Maybe it's a difference between udp and tcp in your firewall? For most queries udp 53 is used but for long packets it might switch to tcp 53 - since you're doing an any you're going to get a lot more data.
-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Glenn English
Sent: Friday, March 19, 2010 4:13 PM
To: bind-users@lists.isc.org
Subject: T_ANY

I posted this to the postfix users list:

One of my users had problems receiving from Yahoo a couple days ago. The sender (in FLA) got this:

>> From: "mailer-dae...@yahoo.com" <mailer-dae...@yahoo.com>
>> To: xx...@yahoo.com
>> Sent: Sun, March 7, 2010 5:51:09 PM
>> Subject: failure notice
>>
>> Hi. This is the qmail-send program at yahoo.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>>
>> <xx...@slsware.com>:
>> CNAME lookup failed temporarily. (#4.4.3)
>> I'm not going to try again; this message has been in the queue too long.

I got responses saying that the problem was that my DNS ignores 'dig @ns1.slsware.com -t any slsware.com' (or 'dig +trace -t any slsware.com') and indeed it does, from outside. From inside it's fine, and '-t MX' works from anywhere. Yahoo's MTA (qmail) does T_ANY lookups, so it thinks there's nobody home at my nameserver.

But I can't get anybody over on the postfix list to suggest what might be wrong. I spent the morning with google, and couldn't find anything that looked like it might be the answer.

The obvious answer is firewalling, but I don't think that's it. A query from inside goes through the same PIX firewall as would a query from outside; the pix is configured "no fixup protocol dns"; I don't think IOS in the router knows anything about what type of DNS query is coming in; and the same query to the other nameserver ('dig @ns1.richeyrentals.com -t any slsware.com') also fails. That one's also behind a PIX, but has a non-IOS router.

Both servers are Debian lenny, 'named -v' says BIND 9.5.1-P3, and bind's config check says it's OK.
But it has nothing to do with any of that, I think, because the query works from inside.

Any ideas?

-- 
Glenn English
g...@slsware.com

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
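A small Python check of the UDP-versus-TCP point raised in the reply, added here as an example and not code from the thread or from BIND: it builds an ANY query, reads the TC (truncated) bit a nameserver sets when the answer does not fit in the UDP reply, and labels the case where the TCP/53 retry gets nothing, which is the "ANY fails from outside, MX works from anywhere" symptom. The sample headers are constructed, and `probe()` is an assumed helper for running the same check against a server you administer.

```python
import socket
import struct

def build_query(name, qtype=255, txid=0x1234):
    """Wire-format DNS query with RD set; qtype 255 is ANY, 15 would be MX."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def tcp_frame(msg):
    """DNS over TCP/53 prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp):
    """Pull the flags a resolver acts on out of the 12-byte response header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "tc": flags >> 9 & 1, "rcode": flags & 0xF, "ancount": an}

def diagnose(udp_resp, tcp_resp):
    """Classify what the querying MTA experiences from the two transports."""
    if udp_resp is None:
        return "no-udp-answer"            # UDP/53 itself is not reaching the server
    if not parse_header(udp_resp)["tc"]:
        return "ok-udp"                   # small answer, TCP never needed (the MX case)
    if tcp_resp is None:
        return "udp-truncated-tcp-blocked"  # big ANY answer, retry over TCP/53 fails
    return "ok-tcp-fallback"

# Constructed sample headers, no records appended; only the flags matter here.
UDP_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR|TC|RD|RA
UDP_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR|RD|RA, 3 answers

def probe(server, name, timeout=3.0):
    """Live check against a server you administer: UDP first, then TCP (network I/O)."""
    q, udp, tcp = build_query(name), None, None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            udp = s.recv(4096)
    except OSError:
        pass
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(q))
            tcp = s.recv(struct.unpack("!H", s.recv(2))[0])
    except (OSError, struct.error):
        pass
    return diagnose(udp, tcp)
```

If `probe("ns1.example", "example.com")` returns `udp-truncated-tcp-blocked` from outside but `ok-tcp-fallback` from inside, the firewall in front of the server is passing UDP/53 but not TCP/53.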