Re: Weird DNS issues for domains
Crist Clark [EMAIL PROTECTED] wrote: [...] The problem I've seen is when an SMTP server does not accept emails which have non-resolvable MAIL FROM domain. When the sender is a dumb SMTP client, not an MTA, this can cause problems. Well, that dumb SMTP client should stop pretending to be a MTA then. If it can't queue and retry, it shouldn't even *think* about looking for MX records. Besides, what sort of dumb SMTP client did you have in mind? Formmail scripts? Worms? Outlook Express? I can't say I'd miss mail from any of those. (I noticed this happen to a high traffic customer who had both of their DNS servers in the same /24 located in Slidell, LA. Needless to say, they were down for more than a few hours when Katrina rolled through.) Having reachable DNS isn't going to help anyway if the MX host is also unreachable for an extended period. Mail is still going to bounce after a few days if somebody doesn't fiddle with DNS. -- 'Twas a woman who drove me to drink, and I never had the courtesy to thank her for it. - W.C. Fields
Re: Weird DNS issues for domains
Besides, what sort of dumb SMTP client did you have in mind? Formmail scripts? Worms? Outlook Express? I can't say I'd miss mail from any of those. Pot, kettle... Yours seem to have come via a train wreck of mua/mta's From [EMAIL PROTECTED] Fri Sep 30 08:42:11 2005 Delivered-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Path: not-for-mail From: [EMAIL PROTECTED] (Peter) Newsgroups: newsgate.nanog Date: Fri, 30 Sep 2005 07:41:26 + (UTC) Organization: cabal.org.uk listgate, Warwickshire, UK Lines: 27 NNTP-Posting-Host: dopiaza.cabal.org.uk X-Trace: dopiaza.cabal.org.uk 1128066086 12308 82.71.81.27 (30 Sep 2005 07:41:26 GMT) X-Complaints-To: [EMAIL PROTECTED] NNTP-Posting-Date: Fri, 30 Sep 2005 07:41:26 + (UTC) X-Newsreader: trn 4.0-test76 (Apr 2, 2001) Originator: [EMAIL PROTECTED] (Peter) X-SA-Exim-Connect-IP: 82.71.81.26 X-SA-Exim-Mail-From: [EMAIL PROTECTED] X-Spam-Hammy-Tokens: 0.000-+--H*F:U*abuse, 0.000-+--HX-Complaints-To:sk:usenet@, 0.000-+--H*M:cabal, 0.000-+--H*M:dopiaza, 0.000-+--H*r:news X-Spam-Bayes-Score: 0. X-Spam-Spammy-Tokens: 0.994-8--formmail, 0.993-+--MAIL, 0.954-+--H*r:sk:punt-1., 0.938-+--H*Ad:D*org.uk, 0.927-+--H*Ad:D*uk X-Spam-Score-Description: * 0.1 FORGED_RCVD_HELO Received: contains a forged HELO * -1.3 BAYES_00 BODY: Bayesian spam probability is 0 to 1% * [score: 0.] * -0.7 AWL AWL: From: address is in the auto white-list Subject: Re: Weird DNS issues for domains X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100) X-SA-Exim-Scanned: Yes (on punt-1.mooli.org.uk) X-Virus-Scanned: amavisd-new at merit.edu Sender: [EMAIL PROTECTED] spam and virus rating on outgoing is pointless nobody in their right mind is going to use them. Path: not-for-mail I agree, all that nntp stuff is pointless too brandon
Re: Weird DNS issues for domains
On Friday 30 Sep 2005 9:37 am, Brandon Butterworth wrote: spam and virus rating on outgoing is pointless nobody in their right mind is going to use them. Whilst I think it is silly to do. Why not drop emails that claim to be viruses or spam? Of course why anyone would allow their servers to send such is another question. It would be silly to believe things that said I'm not spam, but the opposite doesn't necessary apply.
