> I use bind9 on my mail server so that Spamassassin can perform the
> necessary DNS blocklist queries. Since it has already happened several
> times that I have to restart bind9 so that a certain domain can still
> be resolved, I wanted to ask if anyone knows where I have to set
> something.
>
> A mail user regularly receives a newsletter from Spain. But the query
> to check the DKIM signature sometimes leads to a communication error,
> timeout and a write error. I am then informed of these errors by
> e-mail so that I can restart bind9 promptly. Because then it works
> smoothly again until this problem occurs again at some point.
>
> Domain of DKIM-request (duration when the problem occurs 4992 msec!)
> ############
> dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es

My go-to DNS debugging site at

  https://dnsviz.net/d/s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/dnssec/

appears to indicate there is more than one problem, but the most
serious one is probably this one:

It might look like one or more of the publishing name servers
responds incorrectly when queried for an "empty non-terminal" name
(e.g. _domainkey...), which probably itself doesn't have any data
on that node, but has data on "names below". The correct response
code is then NOERROR with answer count=0 (aka. "NODATA"), not
NXDOMAIN.

When a recursor gets NXDOMAIN back, it is free to assume that the
queried-for name does not exist (which is obvious), and nothing
exists below that node either. See RFC 8020.

Regards,

- Håvard
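
The behaviour described in the reply above, as an added example that is not part of the original mailing-list post: a toy authoritative server and a toy recursor showing how an NXDOMAIN answer for an empty non-terminal, once cached, hides the DKIM record below it (RFC 8020). The zone name `news.example.test`, the classes and `demo()` are constructed for illustration and do not model BIND's internals.

```python
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

def labels(name):
    return tuple(name.rstrip(".").lower().split("."))

class Authority:
    """Toy authoritative server for a constructed zone."""
    def __init__(self, owners, ent_bug=False):
        self.owners = {labels(n) for n in owners}  # names that hold records
        self.ent_bug = ent_bug                     # True = the faulty behaviour

    def query(self, name):
        q = labels(name)
        if q in self.owners:
            return NOERROR, 1
        # Empty non-terminal: no data at this node, but data at names below it.
        is_ent = any(len(o) > len(q) and o[-len(q):] == q for o in self.owners)
        if is_ent and not self.ent_bug:
            return NOERROR, 0                      # correct answer: NODATA
        return NXDOMAIN, 0

class Recursor:
    """Toy recursor that applies the RFC 8020 NXDOMAIN cut."""
    def __init__(self, auth):
        self.auth = auth
        self.nx_cache = set()

    def resolve(self, name):
        q = labels(name)
        # A cached NXDOMAIN for the name or any ancestor covers everything below.
        if any(q[i:] in self.nx_cache for i in range(len(q))):
            return NXDOMAIN, 0
        rcode, count = self.auth.query(name)
        if rcode == NXDOMAIN:
            self.nx_cache.add(q)
        return rcode, count

    def flush(self):
        # Emptying the cache (a restart of the recursor does this) lifts the cut.
        self.nx_cache.clear()

def demo(ent_bug):
    rec = Recursor(Authority(["s1._domainkey.news.example.test"], ent_bug))
    ent = rec.resolve("_domainkey.news.example.test")      # lookup hits the ENT
    key = rec.resolve("s1._domainkey.news.example.test")   # DKIM key lookup
    rec.flush()
    after = rec.resolve("s1._domainkey.news.example.test")
    return ent, key, after

if __name__ == "__main__":
    print("faulty server :", demo(ent_bug=True))
    print("correct server:", demo(ent_bug=False))
```
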