Hello,

I use bind9 on my mail server so that SpamAssassin can perform the necessary DNS blocklist queries. Since it has already happened several times that I had to restart bind9 so that a certain domain could be resolved again, I wanted to ask if anyone knows where I have to set something.

A mail user regularly receives a newsletter from Spain. But the query to check the DKIM signature sometimes leads to a communication error, a timeout and a write error. I am then informed of these errors by e-mail so that I can restart bind9 promptly. After that it works smoothly again until this problem occurs again at some point.

Domain of DKIM-request (duration when the problem occurs 4992 msec!)
############
dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 69cb0f9615955ad7010000006659b7dd9477fff265ac63f6 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; Query time: 4992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:43:25 CEST 2024
;; MSG SIZE  rcvd: 107
############

Then after restarting bind9 (1800 msec)

############
; <<>> DiG 9.18.24-1-Debian <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1ce3693ff4b0e24a010000006659b802511c16009f2773b0 (good)
;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A

;; AUTHORITY SECTION:
mallorcazeitung.es. 2560 IN SOA ns1.epi.es. hostmaster.mallorcazeitung.es. 1717151222 16384 2048 1048576 2560

;; Query time: 1800 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 31 13:44:02 CEST 2024
;; MSG SIZE  rcvd: 182
############

1.8 seconds seems usual for this domain, no idea why, a query from the Bank of China is faster \o/

In the Postfix journal I can read:

############
May 30 13:40:50 mx1 postfix/smtpd[257112]: warning: timeout talking to proxy localhost:10024
May 30 13:40:50 mx1 postfix/smtpd[257112]: proxy-reject: END-OF-MESSAGE: 451 4.3.0 Error: queue file write error; ...
############

My settings in /etc/bind/named.conf.options (Debian 12.5) are:

############
acl goodclients {
        127.0.0.0/8;
        localhost;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forwarders {
        //      9.9.9.9;
        //      149.112.112.112;
        //};

        
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on { any; };
        listen-on-v6 { none; };
};
############

Any idea for improving the config?

And this "after disabling qname minimization due to" thing seems to slow down the requests?
############
named[287800]: success resolving 's1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/A' after disabling qname minimization due to 'ncache nxdomain'
############


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
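
Added example, not part of the original post and not BIND code: a small parser that classifies the two dig outputs quoted above, so a monitoring job can tell a resolver failure (timeout, SERVFAIL) from an empty but valid reply. The sample strings are trimmed copies of that output; the `slow_msec` threshold and the verdict names are assumptions. It also shows that both runs asked for type A, while DKIM keys are published as TXT records, so the NOERROR reply with `ANSWER: 0` is a NODATA answer for A rather than a key lookup.

```python
import re

# Constructed samples: trimmed copies of the two dig outputs quoted in the post.
FAILING = """\
;; communications error to 127.0.0.1#53: timed out
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; Query time: 4992 msec
"""
AFTER_RESTART = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
;; Query time: 1800 msec
"""

def parse_dig(text):
    """Pull out the fields needed to judge one dig run."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else None
    return {
        "status": grab(r"status: (\w+)"),
        "answers": grab(r"ANSWER: (\d+)", int),
        "qtype": grab(r"^;\S+\s+IN\s+(\S+)\s*$"),   # question section line
        "msec": grab(r"Query time: (\d+) msec", int),
        "timeouts": len(re.findall(r"communications error .*timed out", text)),
    }

def classify(text, slow_msec=3000):
    """Return (verdict, notes); slow_msec is an assumed alert threshold."""
    r, notes = parse_dig(text), []
    if r["timeouts"]:
        notes.append(f"{r['timeouts']} attempt(s) timed out")
    if r["msec"] is not None and r["msec"] >= slow_msec:
        notes.append(f"slow reply: {r['msec']} msec")
    if r["status"] != "NOERROR":
        # No header at all means dig never got a reply from the resolver.
        return r["status"] or "NO_REPLY", notes
    if r["answers"] == 0:
        notes.append(f"NOERROR with no {r['qtype']} record (NODATA)")
        if r["qtype"] != "TXT":
            notes.append("DKIM keys are TXT records; ask for TXT explicitly")
        return "NODATA", notes
    return "OK", notes

if __name__ == "__main__":
    for label, out in (("failing", FAILING), ("after restart", AFTER_RESTART)):
        print(label, classify(out))
```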