Re: Weird DNS issues for domains
Peter wrote: Crist Clark [EMAIL PROTECTED] wrote: [...] The problem I've seen is when an SMTP server does not accept emails which have non-resolvable MAIL FROM domain. When the sender is a dumb SMTP client, not an MTA, this can cause problems. Well, that dumb SMTP client should stop pretending to be a MTA then. If it can't queue and retry, it shouldn't even *think* about looking for MX records. Sorry, I guess I was not clear. The dumb client is not pretending to be an MTA. The dumb client is sending to its smart host. The MTA, the smart server for the dumb clients, does a reality check on the envelope sender. (This is not unusual.) A dumb client tries to send, MAIL FROM:[EMAIL PROTECTED] Via the MTA, but the MTA rejects this because it cannot resolve the domain. Now even if our MTA does the right thing and rejects with a 4xx error, a dumb client may not be equipped to handle this well. Besides, what sort of dumb SMTP client did you have in mind? Formmail scripts? Worms? Outlook Express? I can't say I'd miss mail from any of those. Well, the reality check on the sender domain is meant to stop a lot of traffic from some of those sources, so I won't miss that either. However, due to the nature of our business, we have lots of people with very, uh, interesting SMTP clients. I know of a few who have integrated PPP/IP/TCP/SMTP stacks for custom hardware, i.e. they wrote network code for a device with less CPU and RAM horsepower than your modern wrist watch to only send email. They tend not to handle exceptional conditions well (and sometimes have cool features like the sender address is hardcoded, hardcoded in NVRAM, or hardcode the IP address of the smart host which is fun when we move those or bring one down for maintenance). (I noticed this happen to a high traffic customer who had both of their DNS servers in the same /24 located in Slidell, LA. Needless to say, they were down for more than a few hours when Katrina rolled through.) Having reachable DNS isn't going to help anyway if the MX host is also unreachable for an extended period. Mail is still going to bounce after a few days if somebody doesn't fiddle with DNS. But even if the destination MTA is reachable, the mail was not going through since the MAIL FROM domain was unresolvable. The mail would have been delivered promptly had the sender's DNS been available. The sender's MX MTA never enters into the picture. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387
Weird DNS issues for domains
I'm hoping someone on the list can help confirm that I'm not going insane. I have a customer with the domain 'mtrsd.k12.ma.us' The domain should be handled by our DNS servers (dns-auth1.crocker.com dns- auth2.crocker.com) The customer has an A record for www.mtrsd.k12.ma.us pointing to their web server The customer has subdomains for each school in the district which have www records pointing to their web server via CNAME Everything looks like it is configured properly on my servers but the customer is reporting that certain parents (VerizonDSL, Comcast, DirectWAY) can connect to certain website and not others. At this point I think the problem is with the DNS servers at their ISP. Can someone confirm my sanity? My zone of control starts at mtrsd.k12.ma.us I do not have control over k12.ma.us What do you all see for sanderson.mtrsd.k12.ma.us www.sanderson.mtrsd.k12.ma.us. ; DiG 9.2.2 @204.97.12.2 mtrsd.k12.ma.us NS ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 522 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mtrsd.k12.ma.us. IN NS ;; ANSWER SECTION: mtrsd.k12.ma.us.258796 IN NS