Re: T_ANY

2010-03-20 Thread Glenn English

On Mar 20, 2010, at 10:12 AM, Florian Weimer wrote:

 Have you compiled qmail yourself?  

Thanks, Florian, but it's fixed. The problem was that my PIX firewall's IDS 
blocks T_ANY queries by default, and Yahoo's qmail does T_ANY queries. I turned 
the block off in the PIX.

I'm told that qmail 'always' does that. But I know it doesn't because some mail 
from Yahoo has gotten through -- maybe not all Yahoo servers are qmail; maybe 
some have applied the patch you suggested; maybe there's an undocumented 'phase 
of the moon' var in the PIX' IDS. I don't know. Just why qmail reports a T_ANY 
failure as a CNAME failure, I also don't know.

-- 
Glenn English
g...@slsware.com



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


T_ANY

2010-03-19 Thread Glenn English
I posted this to the postfix users list:

One of my users had problems receiving from Yahoo a couple days ago. The sender 
(in FLA) got this:

 From: mailer-dae...@yahoo.com mailer-dae...@yahoo.com
 To: xx...@yahoo.com
 Sent: Sun, March 7, 2010 5:51:09 PM
 Subject: failure notice
 
 Hi. This is the qmail-send program at yahoo.com.
 I'm afraid I wasn't able to deliver your message to the following addresses.
 This is a permanent error; I've given up. Sorry it didn't work out.
 
 xx...@slsware.com:
 CNAME lookup failed temporarily. (#4.4.3)
 I'm not going to try again; this message has been in the queue too long.

I got responses saying that the problem was that my DNS ignores 

'dig @ns1.slsware.com -t any slsware.com' (or 'dig +trace -t any slsware.com')

and indeed it does, from outside. From inside it's fine, and '-t MX' works from 
anywhere. Yahoo's MTA (qmail) does T_ANY lookups, so it thinks there's nobody 
home at my nameserver. But I can't get anybody over on the postfix list to 
suggest what might be wrong. I spent the morning with google, and couldn't find 
anything that looked like it might be the answer.

The obvious answer is firewalling, but I don't think that's it. A query from 
inside goes through the same PIX firewall as would a query from outside; the 
pix is configured no fixup protocol dns; I don't think IOS in the router 
knows anything about what type of DNS query is coming in; and the same query to 
the other nameserver ('dig @ns1.richeyrentals.com -t any slsware.com') also 
fails. That one's also behind a PIX, but has a non-IOS router.

Both servers are Debian lenny, 'named -v' says BIND 9.5.1-P3, and bind's config 
check says it's OK. But it has nothing to do with any of that, I think, because 
the query works from inside.

Any ideas?
 
-- 
Glenn English
g...@slsware.com





Re: T_ANY

2010-03-19 Thread Glenn English

On Mar 19, 2010, at 3:35 PM, Kevin Oberman wrote:

 PIX, you say? They used to have a problem with DNS UDP packets over 512
 bytes. (Well, it didn't have a problem, it just blocked them. I'm not
 sure what, if any, code version fixes this. I don't have any these days.)

6.3 fixed it. The command is fixup protocol dns min_length nnn. 

It was indeed the PIX, though ip audit signature 6053 disable allows T_ANY 
DNS queries. By default sig 6053 blocks T_ANY on the outside interface...

Thank you all for your suggestions.

-- 
Glenn English
g...@slsware.com



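The failure mode discussed in this thread (a T_ANY query from outside dropped by the firewall while an MX query for the same name gets through), as an added example that is not part of the original posts. The script builds a DNS query in RFC 1035 wire format, parses the question section back out, and models the observed behaviour in `would_pix_drop`; that function and the `from_outside` flag are an assumption for illustration, not the PIX's actual signature logic.

```python
import struct

QTYPE_MX = 15
QTYPE_ANY = 255  # T_ANY on the wire; the type the thread says qmail uses

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(pkt: bytes):
    """Return (qname, qtype) from the first question of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        if length & 0xC0:  # compression pointers do not belong in a query QNAME
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype

def would_pix_drop(pkt: bytes, from_outside: bool) -> bool:
    """Assumed model of the thread's observation: ANY queries on the outside interface are dropped,
    everything else (and anything from inside) passes. Not the PIX's real signature logic."""
    _name, qtype = parse_question(pkt)
    return from_outside and qtype == QTYPE_ANY

if __name__ == "__main__":
    # Constructed sample queries for the domain named in the thread.
    for qtype in (QTYPE_ANY, QTYPE_MX):
        pkt = build_query("slsware.com", qtype)
        print(parse_question(pkt), "dropped from outside:", would_pix_drop(pkt, True))
```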