Hi Thomas, here were results of my local testing. Very quick. Not sure why it is so slow for you but then I don't know where you are in the world either. As for why the discrepancy in response times when you restart BIND, I don't know what that could be....

dig mallorcazeitung.es in ns

; <<>> DiG 9.18.25 <<>> mallorcazeitung.es in ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53938
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a1d4e2191029e8a301000000665a074027bf0bd4dd02605a (good)
;; QUESTION SECTION:
;mallorcazeitung.es. IN NS

;; ANSWER SECTION:
mallorcazeitung.es. 3600 IN NS ns1.epi.es.
mallorcazeitung.es. 3600 IN NS ns2.epi.es.

;; ADDITIONAL SECTION:
ns1.epi.es. 86305 IN A 213.0.95.2
ns2.epi.es. 86305 IN A 213.4.119.2

;; Query time: 226 msec
;; SERVER: 192.168.40.42#53(192.168.40.42) (UDP)
;; WHEN: Fri May 31 13:22:08 EDT 2024
;; MSG SIZE rcvd: 149

----

dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT @213.0.95.2 +norecurse

; <<>> DiG 9.18.25 <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT @213.0.95.2 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13372
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT

;; ANSWER SECTION:
s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. 300 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8pJ/7Q8Cdtq8BXrF5XpYg4sgR27AyI/fdAlHrU8CcNj2ook9Jwqw2wqBP0voitvqR6U9hy6EPYK/Fz20j0SPc9lDnC1AxiRU22TjffELgR5pQg+lMB71EB41Vj2kCuID6243ABsMSVwAMAnYtA3qgTfmMhEiASF66f8nm1wKpBQIDAQAB"

;; AUTHORITY SECTION:
mallorcazeitung.es. 259200 IN NS ns1.epi.es.
mallorcazeitung.es. 3600 IN NS ns2.epi.es.

;; Query time: 113 msec
;; SERVER: 213.0.95.2#53(213.0.95.2) (UDP)
;; WHEN: Fri May 31 13:25:48 EDT 2024
;; MSG SIZE rcvd: 355

---

dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT @213.4.119.2 +norecurse

; <<>> DiG 9.18.25 <<>> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT @213.4.119.2 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24794
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN TXT

;; ANSWER SECTION:
s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. 300 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8pJ/7Q8Cdtq8BXrF5XpYg4sgR27AyI/fdAlHrU8CcNj2ook9Jwqw2wqBP0voitvqR6U9hy6EPYK/Fz20j0SPc9lDnC1AxiRU22TjffELgR5pQg+lMB71EB41Vj2kCuID6243ABsMSVwAMAnYtA3qgTfmMhEiASF66f8nm1wKpBQIDAQAB"

;; AUTHORITY SECTION:
mallorcazeitung.es. 259200 IN NS ns1.epi.es.
mallorcazeitung.es. 3600 IN NS ns2.epi.es.

;; Query time: 115 msec
;; SERVER: 213.4.119.2#53(213.4.119.2) (UDP)
;; WHEN: Fri May 31 13:25:28 EDT 2024
;; MSG SIZE rcvd: 355

Thank you,
Darren Ankney

On Fri, May 31, 2024 at 1:15 PM Thomas Barth via bind-users <bind-users@lists.isc.org> wrote:
>
> Hello,
>
> I use bind9 on my mail server so that Spamassassin can perform the
> necessary DNS blocklist queries. Since it has already happened several
> times that I have to restart bind9 so that a certain domain can still be
> resolved, I wanted to ask if anyone knows where I have to set something.
>
> A mail user regularly receives a newsletter from Spain. But the query to
> check the DKIM signature sometimes leads to a communication error,
> timeout and a write error. I am then informed of these errors by e-mail
> so that I can restart bind9 promptly. Because then it works smoothly
> again until this problem occurs again at some point.
>
> Domain of DKIM-request (duration when the problem occurs 4992 msec!)
> ############
> dig s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
> ;; communications error to 127.0.0.1#53: timed out
>
> ; <<>> DiG 9.18.24-1-Debian <<>>
> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35945
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 69cb0f9615955ad7010000006659b7dd9477fff265ac63f6 (good)
> ;; QUESTION SECTION:
> ;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
>
> ;; Query time: 4992 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Fri May 31 13:43:25 CEST 2024
> ;; MSG SIZE rcvd: 107
> ############
>
> Then after restarting bind9 (1800 msec)
>
> ############
> ; <<>> DiG 9.18.24-1-Debian <<>>
> s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 1ce3693ff4b0e24a010000006659b802511c16009f2773b0 (good)
> ;; QUESTION SECTION:
> ;s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es. IN A
>
> ;; AUTHORITY SECTION:
> mallorcazeitung.es. 2560 IN SOA ns1.epi.es.
> hostmaster.mallorcazeitung.es. 1717151222 16384 2048 1048576 2560
>
> ;; Query time: 1800 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Fri May 31 13:44:02 CEST 2024
> ;; MSG SIZE rcvd: 182
> ############
>
> 1.8 seconds seems usual for this domain, no idea why, a query from the
> Bank of China is faster \o/
>
> In the Postfix journal I can read:
>
> ############
> May 30 13:40:50 mx1 postfix/smtpd[257112]: warning: timeout talking to
> proxy localhost:10024
> May 30 13:40:50 mx1 postfix/smtpd[257112]: proxy-reject: END-OF-MESSAGE:
> 451 4.3.0 Error: queue file write error; ...
> ############
>
> My settings in /etc/bind/named.conf.options (Debian 12.5) are:
>
> ############
> acl goodclients {
>     127.0.0.0/8;
>     localhost;
> };
>
> options {
>     directory "/var/cache/bind";
>
>     recursion yes;
>     allow-query { goodclients; };
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     //forwarders {
>     //    9.9.9.9;
>     //    149.112.112.112;
>     //};
>
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See
> https://www.isc.org/bind-keys
>
>     //========================================================================
>     dnssec-validation auto;
>
>     listen-on { any; };
>     listen-on-v6 { none; };
> };
> ############
>
> Any idea for improving the config?
>
> And this "after disabling qname minimization due to" thing seems to slow
> down the requests?
> ############
> named[287800]: success resolving
> 's1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es/A' after disabling
> qname minimization due to 'ncache nxdomain'
> ############
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
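
Added example, not part of either poster's message: a small parser for dig output of the kind pasted in this thread, which flags a non-NOERROR status, a slow answer, and a `_domainkey` name queried with a type other than TXT (the quoted runs show `IN A` in the QUESTION section, while the direct queries to the authoritative servers ask for TXT). The sample input, the 1000 ms threshold and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: three dig responses trimmed to the parsed fields (values modelled on the thread).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;s1._domainkey.example.test. IN A
;; Query time: 4992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;s1._domainkey.example.test. IN A
;; Query time: 1800 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;s1._domainkey.example.test. IN TXT
;; Query time: 113 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (UDP)
"""

FIELDS = {
    "status": r"->>HEADER<<- opcode: \w+, status: (\w+)",
    "flags": r"^;; flags: ([a-z ]*);",
    "question": r"^;(\S+)\s+IN\s+(\S+)\s*$",
    "query_ms": r"^;; Query time: (\d+) msec",
    "server": r"^;; SERVER: ([^#\s]+)#\d+",
}

def parse_dig(text):
    """Return one dict per response found in concatenated dig output."""
    out = []
    for chunk in re.split(r"(?m)^(?=;; ->>HEADER<<-)", text):
        m = {k: re.search(p, chunk, re.M) for k, p in FIELDS.items()}
        if not all(m.values()):
            continue  # preamble or truncated response
        out.append({"status": m["status"][1], "flags": m["flags"][1].split(),
                    "qname": m["question"][1], "qtype": m["question"][2],
                    "query_ms": int(m["query_ms"][1]), "server": m["server"][1]})
    return out

def assess(r, slow_ms=1000):
    """List what stands out in one parsed response (slow_ms is an assumed threshold)."""
    checks = [
        (r["status"] != "NOERROR", f"status {r['status']}"),
        (r["query_ms"] >= slow_ms, f"slow: {r['query_ms']} ms"),
        ("._domainkey." in r["qname"] and r["qtype"] != "TXT", f"DKIM name queried as {r['qtype']}, not TXT"),
    ]
    return [msg for hit, msg in checks if hit]
```

The `aa` flag in the parsed `flags` list separates answers taken directly from an authoritative server from those returned by the local recursive resolver, which is the comparison the reply above makes by hand.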