Help - Name server timeout

[Simon Dullingham]

I have been having trouble with my own ISP being able to send mail to my company's domain. Occasionally things get through, but in general I get a "Name server timeout" message, and after 5 days the email gets returned as undeliverable.

I have upgraded sendmail to 8.11.5 and BIND to 9.2.0, rc1 to see whether that solves the problem, but I still seem to have a problem. I am trying to send from @austin.rr.com to @fantoft.com.

Can any one help?

Thanks in advance

[Kevin Darcy]

fantoft.com has a delegation mismatch. It's delegated from "com" to "dns1.fantoft.com" and "dns2.fantoft.com", but it publishes only "raptor.fantoft.com" in its NS records.

You should tell them to fix that. The NS records should match the delegations and vice versa.

It's also not very reliable to have only 1 nameserver for the zone.

- Kevin

[Will Yardley]

Simon Dullingham wrote:
> I have been having trouble with my own ISP being able to send mail to my
> company's domain. Occasionally things get through, but in general I get a
> "Name server timeout" message, and after 5 days the email gets returned as
> undeliverable.
>
> I have upgraded sendmail to 8.11.5 and BIND to 9.2.0, rc1 to see whether
> that solves the problem, but I still seem to have a problem. I am trying to
> send from @austin.rr.com to @fantoft.com.

there is no A record for that domain. i believe that sendmail by default
won't send mail to, or receive mail from, domains that don't have an A record
that resolves. there are some options in sendmail to not canonify sender and
/ or recipient domains, or not to make sure that the sender / recipient
domain has an A record. the simple thing to do if you have control over your
domain's DNS is to add an A record; this is really a sendmail configuration
problem though rather than a DNS problem.

you could try something like this
CANONIFY_DOMAIN(`yourdomain.com')
FEATURE(`nocanonify', `canonify_hosts')dnl
(note - this will also disable canonification so if you're not using the
machine running sendmail purely as a mail gateway you might want to figure
out some resolver options to add to the sendmail configuration rather than
using nocannonify).

for incoming mail, you can use:
FEATURE(accept_unresolvable_domains)

jazz% dig fantoft.com

; <<>> DiG 9.2.0rc1 <<>> fantoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fantoft.com. IN A

;; AUTHORITY SECTION:
fantoft.com. 10800 IN SOA raptor.fantoft.com. root.fantoft.com. 2000121449 10800 3600 604800 86400

;; Query time: 948 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 17 14:34:07 2001
;; MSG SIZE rcvd: 77

--
Sintax error in config file! (line 378)
aborted!

[Barry Margolin]

In article <9lk3vq$2...@pub3.rc.vix.com>,

Will Yardley <willi...@hq.newdream.net> wrote:
>there is no A record for that domain. i believe that sendmail by default
>won't send mail to, or receive mail from, domains that don't have an A record
>that resolves.

You seem to have completely forgotten about MX records. One of the reasons
MX records were created was to allow mailing to addresses that aren't on
the Internet, and therefore don't have A records.

--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

[Jim Reid]

>>>>> "Barry" == Barry Margolin <bar...@genuity.net> writes:

Barry> You seem to have completely forgotten about MX records.
Barry> One of the reasons MX records were created was to allow
Barry> mailing to addresses that aren't on the Internet, and
Barry> therefore don't have A records.

In case Barry's comment confuses anyone, those (email) addresses that
were not on the internet were reached via SMTP gateways that did have
A records and lived on the internet.

Does anyone else remember UUCP, BITNET or even X.400?

[Simon Dullingham]

Barry,

It did not seem correct to me that fantoft.com must exist as an A record.
Most sites that I am aware just point it at their web server, anyway. Plus I
did not think that anything other than MX records were used...

Simon

"Barry Margolin" <bar...@genuity.net> wrote in message
news:9lk8im$2...@pub3.rc.vix.com...

[Will Yardley]

Barry Margolin wrote:
> Will Yardley <willi...@hq.newdream.net> wrote:

> >there is no A record for that domain. i believe that sendmail by default
> >won't send mail to, or receive mail from, domains that don't have an A record
> >that resolves.