dns-auth2.crocker.com. mtrsd.k12.ma.us.258796 IN NS dns-auth1.crocker.com. ;; Query time: 39 msec ;; SERVER: 204.97.12.2#53(204.97.12.2) ;; WHEN: Thu Sep 29 09:29:28 2005 ;; MSG SIZE rcvd: 92 ; DiG 9.2.2 @204.97.12.2 sanderson.mtrsd.k12.ma.us NS ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 15880 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;sanderson.mtrsd.k12.ma.us. IN NS ;; ANSWER SECTION: sanderson.mtrsd.k12.ma.us. 259200 INNS dns-auth2.crocker.com. sanderson.mtrsd.k12.ma.us. 259200 INNS dns-auth1.crocker.com. ;; Query time: 2 msec ;; SERVER: 204.97.12.2#53(204.97.12.2) ;; WHEN: Thu Sep 29 09:31:15 2005 ;; MSG SIZE rcvd: 102 ; DiG 9.2.2 @204.97.12.2 www.sanderson.mtrsd.k12.ma.us A ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 52155 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.sanderson.mtrsd.k12.ma.us. IN A ;; ANSWER SECTION: www.sanderson.mtrsd.k12.ma.us. 86400 IN CNAME www.mtrsd.k12.ma.us. www.mtrsd.k12.ma.us.51 IN A 159.250.29.161 ;; Query time: 48 msec ;; SERVER: 204.97.12.2#53(204.97.12.2) ;; WHEN: Thu Sep 29 09:31:52 2005 ;; MSG SIZE rcvd: 81 -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
Re: Weird DNS issues for domains
On 9/29/05, Matthew Crocker [EMAIL PROTECTED] wrote: I'm hoping someone on the list can help confirm that I'm not going insane. How can you be sure it's not the other way around? You're sane and everyone else is insane? :) Can someone confirm my sanity? My zone of control starts at mtrsd.k12.ma.us I do not have control over k12.ma.us What do you all see for sanderson.mtrsd.k12.ma.us www.sanderson.mtrsd.k12.ma.us. [EMAIL PROTECTED] ~]$ dig mtrsd.k12.ma.us ns ; DiG 9.2.4 mtrsd.k12.ma.us ns ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 23100 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mtrsd.k12.ma.us. IN NS ;; ANSWER SECTION: mtrsd.k12.ma.us.86120 IN NS dns-auth2.crocker.com. mtrsd.k12.ma.us.86120 IN NS dns-auth1.crocker.com. ;; Query time: 3 msec ;; SERVER: 204.10.167.4#53(204.10.167.4) ;; WHEN: Thu Sep 29 10:38:50 2005 ;; MSG SIZE rcvd: 92 [EMAIL PROTECTED] ~]$ dig sanderson.mtrsd.k12.ma.us ns ; DiG 9.2.4 sanderson.mtrsd.k12.ma.us ns ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 28515 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;sanderson.mtrsd.k12.ma.us. IN NS ;; ANSWER SECTION: sanderson.mtrsd.k12.ma.us. 259200 INNS dns-auth2.crocker.com. sanderson.mtrsd.k12.ma.us. 259200 INNS dns-auth1.crocker.com. ;; Query time: 33 msec ;; SERVER: 204.10.167.4#53(204.10.167.4) ;; WHEN: Thu Sep 29 10:39:27 2005 ;; MSG SIZE rcvd: 102 [EMAIL PROTECTED] ~]$ dig www.sanderson.mtrsd.k12.ma.us a ; DiG 9.2.4 www.sanderson.mtrsd.k12.ma.us a ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 28640 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.sanderson.mtrsd.k12.ma.us. IN A ;; ANSWER SECTION: www.sanderson.mtrsd.k12.ma.us. 86400 IN CNAME www.mtrsd.k12.ma.us. www.mtrsd.k12.ma.us.600 IN A 159.250.29.161 ;; Query time: 64 msec ;; SERVER: 204.10.167.4#53(204.10.167.4) ;; WHEN: Thu Sep 29 10:39:33 2005 ;; MSG SIZE rcvd: 81 -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Weird DNS issues for domains
Matthew Crocker [EMAIL PROTECTED] writes: Everything looks like it is configured properly on my servers but the customer is reporting that certain parents (VerizonDSL, Comcast, DirectWAY) can connect to certain website and not others. At this point I think the problem is with the DNS servers at their ISP. Can someone confirm my sanity? My zone of control starts at mtrsd.k12.ma.us I do not have control over k12.ma.us I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Cheers, ---Rob
off-list Re: Weird DNS issues for domains
