> On Mar 17, 2017, at 12:08 PM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
>
> Mar 17 11:39:47 inet08 policyd-spf[13505]: Temperror; identity=helo;
> client-ip=69.89.30.42; helo=gproxy3-pub.mail.unifiedlayer.com;
> envelope-from=p...@thecargosolutionscanada.com;
> receiver=b...@harte-lyne.ca
> . . .
> Mar 17 11:42:52 inet08 policyd-spf[13032]: Temperror; identity=helo;
> client-ip=168.100.1.4; helo=russian-caravan.cloud9.net;
> envelope-from=owner-postfix-us...@postfix.org;
> receiver=b...@harte-lyne.ca
> . . .
> Mar 17 11:51:36 inet08 policyd-spf[13709]: Temperror; identity=helo;
> client-ip=66.135.215.173; helo=mxslcpool71.ebay.com;
> envelope-from=e...@ebay.com; receiver=b...@harte-lyne.ca
>
> They cannot all be suddenly affected by a DNS outage?
Well, just today a notice was posted by the RIPE NCC (see below
my signature) announcing an outage in reverse delegations from
ARIN to RIPE. It is not clear whether that could contribute to
tempfails in your SPF policy daemon (I'd rather expect spurious
NXDOMAIN results for PTR lookups), but bulk outages can certainly
happen.
Enable more detailed logging in the SPF policy daemon and perhaps
also your resolver.
--
Viktor.
Dear colleagues,
Between 17:00 UTC yesterday and 10:00 UTC today, we had an issue that
affected some reverse DNS delegations. The delegations in the
RIPE Database where the parent zone is operated by ARIN were affected.
RIPE NCC publishes zonelet files containing these delegations, and these
are picked up by ARIN's DNS provisioning system periodically. At the end
of these zonelet files is a summary of the counts of various types of
DNS records. A bug in our code accidentally published these summaries
with zero counts, and as a result, the ARIN DNS provisioning system
appears to have removed the delegations.
We have corrected this bug, and the zonelet files now contain the
correct counts. They have been published on the RIPE NCC FTP server, and
ARIN's DNS provisioning system has picked them up and reintroduced the
delegations.
We apologise for any inconvenience caused by this. This is the first
time that such an issue has occurred with delegations that are exchanged
by the zonelet mechanism, and we will try to engineer monitoring to
prevent such an outage in the future.
RIPE NCC's delegations in the following ARIN-operated zones were
affected. The majority of the other delegations in these zones come from
ARIN and the other registries, and were not affected.
104.in-addr.arpa.
107.in-addr.arpa.
128.in-addr.arpa.
129.in-addr.arpa.
130.in-addr.arpa.
131.in-addr.arpa.
132.in-addr.arpa.
134.in-addr.arpa.
135.in-addr.arpa.
136.in-addr.arpa.
137.in-addr.arpa.
138.in-addr.arpa.
139.in-addr.arpa.
13.in-addr.arpa.
140.in-addr.arpa.
143.in-addr.arpa.
144.in-addr.arpa.
146.in-addr.arpa.
147.in-addr.arpa.
148.in-addr.arpa.
149.in-addr.arpa.
152.in-addr.arpa.
156.in-addr.arpa.
157.in-addr.arpa.
158.in-addr.arpa.
159.in-addr.arpa.
160.in-addr.arpa.
161.in-addr.arpa.
164.in-addr.arpa.
165.in-addr.arpa.
166.in-addr.arpa.
168.in-addr.arpa.
169.in-addr.arpa.
170.in-addr.arpa.
173.in-addr.arpa.
198.in-addr.arpa.
199.in-addr.arpa.
206.in-addr.arpa.
209.in-addr.arpa.
216.in-addr.arpa.
23.in-addr.arpa.
24.in-addr.arpa.
45.in-addr.arpa.
52.in-addr.arpa.
65.in-addr.arpa.
66.in-addr.arpa.
