
dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 69cb0f9615955ad7010000006659b7dd9477fff265ac63f6 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; Query time: 4992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:43:25 CEST 2024
;; MSG SIZE  rcvd: 107
############

Then after restarting bind9 (1800 msec)

############
; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1ce3693ff4b0e24a010000006659b802511c16009f2773b0 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; AUTHORITY SECTION:
mallorcazeitung.es.     2560    IN      SOA     ns1.epi.es. hostmaster.mallorcazeitung.es. 1717151222 16384 2048 1048576 2560

;; Query time: 1800 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:44:02 CEST 2024
;; MSG SIZE  rcvd: 182
############

1.8 seconds seems usual for this domain, no idea why, a query from the Bank of 
China is faster \o/

In the Postfix journal I can read:

############
May 30 13:40:50 mx1 postfix/smtpd[257112]: warning: timeout talking to proxy localhost:10024
May 30 13:40:50 mx1 postfix/smtpd[257112]: proxy-reject: END-OF-MESSAGE: 451 4.3.0 Error: queue file write error; ...
############

My settings in /etc/bind/named.conf.options (Debian 12.5) are:

############
acl goodclients {
        127.0.0.0/8;
        localhost;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forwarders {
        //      9.9.9.9;
        //      149.112.112.112;
        //};

        
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on { any; };
        listen-on-v6 { none; };
};
############

Any idea for improving the config?

And this "after disabling qname minimization due to" thing seems to slow down 
the requests?
############
named[287800]: success resolving 's1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/A' after disabling qname minimization due to 'ncache nxdomain'
############


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
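As an added example (not code from the thread, from BIND or from SpamAssassin), here is a small Python script that reads dig output like the two runs quoted above, plus the named log line, and lists what a mail admin would check before restarting the resolver: whether a `_domainkey` name was asked for as TXT (the type DKIM keys are published in) rather than A, whether the run hit a timeout or SERVFAIL, whether a NOERROR answer is actually NODATA, and whether the answer was slow. The sample inputs are the mail's own dig and named output trimmed to the lines the parser reads; the 1000 ms "slow" threshold and the finding labels are assumptions of this example.

```python
import re

# Constructed sample input: the two dig runs quoted in the mail, reduced to the
# lines the parser reads (names, ids and timings are the ones from the mail).
DIG_BEFORE_RESTART = """\
;; communications error to 127.0.0.1#53: timed out
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; Query time: 4992 msec
"""

DIG_AFTER_RESTART = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; AUTHORITY SECTION:
mallorcazeitung.es. 2560 IN SOA ns1.epi.es. hostmaster.mallorcazeitung.es. 1717151222 16384 2048 1048576 2560
;; Query time: 1800 msec
"""

# The named log line from the mail, joined back onto one line.
NAMED_LOG_LINE = ("named[287800]: success resolving "
                  "'s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/A' "
                  "after disabling qname minimization due to 'ncache nxdomain'")

# Assumption: what this admin treats as a slow resolver answer (the mail calls 1.8 s "usual").
SLOW_THRESHOLD_MSEC = 1000

# The question line is the only dig line that starts with a single ';' followed by a name.
QUESTION_RE = re.compile(r"^;(?P<name>\S+)\.\s+IN\s+(?P<type>[A-Z0-9]+)\s*$")
QNAME_MIN_RE = re.compile(r"success resolving '(?P<name>[^/']+)/(?P<type>\w+)' "
                          r"after disabling qname minimization due to '(?P<reason>[^']+)'")


def parse_dig(text):
    """Pull status, question name/type, answer count, query time and timeout flag out of dig output."""
    parsed = {"status": None, "qname": None, "qtype": None, "answer_count": 0,
              "query_time_msec": None, "timed_out": False}
    for line in text.splitlines():
        if "communications error" in line and "timed out" in line:
            parsed["timed_out"] = True
        m = re.search(r"status: ([A-Z]+)", line)
        if m:
            parsed["status"] = m.group(1)
        m = re.search(r"ANSWER: (\d+)", line)
        if m:
            parsed["answer_count"] = int(m.group(1))
        m = re.search(r"Query time: (\d+) msec", line)
        if m:
            parsed["query_time_msec"] = int(m.group(1))
        if line.startswith(";") and not line.startswith(";;"):
            m = QUESTION_RE.match(line)
            if m:
                parsed["qname"], parsed["qtype"] = m.group("name"), m.group("type")
    return parsed


def diagnose(parsed):
    """Turn a parsed dig run into the findings a mail admin would act on (labels are this example's)."""
    findings = []
    name = parsed["qname"] or ""
    # DKIM public keys are published as TXT at <selector>._domainkey.<domain> (RFC 6376);
    # an A query for that name cannot return the key even when resolution itself works.
    if "._domainkey." in name and parsed["qtype"] != "TXT":
        findings.append("dkim-wrong-qtype:%s" % parsed["qtype"])
    if parsed["timed_out"]:
        findings.append("resolver-timeout")
    if parsed["status"] == "SERVFAIL":
        findings.append("servfail")
    if parsed["status"] == "NOERROR" and parsed["answer_count"] == 0:
        # NOERROR with an empty answer section (and the zone SOA in AUTHORITY) is NODATA:
        # the name exists but has no record of the requested type.
        findings.append("nodata")
    if parsed["query_time_msec"] is not None and parsed["query_time_msec"] > SLOW_THRESHOLD_MSEC:
        findings.append("slow:%d" % parsed["query_time_msec"])
    return findings


def parse_qname_min_fallback(log_line):
    """Extract name, type and reason from named's 'after disabling qname minimization' message."""
    m = QNAME_MIN_RE.search(log_line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, text in (("before restart", DIG_BEFORE_RESTART), ("after restart", DIG_AFTER_RESTART)):
        print(label, diagnose(parse_dig(text)))
    print(parse_qname_min_fallback(NAMED_LOG_LINE))
```

Run against the two quoted dig runs, the script flags both as type-A queries for a `_domainkey` name, flags the first as a timeout plus SERVFAIL, and flags the second as NODATA (the name exists, but has no A record, which is consistent with the key being a TXT record) and slow. The named line records that the resolver finished the lookup only after dropping qname minimization because an intermediate name had a cached NXDOMAIN, which adds round trips and is a plausible contributor to the 1.8 s timing; the script only extracts the name, type and reason so they can be correlated with the dig runs.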