In message <1303906294.2246.93.camel@karl>, Karl Auer writes:
>
> Hi all.
>
> Well, I'm stumped.
>
> This is causing non-delivery of mail for the affected domain because it
> is blocking fallback from IPv6 to IPv4 for the domain. The problem
> smells like misconfigured IPv6 somewhere along the way, but all the
> servers involved (that have IPv6 addresses) seem to be answering OK.

The SMTP server will be failing on the MX lookup if it is following
the RFCs. A and AAAA should only be looked up after getting a NODATA
response to an MX query.

> Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
> a particular domain, namely "mailergoat.rsi.co.jp". But from other
> places, we get NOERROR (which is the correct answer, because there is an
> A record with that name). However, from some places outside our network
> we also get SERVFAIL.

The nameservers for mailergoat.rsi.co.jp are broken. They return
the *wrong* SOA record in the response which can clearly be seen
at the end of a "dig +trace mailergoat.rsi.co.jp mx".

mailergoat.rsi.co.jp. 600 IN NS gtm1.rsi.co.jp.
mailergoat.rsi.co.jp. 600 IN NS gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms

rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms

The correct SOA record would be "mailergoat.rsi.co.jp 60 IN SOA
gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60"
all other things being equal.

> Traces (using the +trace option to dig) are identical regardless of
> where we do them, besides some reordering of the nameserver results,
> which is normal.
>
> One oddity (at least it seems odd to me) is that a trace ends with two
> nameservers, gtm1.rsi.co.jp and gtm2.rsi.co.jp, that are not present in
> the nameserver list for rsi.co.jp, meaning that the domain
> mailergoat.rsi.co.jp has been delegated to them. When I ask either of
> those servers directly for the nameserver records for
> mailergoat.rsi.co.jp, I get NOERROR, but no answer. Asking those servers
> for "ANY" records for that name shows an A record and a TXT (SPF) record
> only. That makes this a lame delegation - but why do some recursive
> nameservers report it as SERVFAIL and some as NOERROR? A difference
> between nameservers, or nameserver versions?

Different tolerances for errors. Adding an MX record here will help.
One really shouldn't be depending upon the implicit MX records
generated from the A and AAAA records.

> Any ideas gratefully received. See below for dig outputs demonstrating
> the above statements.
>
> Regards, K.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
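
Added example (not part of the original message, and not ISC or BIND code): a small Python check that reads the tail of the "dig +trace" output quoted in the reply and compares the owner name of the SOA in the NODATA response with the delegation point. The function names and the rule applied (the SOA owner must be at or below the delegated name and at or above the query name) are this example's assumptions.

```python
# Tail of the "dig +trace mailergoat.rsi.co.jp mx" output quoted in the message.
TRACE_TAIL = """\
mailergoat.rsi.co.jp. 600 IN NS gtm1.rsi.co.jp.
mailergoat.rsi.co.jp. 600 IN NS gtm2.rsi.co.jp.
;; Received 108 bytes from 202.248.0.34#53(ns.center.web.ad.jp) in 304 ms
rsi.co.jp. 60 IN SOA gtm1.rsi.co.jp. hostmaster.gtm1.rsi.co.jp. 31 10800 3600 604800 60
;; Received 90 bytes from 202.25.214.15#53(gtm2.rsi.co.jp) in 395 ms
"""

def labels(name):
    """Lower-cased label list for a domain name; the root dot is ignored."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_at_or_below(name, ancestor):
    """True if `name` equals `ancestor` or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def parse_records(text):
    """Yield (owner, rtype) for each resource-record line of dig output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[2] == "IN":
            yield fields[0], fields[3]

def check_negative_soa(text, qname):
    """Return (ok, zone_cut, soa_owner) for a NODATA answer after a referral.

    zone_cut is the deepest NS owner covering qname; ok is True only when
    the SOA owner lies at or below that cut and at or above qname.
    """
    recs = list(parse_records(text))
    cuts = [o for o, t in recs if t == "NS" and is_at_or_below(qname, o)]
    soas = [o for o, t in recs if t == "SOA"]
    if not cuts or not soas:
        raise ValueError("need both a delegation and an SOA in the input")
    zone_cut = max(cuts, key=lambda o: len(labels(o)))
    soa_owner = soas[-1]  # the SOA from the last (authoritative) response
    ok = is_at_or_below(soa_owner, zone_cut) and is_at_or_below(qname, soa_owner)
    return ok, zone_cut, soa_owner

if __name__ == "__main__":
    ok, cut, soa = check_negative_soa(TRACE_TAIL, "mailergoat.rsi.co.jp")
    print(f"delegated at {cut}, SOA owned by {soa}: {'ok' if ok else 'MISMATCH'}")
```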