At 9:33 -0400 9/29/05, Matthew Crocker wrote: What do you all see for sanderson.mtrsd.k12.ma.us www.sanderson.mtrsd.k12.ma.us. For your entertainment, I'm a cox.net customer in No Va... $ dig +trace sanderson.mtrsd.k12.ma.us ns ; DiG 9.3.1 +trace sanderson.mtrsd.k12.ma.us ns ;; global options: printcmd . 495670 IN NS L.ROOT-SERVERS.NET. . 495670 IN NS M.ROOT-SERVERS.NET. . 495670 IN NS A.ROOT-SERVERS.NET. . 495670 IN NS B.ROOT-SERVERS.NET. . 495670 IN NS C.ROOT-SERVERS.NET. . 495670 IN NS D.ROOT-SERVERS.NET. . 495670 IN NS E.ROOT-SERVERS.NET. . 495670 IN NS F.ROOT-SERVERS.NET. . 495670 IN NS G.ROOT-SERVERS.NET. . 495670 IN NS H.ROOT-SERVERS.NET. . 495670 IN NS I.ROOT-SERVERS.NET. . 495670 IN NS J.ROOT-SERVERS.NET. . 495670 IN NS K.ROOT-SERVERS.NET. ;; Received 436 bytes from 68.100.16.25#53(68.100.16.25) in 34 ms us. 172800 IN NS A.GTLD.BIZ. us. 172800 IN NS B.GTLD.BIZ. us. 172800 IN NS C.GTLD.BIZ. ;; Received 147 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 129 ms k12.ma.us. 900 IN NS NS2.PIR.NET. k12.ma.us. 900 IN NS NS2.XCOM.NET. k12.ma.us. 900 IN NS LNS0.MA.WORLDNAMES.NET. k12.ma.us. 900 IN NS SIDEHACK.GWEEP.NET. k12.ma.us. 900 IN NS NS.WPI.EDU. k12.ma.us. 900 IN NS NS.AMARANTH.NET. ;; Received 203 bytes from 209.173.53.162#53(A.GTLD.BIZ) in 33 ms mtrsd.k12.ma.us.86400 IN NS dns-auth1.crocker.com. mtrsd.k12.ma.us.86400 IN NS dns-auth2.crocker.com. ;; Received 102 bytes from 130.64.1.31#53(NS2.PIR.NET) in 39 ms sanderson.mtrsd.k12.ma.us. 604800 INNS dns-auth2.crocker.com. sanderson.mtrsd.k12.ma.us. 604800 INNS dns-auth1.crocker.com. ;; Received 134 bytes from 204.97.12.58#53(dns-auth1.crocker.com) in 30 ms $ dig +trace www.sanderson.mtrsd.k12.ma.us. a ; DiG 9.3.1 +trace www.sanderson.mtrsd.k12.ma.us. a ;; global options: printcmd . 495646 IN NS D.ROOT-SERVERS.NET. . 495646 IN NS E.ROOT-SERVERS.NET. . 495646 IN NS F.ROOT-SERVERS.NET. . 495646 IN NS G.ROOT-SERVERS.NET. . 495646 IN NS H.ROOT-SERVERS.NET. . 495646 IN NS I.ROOT-SERVERS.NET. . 495646 IN NS J.ROOT-SERVERS.NET. . 495646 IN NS K.ROOT-SERVERS.NET. . 495646 IN NS L.ROOT-SERVERS.NET. . 495646 IN NS M.ROOT-SERVERS.NET. . 495646 IN NS A.ROOT-SERVERS.NET. . 495646 IN NS B.ROOT-SERVERS.NET. . 495646 IN NS C.ROOT-SERVERS.NET. ;; Received 436 bytes from 68.100.16.25#53(68.100.16.25) in 27 ms us. 172800 IN NS A.GTLD.BIZ. us. 172800 IN NS B.GTLD.BIZ. us. 172800 IN NS C.GTLD.BIZ. ;; Received 151 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 24 ms k12.ma.us. 900 IN NS NS.WPI.EDU. k12.ma.us. 900 IN NS NS.AMARANTH.NET. k12.ma.us. 900 IN NS NS2.PIR.NET. k12.ma.us. 900 IN NS NS2.XCOM.NET. k12.ma.us. 900 IN NS LNS0.MA.WORLDNAMES.NET. k12.ma.us. 900 IN NS SIDEHACK.GWEEP.NET. ;; Received 207 bytes from 209.173.53.162#53(A.GTLD.BIZ) in 32 ms mtrsd.k12.ma.us.86400 IN NS dns-auth2.crocker.com. mtrsd.k12.ma.us.86400 IN NS dns-auth1.crocker.com. ;; Received 106 bytes from 130.215.36.18#53(NS.WPI.EDU) in 36 ms www.sanderson.mtrsd.k12.ma.us. 604800 IN CNAME www.mtrsd.k12.ma.us. sanderson.mtrsd.k12.ma.us. 604800 INNS dns-auth2.crocker.com. sanderson.mtrsd.k12.ma.us. 604800 INNS dns-auth1.crocker.com. ;; Received 156 bytes from 204.97.12.57#53(dns-auth2.crocker.com) in 42 ms $ dig sanderson.mtrsd.k12.ma.us ns ; DiG 9.3.1 sanderson.mtrsd.k12.ma.us ns ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 30698 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2 ;; QUESTION SECTION: ;sanderson.mtrsd.k12.ma.us. IN NS ;;
Re: off-list Re: Weird DNS issues for domains
whoops...sorry for the extraneous data... -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis+1-571-434-5468 NeuStar If you knew what I was thinking, you'd understand what I was saying.
