
CNAME lookup failed temporarily


Michael Hutchinson

Feb 27, 2008, 4:49:33 PM

Hi all,

 

I’ve noticed we are not able to deliver mail for a handful of domains, and in our qmail logs I get these messages for every one of those domains we cannot deliver to:

 

delivery 431155: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/

 

I have done host lookups with our mail server on these domains, and it tells me that there is no A record for them. However, a lookup on our windows boxes seems to work fine.

 

Googling the error says that we could be receiving a bigger than 512-byte lookup answer and qmail cannot handle that. I do not think this is the case as we have been able to deliver to these domains just fine until two days ago. The answer supplied for this problem is to install djb’s dns server. Well, we already have Bind9 – so I don’t understand how we can have two Dns servers on one system.

 

Any help would be muchly appreciated. I can supply more information, but don’t know what would be relevant.

 

Cheers,

Michael Hutchinson

 

Michael Elson

Feb 27, 2008, 5:33:31 PM

It is possible to run multiple DNS servers on one server.  Someone could potentially run BIND for external DNS and djbdns for internal DNS, depending on what you are trying to accomplish.  But, that is not a common setup.  If it just stopped working within the past two days, then chances are something quit working?  Or did you update/modify your server configuration?  Most CNAME lookups fail if the mail server is having a DNS issue.

 

1)      What is the nameserver you have in /etc/resolv.conf? 

2)      What are the DNS Servers: on the windows boxes (ipconfig /all)?

3)      What is the IP that BIND is configured to listen on?

4)      Try this test…

 

nslookup

> server localhost

> set type=mx

> thedomainyouhaveproblemswith.com

 

??

 

 

-Mike

Michael Hutchinson

Feb 27, 2008, 5:51:37 PM
> -----Original Message-----
> From: Sasa Ugrenovic [mailto:sa...@admin-networks.org]
> Sent: Thursday, 28 February 2008 11:14 a.m.
> To: Michael Hutchinson
> Cc: qm...@list.cr.yp.to
> Subject: Re: CNAME lookup failed temporarily
>
> You need to watch for MX record, host -t MX domain.com
> Anyway, if you looked up, and there's no A record probably there's no MX
> record too because the problem is maybe with resolver or firewall blocking
> necessary ports.
>
> If there's no MX record too
> Compare DNS resolver settings on working machines (windows boxes?) and
> /etc/resolv.conf on (Linux?) box.
> And do whatever you think is best. Fix the resolver from resolv.conf or
> use those servers that windows uses.
>
> Hope that's the issue and this helps.

Hmm. Seems to me there is something afoot with the host information I am
getting.
This command:
host -t MX trigg.co.nz

works fine and provides correct output. I am aware that qmail doesn't do
this. I understand it does an ALL search and then filters it for MX
records. But the response for:

host trigg.co.nz

responds with "trigg.co.nz A record currently not present"

unless I do:

host www.trigg.co.nz

which gives a valid A record response, but Qmail won't be doing that. It
smells a bit like a dns configuration issue, but then I am getting this
problem for 7 different domains. They all have the "no A record issue"
if I use "host domain.com", but "host -t mx domain.com" works, and so
does "host www.domain.com".

I have used dig on another linux box to check for the whole 512byte
issue, but the lookups we are doing are barely half that amount of
bytes.

Now I am getting confused. It would seem that many domains we CAN
deliver mail to, respond just fine to a "host domain.com" request,
responding in a valid A record.

<shrugs shoulders>
Beats me

Cheers,
Mike


Michael Hutchinson

Feb 27, 2008, 6:08:47 PM

Hi There,

 

Our config has not changed, the most our mail server has seen in the way of config for the past 2 or 3 weeks are spamassassin rules. Heh.

 

It sounds like we are having a DNS issue, so I asked a friend if he could use his linux email server running qmail to send to trigg.co.nz, which he couldn’t do straight away, he got deferred delivery just like I have for the same reason, CNAME_lookup_failed_temporarily. Except, his did deliver about 5 minutes later. I am beginning to think it has something to do with the dns server that is looking up that domain for us, but technically, qmail is meant to use the destination domain’s dns server to do this.

 

1: resolv.conf :

nameserver 127.0.0.1

 

2: results in an in-house windows dns server. I think the information is passed on from our ISP’s dns server.

 

3: I don’t know how you specify an IP for bind to listen on, it certainly is not in named.conf

 

4: MX lookups appear to be fine, but I don’t believe qmail is doing this. I believe it is doing a full lookup, and then filtering for the MX records.

 

All of the domains that do not deliver fail this test “host domain.com” – saying there is no A record for that domain.

But if I prefix the domain with www, I get an A record.

Domains I can deliver to do not fail the “host domain.com” test, they all report an A record. Is it normal behaviour to not have an A record for the basic domain name? I mean, it just seems silly to only have an A record for the www prefix of the domain. I could be wrong, I am no DNS expert.

 

Cheers,

Mike

 

 

 



Kyle Wheeler

Feb 27, 2008, 6:10:13 PM
On Thursday, February 28 at 11:51 AM, quoth Michael Hutchinson:

>Hmm. Seems to me there is something afoot with the host information I
>am getting. This command:
>host -t MX trigg.co.nz
>
>works fine and provides correct output. I am aware that qmail doesn't
>do this. I understand it does an ALL search and then filters it for
>MX records. But the response for:
>
>host trigg.co.nz
>
>responds with "trigg.co.nz A record currently not present"

If what you're getting is "CNAME lookup failed temporarily", then you
need to be testing CNAME lookups:

host -t CNAME trigg.co.nz

or

dig trigg.co.nz CNAME

The answer from my DNS server is 29 bytes. How big is yours?

~Kyle
--
No one loves armed missionaries.
-- Maximilien Robespierre

Michael Hutchinson

Feb 27, 2008, 6:22:19 PM
> -----Original Message-----
> From: Kyle Wheeler [mailto:kyle-...@memoryhole.net]
> Sent: Thursday, 28 February 2008 12:10 p.m.
> To: qm...@list.cr.yp.to
> Subject: Re: CNAME lookup failed temporarily
>

Hi Kyle,

You help so many people on so many lists, I don't know how you find the
time :)

OK for host -t CNAME trigg.co.nz I get:

# host -t CNAME trigg.co.nz
trigg.co.nz CNAME record currently not present

Our mailserver doesn't have dig. I used it from another linux box on the
same network:

s:~# dig trigg.co.nz CNAME

; <<>> DiG 9.2.4 <<>> trigg.co.nz CNAME
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39379
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;trigg.co.nz. IN CNAME

;; AUTHORITY SECTION:
trigg.co.nz. 10800 IN SOA ns.cns.co.nz. dns.cns.co.nz. 2008021801 43200 3600 1036800 43200

;; Query time: 22 msec
;; SERVER: 192.168.6.2#53(192.168.6.2)
;; WHEN: Thu Feb 28 12:24:18 2008
;; MSG SIZE rcvd: 76


Err.. is the MSG SIZE bit the amount of bytes the response is ? I know
how to tell from the host command, but I don't know dig at all.

Michael Hutchinson

Feb 27, 2008, 7:11:49 PM
> >
> > If what you're getting is "CNAME lookup failed temporarily", then you
> > need to be testing CNAME lookups:
> >
> > host -t CNAME trigg.co.nz
> >
> > or
> >
> > dig trigg.co.nz CNAME
> >
> > The answer from my DNS server is 29 bytes. How big is yours?
>


It might be worth noting that I had a friend test delivery to
trigg.co.nz from his mail server in Timaru, which runs Qmail. He
exhibited the same issue for about 5 minutes, with the whole CNAME
lookup failed temp. message. After that, the email actually did deliver.
I don't know what is so different about his setup that it eventually
worked, but the fact that it failed with the same message at the start
would suggest that the problem is not specific to our mail server,
right? I hope so.

Sasa Ugrenovic

Feb 28, 2008, 10:48:48 AM
Qmail for resolving uses nameserver from resolv.conf.

Type host -t MX domain.that.cant.resolve 127.0.0.1

If you don't get a reply, then it's a faulty resolver. Change that IP address in resolv.conf to a working one.

Kind Regards,
-lb

On Thu, 28 Feb 2008 12:08:47 +1300
"Michael Hutchinson" <mhutc...@manux.co.nz> wrote:

> 1: resolv.conf :
>
> nameserver 127.0.0.1

Igor Smitran

Feb 28, 2008, 7:09:16 AM
In my experience when DNS returns No A records it means that somewhere on
the line upstream DNS forbids it to do reverse lookup. Check your upstream
DNS for allow-recursion lines.

Regards,
Igor

----- Original Message -----
From: "Sasa Ugrenovic" <sa...@admin-networks.org>
To: "Michael Hutchinson" <mhutc...@manux.co.nz>
Cc: <qm...@list.cr.yp.to>
Sent: Wednesday, February 27, 2008 11:14 PM
Subject: Re: CNAME lookup failed temporarily

> You need to watch for MX record, host -t MX domain.com
> Anyway, if you looked up, and there's no A record probably there's no MX
> record too because the problem is maybe with resolver or firewall blocking
> necessary ports.
>
> If there's no MX record too
> Compare DNS resolver settings on working machines (windows boxes?) and
> /etc/resolv.conf on (Linux?) box.
> And do whatever you think is best. Fix the resolver from resolv.conf or
> use those servers that windows uses.
>
> Hope that's the issue and this helps.
>

> -lb


>
>
> On Thu, 28 Feb 2008 10:49:33 +1300
> "Michael Hutchinson" <mhutc...@manux.co.nz> wrote:
>
>> I have done host lookups with our mail server on these domains, and it
>> tells me that there is no A record for them. However, a lookup on our
>> windows boxes seems to work fine.
>
>


Kyle Wheeler

Feb 28, 2008, 4:48:39 PM
On Thursday, February 28 at 12:22 PM, quoth Michael Hutchinson:

>You help so many people on so many lists, I don't know how you find
>the time :)

;) Mostly, just the two.

># host -t CNAME trigg.co.nz
>trigg.co.nz CNAME record currently not present

Well, that's not a failure, which is the important part.

>;; MSG SIZE rcvd: 76

Fair enough.

So, now we recreate what qmail *really* does, which is send an ANY
query:

host -t ANY trigg.co.nz
dig trigg.co.nz ANY

Here's what dig gives me when I query a BIND server:

; <<>> DiG 9.3.4 <<>> trigg.co.nz ANY
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12769
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigg.co.nz. IN ANY

;; ANSWER SECTION:
trigg.co.nz. 86400 IN NS ns.cns.co.nz.
trigg.co.nz. 86400 IN NS ns.canon.co.nz.

;; AUTHORITY SECTION:
trigg.co.nz. 86400 IN NS ns.cns.co.nz.
trigg.co.nz. 86400 IN NS ns.canon.co.nz.

;; ADDITIONAL SECTION:
ns.cns.co.nz. 86400 IN A 60.234.30.28
ns.canon.co.nz. 86400 IN A 60.234.28.75

;; Query time: 96 msec
;; SERVER: 134.253.16.5#53(134.253.16.5)
;; WHEN: Thu Feb 28 15:24:16 2008
;; MSG SIZE rcvd: 133

The message size there is still plenty small enough for qmail.

Interestingly, if I try and make an ANY request directly of their
nameservers (e.g. `dig @ns.cns.co.nz trigg.co.nz ANY`), the request is
refused.

I'm no DNS expert, but I bet that's what might be mucking things up.

>Err.. is the MSG SIZE bit the amount of bytes the response is ?

Yup.

~Kyle
--
It is a tragic mix-up when the United States spends $500,000 for every
enemy soldier killed, and only $53 annually on the victims of poverty.
-- Reverend Martin Luther King, Jr.

John Johnstone

Feb 28, 2008, 9:46:31 PM
Michael Hutchinson wrote:
> Hi There,
...

> All of the domains that do not deliver fail this test “host domain.com”
> – saying there is no A record for that domain.
>
> But if I prefix the domain with www, I get an A record.
>
> Domains I can deliver to do not fail the “host domain.com” test, they
> all report an A record. Is it normal behaviour to not have an A record
> for the basic domain name? I mean, it just seems silly to only have an A
> record for the www prefix of the domain. I could be wrong, I am no DNS
> expert.

Domain names are used for web serving and e-mail but not in the same way
for each case. Much of this is spelled out in RFC 2821, particularly
section 5. All of us involved with mail servers should be pretty
familiar with that RFC, right? It's unfortunate but domain names were
used for e-mail delivery before there were web servers. Most of us
today are more familiar with the web; it has tended to handicap our
understanding of how domain name handling works in the broader sense.

Generally speaking, to deliver a message, a mail server should take the
domain portion of the email address, trigg.co.nz in your case, and first
try an MX record lookup on that. If that succeeds, it tries to resolve
the name it got into an IP address and attempts to connect to that address.

If the server is unable to retrieve an MX record, it then tries to
lookup a CNAME for trigg.co.nz. If that succeeds, it starts the process
over again to try to come up with an IP address to connect to. If
there is no CNAME either, it should try to lookup an A record for
trigg.co.nz. If that fails, then the delivery fails. The lack of an A
record for trigg.co.nz is a non-issue for e-mail delivery as long as
there is an MX record or CNAME.

In many cases, for convenience in accessing a web site, the owner of a
domain will define an A record for that domain to be equivalent to the
host in that domain that has the web server. This could be example.com
having an A record of 1.2.3.4 which would be the same as
www.example.com's A record of 1.2.3.4.

The CNAME_lookup_failed_temporarily error should occur when an error is
returned by the lookup attempt. It shouldn't occur when a successful
answer comes back from the lookup attempt that says that a CNAME doesn't
exist. A CNAME lookup here for trigg.co.nz returns successfully saying
there isn't one. An MX lookup returns mail.trigg.co.nz and
203.89.183.110 so maybe there was just a transient DNS problem.

There's a site that my company was sending mail to that always returns a
failure for a CNAME lookup i.e. a dig status of SERVFAIL. That resulted
in mail not being deliverable to that domain until I created an
smtproutes entry that pointed to the domain's mail server host name.
There is more about this at:
http://homepages.tesco.net./~J.deBoynePollard/Softwares/qmail/#any-to-cname

And a link that I got from John Simpson's site:
http://www.faqts.com/knowledge_base/entry/versions/index.phtml?aid=28942

I wanted to look into this more since I suspect that qmail is broken
with respect to MX, CNAME, A record handling but I never got the time.
It's somewhat moot since 99+% of the time mail is delivered without any
problems in that area.

>
>
>
> Cheers,
>
> Mike

--
John J.
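
Added example, not part of the original thread or of qmail: a small Python triage of dig output that separates the cases discussed above, i.e. a successful answer saying no record exists (Kyle's and John's point), an error returned by the lookup itself (the SERVFAIL or refused case), and an answer over the 512-byte size raised in the first post. The verdict labels, function names and the two samples marked as constructed are assumptions made for illustration.

```python
import re

QMAIL_DNS_BUF = 512  # response size limit discussed in the thread, in bytes

# dig header lines quoted in the thread: CNAME query for trigg.co.nz.
DIG_THREAD_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39379
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; MSG SIZE rcvd: 76
"""

# Constructed sample: a resolver that returns an error for the lookup.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; MSG SIZE rcvd: 29
"""

# Constructed sample: an ANY answer larger than 512 bytes.
DIG_BIG_ANY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 2, ADDITIONAL: 2
;; MSG SIZE rcvd: 724
"""


def parse_dig(text):
    """Return (rcode, answer count, message size) from dig output."""
    fields = {}
    for key, pattern in (("status", r"status: (\w+)"),
                         ("answers", r"ANSWER: (\d+)"),
                         ("size", r"MSG SIZE\s+rcvd: (\d+)")):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"dig output has no {key} field")
        fields[key] = match.group(1)
    return fields["status"], int(fields["answers"]), int(fields["size"])


def classify(text):
    """Map one dig response to a verdict (labels are this example's own)."""
    status, answers, size = parse_dig(text)
    if status not in ("NOERROR", "NXDOMAIN"):
        return "lookup-error"   # SERVFAIL, REFUSED, ...: the lookup itself failed
    if size > QMAIL_DNS_BUF:
        return "oversized"      # larger than the 512-byte answer from the thread
    if answers == 0:
        return "no-record"      # successful answer saying the record is absent
    return "answer"


if __name__ == "__main__":
    samples = {"thread CNAME": DIG_THREAD_CNAME,
               "constructed SERVFAIL": DIG_SERVFAIL,
               "constructed big ANY": DIG_BIG_ANY}
    for name, sample in samples.items():
        print(f"{name}: {classify(sample)}")
```

Only the "lookup-error" and "oversized" verdicts correspond to the situations the thread associates with the deferral; "no-record" is the harmless case Michael saw for CNAME.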

Michael Hutchinson

Mar 2, 2008, 5:55:16 PM
> -----Original Message-----
> From: Kyle Wheeler [mailto:kyle-...@memoryhole.net]
> Sent: Friday, 29 February 2008 10:49 a.m.
> To: qm...@list.cr.yp.to
> Subject: Re: CNAME lookup failed temporarily
>


It turns out after some testing that we were not the only affected site.
I had a friend run some tests on his Qmail server in Timaru, and he
reported the same DNS problem. We banded together and ran some tests
against different DNS servers, and noticed we were getting different
responses, from the denial you received, Kyle, to "proper" responses
from Actrix DNS servers.

So either there was/is an upstream DNS problem, or mis-configured DNS
entries over at ns.cns.co.nz

I also get an error when I do a 'host -t ANY trigg.co.nz' saying ANY
record not found, server failure. Presumably this means the dns server.
At least, from that, I can determine that it is not my server to blame,
it is the information it is receiving when doing a DNS lookup at our
provider.

Is there a trick I can use with resolv.conf to temporarily get qmail to
deliver mail to the site? I know I can setup a basic translation from
domain name to ips, but will that give Qmail what it needs or will I
continue to get this CNAME problem?

Cheers
Michael Hutchinson

Michael Hutchinson

Mar 2, 2008, 6:01:19 PM
> -----Original Message-----
> From: John Johnstone [mailto:jjohn...@tridentusa.com]
> Sent: Friday, 29 February 2008 3:47 p.m.
> To: qm...@list.cr.yp.to
> Subject: Re: CNAME lookup failed temporarily
>
> Michael Hutchinson wrote:
> > Hi There,
> ...
>
> > All of the domains that do not deliver fail this test "host domain.com"
> > - saying there is no A record for that domain.
> >
> > But if I prefix the domain with www, I get an A record.
> >
> > Domains I can deliver to do not fail the "host domain.com" test, they
> > all report an A record. Is it normal behaviour to not have an A record
> > for the basic domain name? I mean, it just seems silly to only have an A
> > record for the www prefix of the domain. I could be wrong, I am no DNS
> > expert.
>

Thanks for the information. I should read more RFCs, and apologise for
being an intrepid pain to you guys that do know them.

It does sound like a transient DNS problem, about half of the servers I
tested for lookups against trigg.co.nz gave me incorrect responses, and
yet the other half worked fine.

I have decided to go the smtproutes path to creating a temporary fix.
Thank you very much for supplying this information. Rather required for
any Qmail admin, I imagine.

Cheers,
Michael Hutchinson