> You seem to have completely forgotten about MX records. One of the reasons
> MX records were created was to allow mailing to addresses that aren't on
> the Internet, and therefore don't have A records.

no - i haven't forgotten about MX records. however some versions of
sendmail (especially more recent ones such as the version used by the
person who wrote in) do checks to see if a hostname resolves
cannonically by default - if you don't want sendmail to perform these
checks you have to add stuff to the sendmail configuration file. for
instance some versions of sendmail will refuse mail from a domain that
doesn't have an A record (even if there's an MX record), and the same
for sending mail (or at least that's my understanding). This is why
there are options like 'Accept_unresolvable_domains'. There are also
some problems in 8.12 if sendmail gets the wrong kind of response for an
aaaa record if sendmail is configured for ipv6

for instance i was having problems with sendmail 8.12 beta and the
domain 'prodigy.net.mx'. there is a 'servfail' response when asking for
an aaaa record instead of an empty response with an soa record.

this seems to cause problems with the cannonification process in
some versions of sendmail.

w

[Jim Reid]

>>>>> "Will" == Will Yardley <willi...@hq.newdream.net> writes:

Will> for instance i was having problems with sendmail 8.12 beta
Will> and the domain 'prodigy.net.mx'. there is a 'servfail'
Will> response when asking for an aaaa record instead of an empty
Will> response with an soa record.

While there may or may not be a problem with sendmail's handling of
AAAA records, this is ultimately a problem with the name servers for
prodigy.net.mx. They are all running an old version of BIND, 8.1.2.
None of them are answering authoritatively for that zone. If they are
asked for a <name, type, class> tuple that isn't in the prodigy.net.mx
domain, they return SERVFAIL. This might be a bug in 8.1.2. [Who
cares? It's long dead.] Or it could be that the servers attempt to
resolve those queries, find the zone's NS records point at themselves
and then give up with a SERVFAIL.

I've Cc'ed the SOA RNAME contact for this zone so hopefully someone
there will fix the problem of the non-authoritative answers and
upgrade their name servers.

[Mark_A...@isc.org]

>
> <9lllja$8...@pub3.rc.vix.com> divulged:

>
> >This might be a bug in 8.1.2. [Who cares? It's long dead.]
>

> perhaps long dead from a coding or distribution perspective, but all too
> alive on the net -- and for that reason i care somewhat (as in how does
> it's failure modes affect me and mine, mostly).
>
> --
> okay, have a sig then
>

8.1.2 well happily serve AAAA records. This in nothing more that
the operator not correcting zone errors.

Mark

; <<>> DiG 8.3 <<>> soa prodigy.net.mx @dns.uninet.net.mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; prodigy.net.mx, type = SOA, class = IN

;; ANSWER SECTION:
prodigy.net.mx. 5M IN SOA dns.uninet.net.mx. dns-adm.uninet.net.mx. (
20010806 ; serial
23h20m ; refresh
1H ; retry
1W ; expiry
5M ) ; minimum

;; Total query time: 326 msec
;; FROM: drugs.dv.isc.org to SERVER: dns.uninet.net.mx 200.33.150.193
;; WHEN: Mon Aug 20 09:21:28 2001
;; MSG SIZE sent: 32 rcvd: 93

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org

[Barry Finkel]

I have seen lots of the sircam virus that has a return path of

prodigy.net.mx

even though the mail did not originate from there. I have seen the
userid portion of the return address contaim multiple cntl-a characters.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-9689
Building 221, Room B236 Internet: BSFi...@anl.gov
Argonne, IL 60439-4844 IBMMAIL: I1004994

[those who know me have no need of my name]

[f-us set. again the more appropriate to n.a.n-a.e and comp.virus groups
aren't safe to cross-post to as i should]

<9lr7h3$1...@pub3.rc.vix.com> divulged:

>I have seen lots of the sircam virus that has a return path of
>
> prodigy.net.mx
>
>even though the mail did not originate from there.

i've seen plenty of open-relay type traffic through them. plus it's coded
into the worm ...

,----[from <http://www.sarc.com/avcenter/venc/data/w32.sir...@mm.html>]
| If no email account exists, then the current user name will be
| prepended to "prodigy.net.mx", eg if the current user logged on as
| JSmith, then the address will be "jsm...@prodigy.net.mx". Then the
| worm will attempt to connect to a mail server. This will be either the
| mail server taken from the registry, or one of
|
| * prodigy.net.mx
| * goeke.net
| * enlace.net
| * dobleclick.com.mx
`----

>I have seen the
>userid portion of the return address contaim multiple cntl-a characters.

a bug in the worm.