Re: Weird DNS issues for domains
I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school is also down. Geographically diverse name servers sounds great in theory but for this application it won't gain any redundancy. -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
Re: Weird DNS issues for domains
If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail to bounce as undeliverable. (Oh, and if any of your subs are on mailing lists, they will be unsubscribed en masse. A nice way to challenge your call center...) John At 12:06 PM 9/29/2005, Matthew Crocker wrote: I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school is also down. Geographically diverse name servers sounds great in theory but for this application it won't gain any redundancy. -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
Re: Weird DNS issues for domains
John Dupuy wrote: If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail to bounce as undeliverable. (Oh, and if any of your subs are on mailing lists, they will be unsubscribed en masse. A nice way to challenge your call center...) A MTA bouncing mail on temporary DNS failure would be out of spec, horribly. Pete
Re: Weird DNS issues for domains
On Thu, 29 Sep 2005, John Dupuy wrote: If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail to bounce as undeliverable. If a mail server is bouncing immediately on a DNS SERVFAIL (which is what you'll get when a remote DNS server is down), then that mail server is badly broken and will break quite a bit during tier1 failure situations. Failure to resolve != resolves to NXDOMAIN/empty. A failure to resolve (SERVFAIL) should result in the same queueing behavior that the remote SMTP server uses for failure to establish a TCP connection. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Weird DNS issues for domains
Todd Vierling wrote: On Thu, 29 Sep 2005, John Dupuy wrote: If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail to bounce as undeliverable. If a mail server is bouncing immediately on a DNS SERVFAIL (which is what you'll get when a remote DNS server is down), then that mail server is badly broken and will break quite a bit during tier1 failure situations. Failure to resolve != resolves to NXDOMAIN/empty. A failure to resolve (SERVFAIL) should result in the same queueing behavior that the remote SMTP server uses for failure to establish a TCP connection. The problem I've seen is when an SMTP server does not accept emails which have non-resolvable MAIL FROM domain. When the sender is a dumb SMTP client, not an MTA, this can cause problems. (I noticed this happen to a high traffic customer who had both of their DNS servers in the same /24 located in Slidell, LA. Needless to say, they were down for more than a few hours when Katrina rolled through.) -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387
Re: Weird DNS issues for domains
I'll defer to you on this. Clearly a failure to resolve is not the same thing as a NXDOMAIN RCODE. And yet, personal experience has show that the failure of all a customer's DNS servers for a domain does cause swifter mail bouncing than would occur otherwise. I do not know if it was due to the other providers having broken MTAs or broken DNS servers/resolvers... Or maybe they were all flukes. I now wish I had investigated them more thoroughly for the few times I've seen it. John At 12:29 PM 9/29/2005, Todd Vierling wrote: On Thu, 29 Sep 2005, John Dupuy wrote: If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail to bounce as undeliverable. If a mail server is bouncing immediately on a DNS SERVFAIL (which is what you'll get when a remote DNS server is down), then that mail server is badly broken and will break quite a bit during tier1 failure situations. Failure to resolve != resolves to NXDOMAIN/empty. A failure to resolve (SERVFAIL) should result in the same queueing behavior that the remote SMTP server uses for failure to establish a TCP connection. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Weird DNS issues for domains
You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. and folk who would otherwise spool mail for you will throw it on the floor. enjoy. randy
Re: Weird DNS issues for domains
A MTA bouncing mail on temporary DNS failure would be out of spec, horribly. luckily no mail servers are out of spec. randy
Re: Weird DNS issues for domains
