> On Nov 16, 2021, at 8:03 PM, Henrik K <h...@hege.li> wrote:
>
> On Tue, Nov 16, 2021 at 01:08:16PM -0700, Philip Prindeville wrote:
>>
>> Or http.sh points to an NS that's offline...
>
> Your resolver should time out _way_ sooner than some minutes.
>
>> Can the async lookup be back-ported?
>
> No, and there will be no new 3.4 releases.
>
Yeah, I still need to figure that out...

When I run "dig -t any http.sh" it times out after a few seconds. But
SpamAssassin is doing something very different. Not sure why.

In any case, the workaround seems to be:

uri_block_exclude __L_BLOCK_ISP ... http.sh shlom.in

Where not resolving these last two domains makes the timeouts go away. Note
that the pathology is the same in both cases:

philipp@macbook3 ~ % dig @8.8.8.8 -tns shlom.in.
; <<>> DiG 9.10.6 <<>> @8.8.8.8 -tns shlom.in.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38665
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;shlom.in. IN NS
;; ANSWER SECTION:
shlom.in. 300 IN NS ns1gmz.name.com.
shlom.in. 300 IN NS ns2jrt.name.com.
shlom.in. 300 IN NS ns3qtx.name.com.
shlom.in. 300 IN NS ns4blx.name.com.
;; Query time: 84 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 26 15:25:44 MST 2021
;; MSG SIZE rcvd: 129
philipp@macbook3 ~ %
philipp@macbook3 ~ % dig @8.8.8.8 -tns http.sh.
; <<>> DiG 9.10.6 <<>> @8.8.8.8 -tns http.sh.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;http.sh. IN NS
;; ANSWER SECTION:
http.sh. 60 IN CNAME park.io.
park.io. 14797 IN NS ns-1348.awsdns-40.org.
park.io. 14797 IN NS ns-1624.awsdns-11.co.uk.
park.io. 14797 IN NS ns-441.awsdns-55.com.
park.io. 14797 IN NS ns-672.awsdns-20.net.
;; Query time: 245 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 26 15:25:03 MST 2021
;; MSG SIZE rcvd: 197
philipp@macbook3 ~ %

Seems a little broken that the NS records aren't accompanied by 'A' glue
records, but that's not catastrophic... normally a 2nd query would be done.

Should the resolver code in SpamAssassin be more robust when it comes to such
failures?

philipp@macbook3 ~ % dig -ta ns-1348.awsdns-40.org.
; <<>> DiG 9.10.6 <<>> -ta ns-1348.awsdns-40.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37011
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns-1348.awsdns-40.org. IN A
;; ANSWER SECTION:
ns-1348.awsdns-40.org. 78740 IN A 205.251.197.68
;; Query time: 51 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Dec 26 15:27:16 MST 2021
;; MSG SIZE rcvd: 66
philipp@macbook3 ~ % dig @205.251.197.68 -ta http.sh
; <<>> DiG 9.10.6 <<>> @205.251.197.68 -ta http.sh
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28411
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;http.sh. IN A
;; Query time: 67 msec
;; SERVER: 205.251.197.68#53(205.251.197.68)
;; WHEN: Sun Dec 26 15:27:32 MST 2021
;; MSG SIZE rcvd: 25
philipp@macbook3 ~ %

I'm not exactly sure what's falling down or why.

Is there anyone with more BIND-fu than me that's willing to venture a guess?

-Philip
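
Added example, not part of the original message and not SpamAssassin code: a small Python parser for pasted dig output like the transcripts above, reporting per response the rcode, whether recursion was offered, whether the question was answered through a CNAME, and whether anything other than the EDNS OPT record came back in ADDITIONAL. The sample text is constructed by abridging the output in the message; the function names `parse_dig` and `observations` are hypothetical.

```python
import re

# Constructed sample: two responses abridged from the dig output quoted in the message.
SAMPLE = """\
; <<>> DiG 9.10.6 <<>> @8.8.8.8 -tns http.sh.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
;http.sh. IN NS
http.sh. 60 IN CNAME park.io.
park.io. 14797 IN NS ns-1348.awsdns-40.org.
; <<>> DiG 9.10.6 <<>> @205.251.197.68 -ta http.sh
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28411
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;http.sh. IN A
"""

def parse_dig(text):
    """Split concatenated dig output into one dict per response."""
    out = []
    for block in re.split(r"(?m)^; <<>> DiG", text)[1:]:
        r = {"status": None, "flags": [], "additional": 0, "edns": False,
             "question": None, "records": []}
        for line in block.splitlines():
            if m := re.search(r"status: (\w+)", line):
                r["status"] = m.group(1)
            elif m := re.match(r";; flags: ([\w ]*);.*ADDITIONAL: (\d+)", line):
                r["flags"], r["additional"] = m.group(1).split(), int(m.group(2))
            elif line.startswith("; EDNS:"):
                r["edns"] = True  # the OPT pseudo-record counts toward ADDITIONAL
            elif m := re.match(r";(\S+)\s+IN\s+(\S+)$", line):
                r["question"] = (m.group(1).rstrip(".").lower(), m.group(2))
            elif m := re.match(r"(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$", line):
                r["records"].append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3)))
        out.append(r)
    return out

def observations(r):
    """List what stands out in one response; observations, not a diagnosis."""
    notes, (qname, qtype) = [], r["question"]
    if r["status"] != "NOERROR":
        notes.append(f"rcode {r['status']}")
    if "ra" not in r["flags"]:
        notes.append("recursion not available")
    for name, rtype, rdata in r["records"]:
        if name == qname and rtype == "CNAME" and qtype != "CNAME":
            notes.append(f"{qname} {qtype} answered via CNAME to {rdata.rstrip('.')}")
    if r["records"] and r["additional"] - int(r["edns"]) == 0:
        notes.append("no address records in ADDITIONAL")
    return notes
```

Feed it the saved output of several dig runs concatenated into one string, then call `observations()` on each parsed response to compare them side by side.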