On Mon, Mar 04, 2013 at 12:31:08PM -0600, Blake Hudson wrote: > KSB wrote the following on 3/4/2013 12:13 PM: > >On 2013.03.04. 20:06, Blake Hudson wrote: > >>Just hoping to get a consensus on this. Postfix is stating that a > >>host (in fact several hosts from the same ISP) does not have > >>rDNS, because our DNS (Bind 9.8) returns SERVFAIL when looking up > >>a PTR record for it. The IP in question is 63.171.0.212. From my
See RFC 2317. > >>perspective, this IP does not have a PTR record and as such does > >>not have proper rDNS. Other tools (including older versions of > >>bind) might say otherwise; What do you say? > >>* > >Seems very, very strage... but probably this is allowed, anybody knows? > > > >;; QUESTION SECTION: > >;212.0.171.63.in-addr.arpa. IN PTR > > > >;; ANSWER SECTION: > >212.0.171.63.in-addr.arpa. 86400 IN CNAME > >63.171.0.212.cust.lkq.sprintlink.net. > >63.171.0.212.cust.lkq.sprintlink.net. 86400 IN PTR mail1.lkqcorp.com. It's fine. As to why your named is returning SERVFAIL, that is another issue. Obviously a SERVFAIL will prevent it from being resolved. I get the SERVFAIL as well: Mar 4 12:51:36 chestnut named[1811]: error (chase DS servers) resolving 'cust.lkq.sprintlink.net/DS/IN': 144.228.254.10#53 Mar 4 12:51:36 chestnut named[1811]: error (insecurity proof failed) resolving 'lkq.sprintlink.net/NS/IN': 144.228.255.10#53 Mar 4 12:51:36 chestnut named[1811]: error (insecurity proof failed) resolving 'lkq.sprintlink.net/NS/IN': 206.228.179.10#53 Mar 4 12:51:36 chestnut named[1811]: error (insecurity proof failed) resolving 'lkq.sprintlink.net/NS/IN': 144.228.254.10#53 Mar 4 12:51:36 chestnut named[1811]: error (no valid DS) resolving '63.171.0.212.cust.lkq.sprintlink.net/PTR/IN': 144.228.254.10#53 This is a problem with the DNSSEC signing. > OK, so we ask for a PTR on 212.0.171.63.in-addr.arpa and instead > receive a CNAME (with additional). Did anyone notice that the CNAME > does not resolve? > > -- > > # dig @ns1-auth.sprintlink.net 63.171.0.212.cust.lkq.sprintlink.net You're doing a default query type, for "A". > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.4 <<>> > @ns1-auth.sprintlink.net 63.171.0.212.cust.lkq.sprintlink.net > ; (2 servers found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7207 NOERROR means that the name exists, but there is no data of the requested type, A. It's wrong to assume that all names in the DNS should have A records. > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > ;; WARNING: recursion requested but not available > > ;; QUESTION SECTION: > ;63.171.0.212.cust.lkq.sprintlink.net. IN A > > ;; AUTHORITY SECTION: > cust.lkq.sprintlink.net. 7200 IN SOA ns1-auth.sprintlink.net. > dns-admin.sprint.net. 2010080301 43200 3600 2419200 7200 > > ;; Query time: 50 msec > ;; SERVER: 206.228.179.10#53(206.228.179.10) > ;; WHEN: Mon Mar 4 12:04:25 2013 > ;; MSG SIZE rcvd: 116 > > -- -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