Matthew Crocker [EMAIL PROTECTED] writes: I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school is also down. Geographically diverse name servers sounds great in theory but for this application it won't gain any redundancy. I wonder what that application could be... Single server with two addresses? Two servers behind a failing firewall? Well, if you don't care then why should we? There's definitely something seriously wrong with your configuration, and it is related to the two colocated servers. I sometimes get the result below. Works once, and then it fails because of answers from the wrong address: [EMAIL PROTECTED]:~$ dig www.mtrsd.k12.ma.us @dns-auth1.crocker.com ; DiG 9.2.4 www.mtrsd.k12.ma.us @dns-auth1.crocker.com ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 34405 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.mtrsd.k12.ma.us. IN A ;; ANSWER SECTION: www.mtrsd.k12.ma.us.604800 IN A 159.250.29.161 ;; AUTHORITY SECTION: mtrsd.k12.ma.us.604800 IN NS dns-auth2.crocker.com. mtrsd.k12.ma.us.604800 IN NS dns-auth1.crocker.com. ;; ADDITIONAL SECTION: dns-auth2.crocker.com. 600 IN A 204.97.12.57 dns-auth1.crocker.com. 600 IN A 204.97.12.58 ;; Query time: 279 msec ;; SERVER: 204.97.12.58#53(dns-auth1.crocker.com) ;; WHEN: Thu Sep 29 21:11:17 2005 ;; MSG SIZE rcvd: 144 [EMAIL PROTECTED]:~$ dig www.mtrsd.k12.ma.us @dns-auth2.crocker.com ; DiG 9.2.4 www.mtrsd.k12.ma.us @dns-auth2.crocker.com ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 44398 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.mtrsd.k12.ma.us. IN A ;; ANSWER SECTION: www.mtrsd.k12.ma.us.604800 IN A 159.250.29.161 ;; AUTHORITY SECTION: mtrsd.k12.ma.us.604800 IN NS dns-auth2.crocker.com. mtrsd.k12.ma.us.604800 IN NS dns-auth1.crocker.com. ;; ADDITIONAL SECTION: dns-auth2.crocker.com. 600 IN A 204.97.12.57 dns-auth1.crocker.com. 600 IN A 204.97.12.58 ;; Query time: 255 msec ;; SERVER: 204.97.12.57#53(dns-auth2.crocker.com) ;; WHEN: Thu Sep 29 21:11:21 2005 ;; MSG SIZE rcvd: 144 [EMAIL PROTECTED]:~$ dig www.mtrsd.k12.ma.us @dns-auth1.crocker.com ;; reply from unexpected source: 204.97.12.57#53, expected 204.97.12.58#53 ;; reply from unexpected source: 204.97.12.57#53, expected 204.97.12.58#53 ; DiG 9.2.4 www.mtrsd.k12.ma.us @dns-auth1.crocker.com ;; global options: printcmd ;; connection timed out; no servers could be reached After a while the session seems to time out and things will work again. Once, before the same shit happens again. Bjørn
Re: Weird DNS issues for domains
On Thu, 29 Sep 2005, Randy Bush wrote: You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. and folk who would otherwise spool mail for you will throw it on the floor. enjoy. As I tried to explain in the other response, if this were the case with said unnamed MTAs, then a simple tier-1 outage (which is not all that uncommon) or a site under packet flood attacks would cause immediate bounces due to DNS timeouts. The same thing applies to a site whose DNS is simply unreachable because its link is down. When a MTA gets a failed lookup response, it should retry. When the domain *does* resolve, but resolves to *empty or nonexistent*, then the mail should bounce. When a DNS server is unreachable, it can hardly return a NXDOMAIN back to the requestor. 8-P -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Weird DNS issues for domains
Matthew Crocker [EMAIL PROTECTED] writes: Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school is also down. Geographically diverse name servers sounds great in theory but for this application it won't gain any redundancy. Whether you consider traceroute works and I can see the packets fall off the map at $LOCATION better than a nameserver timeout is I suppose a matter of personal taste. In any event, it's my personal opinion that even if the nameservers aren't in the same building (geographically diverse per the RFC) that same prefix or even same origin AS represents a step away from goodness. In fact, what you're seeing right now *just might* be due to some kind of routing nastiness. The failure mode would be much easier to talk some enduser through debugging if the domain name at least resolved. Me, I have nameservers in Ashburn and Palo Alto, with additional ones coming online in London and Montreal (and maybe Tokyo) one of these years as time permits. Your mileage may vary, naturally; as you can see from this photograph, I really *am* a belt-and-suspenders sort of guy: http://www.seastrom.com/seips20030927-shooting.jpg ---Rob
Re: Weird DNS issues for domains
In article [EMAIL PROTECTED] you write: I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school is also down. Geographically diverse name servers sounds great in theory but for this application it won't gain any redundancy. People say this but then they don't see the impact of not having DNS servers available. The DNS was designed with the idea that atleast one of the nameservers for a zone would always be reachable. A zone that is unreachable results in the caching servers using up resouces at 1000 times the normal rate. Milli-seconds to tens of seconds. Mark
