Re: [DNG] Listserver configuration
If the name server receives a question via UDP, that's how it will answer, necessarily. The client could have asked via TCP, but it doesn't know how large the response will be when it sends the question.

The general intention here is that the client will receive either an ICMP message or a reply; if no reply arrives (some people firewall away ICMP in the name of safety), the client is supposed to time out and retry via TCP, but that timeout can be too slow. Last time I ran into that, the upper-level protocol timed out the DNS query before the DNS library switched to TCP.

Arnt

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
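The UDP-then-TCP behaviour Arnt describes, as an added example that is not part of the thread: a minimal resolver loop that reads the TC (truncated) bit from the 12-byte DNS header, falls back to TCP when it is set, and otherwise only reaches TCP after the UDP timeout expires. The transports are stand-ins written for this example (no sockets are opened); the `Timeout`, `budget` and `udp_timeout` names are this example's own, not any library's API.

```python
"""UDP-first DNS query with TCP fallback (added example, not from the thread).

Two failure paths are modelled: the server sets TC because the answer did not
fit the advertised UDP size, and a fragmented UDP reply is silently dropped
with ICMP filtered, so the client learns nothing until its own timer fires.
"""
import struct

QR, TC = 0x8000, 0x0200          # header flag bits (RFC 1035 section 4.1.1)


def build_header(txid, flags, qdcount=1, ancount=0):
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_header(msg):
    """Return (id, flags, qdcount, ancount) from the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags, qd, an


def is_truncated(msg):
    return bool(parse_header(msg)[1] & TC)


class Timeout(Exception):
    pass


def resolve(query, udp_send, tcp_send, udp_timeout=2.0, budget=5.0):
    """Return (reply, transport_used, elapsed_seconds).

    udp_send(query, timeout) / tcp_send(query, timeout) return (reply, seconds
    taken) or raise Timeout. 'budget' models the upper-layer deadline (the
    SMTP server's DNS timeout, say) that may expire before TCP is ever tried.
    """
    elapsed = 0.0
    try:
        reply, took = udp_send(query, udp_timeout)
        elapsed += took
        if not is_truncated(reply):
            return reply, "udp", elapsed
        # TC=1: the server could not fit the answer in our advertised UDP size
    except Timeout:
        elapsed += udp_timeout   # ICMP filtered: nothing tells us any earlier
    remaining = budget - elapsed
    if remaining <= 0:
        raise Timeout("budget exhausted before TCP fallback")
    reply, took = tcp_send(query, remaining)
    return reply, "tcp", elapsed + took


# --- constructed transports standing in for real servers ---------------------
QUERY = build_header(0x1234, 0x0100)          # RD=1; no question body needed here


def udp_truncating(query, timeout):
    # Server answers quickly but sets TC because the full reply is too big
    return build_header(0x1234, QR | TC), 0.05


def udp_blackholed(query, timeout):
    # Fragmented reply dropped on the path, ICMP blocked: only a timeout is seen
    raise Timeout()


def tcp_full(query, timeout):
    return build_header(0x1234, QR, ancount=3), 0.10


def scenario_truncated():
    return resolve(QUERY, udp_truncating, tcp_full)


def scenario_blackhole(budget):
    return resolve(QUERY, udp_blackholed, tcp_full, udp_timeout=2.0, budget=budget)


if __name__ == "__main__":
    print(scenario_truncated())
    print(scenario_blackhole(5.0))
```

With a 2 s UDP timer and a 5 s budget the blackhole case still succeeds over TCP; with a 1.5 s budget it fails before TCP is attempted, which is the ordering problem Arnt saw.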
Re: [DNG] Listserver configuration
Am 2017-07-05 11:51, schrieb Rick Moen:
> Glad to hear it!

I was pleased too early - the problem still exists. I now forward dyne.org to Google DNS.
Re: [DNG] Listserver configuration
Am 2017-07-05 10:47, schrieb Rick Moen:
> edns-buffer-size: ... If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it.

I did some more tests (ping ns.dyne.org with different packet sizes) and found that 1480 is still too large. The limit is somewhere between 1460 and 1480. I now use 1400 for the buffer-size.

Jochen
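Why 1480 still fails and 1400 works, as an added example that is not part of the thread. The arithmetic below turns a working `ping -M do -s N` size into a path MTU, derives the largest DNS reply that fits in one unfragmented UDP datagram (1472 bytes on a plain 1500-byte IPv4 path, which is exactly "somewhere between 1460 and 1480"), and builds and parses the EDNS0 OPT record that advertises the chosen size. The 64-byte margin and the `choose_edns_buffer` helper are this example's own choices; 1232 is the value the DNS Flag Day 2020 effort settled on (1280-byte IPv6 minimum MTU minus 40 + 8 header bytes).

```python
"""Choosing edns-buffer-size from a path-MTU probe (added example, not from the thread)."""
import struct

IPV4_HDR, IPV6_HDR, UDP_HDR, ICMP_ECHO_HDR = 20, 40, 8, 8


def max_dns_payload(mtu, ipv6=False):
    """Largest DNS message that fits in one unfragmented UDP datagram."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def ping_size_to_mtu(icmp_data_len):
    """Largest working 'ping -M do -s N' data size -> path MTU (IPv4)."""
    return icmp_data_len + IPV4_HDR + ICMP_ECHO_HDR


def fits_without_fragmentation(reply_len, mtu, ipv6=False):
    return reply_len <= max_dns_payload(mtu, ipv6)


def choose_edns_buffer(mtu, ipv6=False, margin=64):
    """edns-buffer-size that stays under the fragmentation limit by 'margin',
    never below 512 (the pre-EDNS minimum every server must support)."""
    return max(512, max_dns_payload(mtu, ipv6) - margin)


def build_opt(udp_payload_size, do_bit=True):
    """RFC 6891 OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = ext-rcode | version | flags (DO bit for DNSSEC), empty RDATA."""
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHBBHH", 41, udp_payload_size, 0, 0, flags, 0)


def parse_opt(rr):
    """Return (udp_payload_size, do_bit) from a serialised OPT RR."""
    if rr[0:1] != b"\x00":
        raise ValueError("OPT must carry the root name")
    rtype, size, _ercode, version, flags, _rdlen = struct.unpack("!HHBBHH", rr[1:11])
    if rtype != 41 or version != 0:
        raise ValueError("not an EDNS0 OPT record")
    return size, bool(flags & 0x8000)


if __name__ == "__main__":
    mtu = ping_size_to_mtu(1472)                  # largest size that got a pong
    print("path MTU", mtu, "max DNS payload", max_dns_payload(mtu))
    for size in (4096, 1480, 1400, 1232):
        print(size, "fits" if fits_without_fragmentation(size, mtu) else "fragments")
    print("suggested edns-buffer-size:", choose_edns_buffer(mtu))
```

Unbound's default of 4096 therefore relies on IP fragmentation for any reply over 1472 bytes, and a DNSSEC-signed referral easily exceeds that; if fragments are dropped somewhere on the path the only symptom is a timeout.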
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> Looks like that solved it. Same problem is described here:
> https://serverfault.com/questions/405650/why-are-these-udp-packets-being-dropped

Glad to hear it!

> But shouldn't DNSSEC use tcp instead of udp?

Only if the response is larger than the maximum UDP size.
https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp
Re: [DNG] Listserver configuration
Am 2017-07-05 10:47, schrieb Rick Moen:
> edns-buffer-size:
>     Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg-buffer-size (both for TCP and UDP). Do not set higher than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it.

Looks like that solved it. Same problem is described here:
https://serverfault.com/questions/405650/why-are-these-udp-packets-being-dropped

Large UDP packets are dropped on their way. But shouldn't DNSSEC use TCP instead of UDP?

Jochen
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> Am 2017-07-05 09:43, schrieb Joachim Fahrner:
>
> > Jul 5 09:37:46 server unbound: [22751:0] info: NSEC3s for the
> > referral proved no DS.
>
> Could it be that my problem has to do with DNSSEC?

Obviously, you could test this hypothesis by disabling DNSSEC support for testing purposes. I tend to think 'no', however.

I hesitate to suggest this, because the resemblance to flailing around changing things without a credible theory is uncomfortably close, _but_, it's possible you might need to tweak timeout settings in unbound.conf. E.g.:

    edns-buffer-size:
        Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg-buffer-size (both for TCP and UDP). Do not set higher than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it.

https://www.unbound.net/documentation/unbound.conf.html

You'll want to look broadly at option documentation, and look at this page carefully.
https://www.unbound.net/documentation/info_timeout.html

Part of what makes me uneasy is: Why just on one domain, and (AFAIK) just on your Unbound instance?
Re: [DNG] Listserver configuration
Am 2017-07-05 09:43, schrieb Joachim Fahrner:
> Jul 5 09:37:46 server unbound: [22751:0] info: NSEC3s for the referral proved no DS.

Could it be that my problem has to do with DNSSEC?
Re: [DNG] Listserver configuration
Am 2017-07-05 09:24, schrieb Joachim Fahrner:
> I now increased unbounds verbosity and see if there is further information in the log.

Some more info. Unbound's verbosity level is now 2. I did a "dig tupac2.dyne.org", which had a timeout. This is in the log:

Jul 5 09:37:29 server unbound: [22751:0] info: resolving tupac2.dyne.org. A IN
Jul 5 09:37:29 server unbound: [22751:0] info: resolving ns2.dyne.org. A IN
Jul 5 09:37:29 server unbound: [22751:0] info: resolving ns3.dyne.org. A IN
Jul 5 09:37:29 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul 5 09:37:46 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul 5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul 5 09:37:46 server unbound: [22751:0] info: reply from 199.249.120.1#53
Jul 5 09:37:46 server unbound: [22751:0] info: query response was REFERRAL
Jul 5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul 5 09:37:46 server unbound: [22751:0] info: reply from 178.21.114.142#53
Jul 5 09:37:46 server unbound: [22751:0] info: query response was ANSWER
Jul 5 09:37:46 server unbound: [22751:0] info: response for tupac2.dyne.org. A IN
Jul 5 09:37:46 server unbound: [22751:0] info: reply from 188.166.98.127#53
Jul 5 09:37:46 server unbound: [22751:0] info: query response was ANSWER
Jul 5 09:37:46 server unbound: [22751:0] info: NSEC3s for the referral proved no DS.
Jul 5 09:37:46 server unbound: [22751:0] info: Verified that unsigned response is INSECURE
Jul 5 09:37:57 server unbound: [22751:0] info: response for ns3.dyne.org. A IN
Jul 5 09:37:57 server unbound: [22751:0] info: reply from 188.166.98.127#53
Jul 5 09:37:57 server unbound: [22751:0] info: query response was ANSWER
Jul 5 09:37:57 server unbound: [22751:0] info: response for ns2.dyne.org. A IN
Jul 5 09:37:57 server unbound: [22751:0] info: reply from 188.166.98.127#53
Jul 5 09:37:57 server unbound: [22751:0] info: query response was ANSWER

The response from dyne.org took 9 seconds!

Jochen
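Turning the log above into numbers, as an added example that is not part of the thread: at verbosity 2 Unbound logs `resolving <name> <type> <class>` when it sends an upstream query and `response for ...` when the reply arrives, so pairing the two lines per query gives the upstream latency and makes the slow ones stand out without reading timestamps by hand. The sample lines are constructed after the excerpt above (syslog-style double space before a single-digit day); the regex and the `slow_queries` threshold are this example's own.

```python
"""Per-query latency from Unbound verbosity-2 logs (added example, not from the thread)."""
import re
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ unbound: \[\d+:\d+\] info: "
    r"(?P<event>resolving|response for) (?P<q>\S+ \S+ \S+)$"
)


def parse_ts(ts, year=2017):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def query_latencies(lines, year=2017):
    """Return {query: [seconds, ...]} for every resolving/response pair.

    Retries of the same query are queued in order, so a second 'resolving'
    line is matched to the second 'response for' line. 'reply from' and
    'query response was' lines do not match the regex and are skipped.
    """
    pending, result = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        q, t = m["q"], parse_ts(m["ts"], year)
        if m["event"] == "resolving":
            pending.setdefault(q, []).append(t)
        elif pending.get(q):
            start = pending[q].pop(0)
            result.setdefault(q, []).append((t - start).total_seconds())
    return result


def slow_queries(lines, threshold=5.0, year=2017):
    """Queries whose slowest answer took longer than 'threshold' seconds."""
    return {q: max(v) for q, v in query_latencies(lines, year).items() if max(v) > threshold}


# Constructed sample, modelled on the excerpt in the thread
SAMPLE = """\
Jul  5 09:37:29 server unbound: [22751:0] info: resolving tupac2.dyne.org. A IN
Jul  5 09:37:29 server unbound: [22751:0] info: resolving ns2.dyne.org. A IN
Jul  5 09:37:29 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: reply from 199.249.120.1#53
Jul  5 09:37:46 server unbound: [22751:0] info: query response was REFERRAL
Jul  5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: response for tupac2.dyne.org. A IN
Jul  5 09:37:57 server unbound: [22751:0] info: response for ns2.dyne.org. A IN
""".splitlines()

if __name__ == "__main__":
    for q, secs in sorted(slow_queries(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{secs:5.1f}s  {q}")
```

Run it against `/var/log/syslog` (or `journalctl -u unbound`) filtered to one day and the slow domains come out sorted; a query that never gets a `response for` line at all stays in `pending`, which is the timeout case.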
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> There are no errors in the unbound log. And I'm wondering why these
> timeouts are only with dyne.org. I never had such failures with
> other domains since years. Maybe there is a problem in my providers
> network, but then that should happen with ANY domain, not only
> dyne.org.

Yes, that's a puzzle. Just to give you an additional data point, I ran 10 iterations against each of the three authoritative nameservers directly from linuxmafia.com's command line, and got no timeouts.

[rick@linuxmafia] ~ $ /tmp/do
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
[rick@linuxmafia] ~ $ cat /tmp/do
#!/bin/sh
# Ask each authoritative server for the SOA serial; ten rounds, 5 s apart.
for round in 1 2 3 4 5 6 7 8 9 10; do
    for ns in ns ns2 ns3; do
        dig -t soa dyne.org. @$ns.dyne.org. +short | awk -v ns="$ns" '{ print $3 " on " ns ".dyne.org." }'
    done
    [ "$round" -lt 10 ] && sleep 5
done
[rick@linuxmafia] ~ $
Re: [DNG] Listserver configuration
Am 2017-07-05 09:08, schrieb Rick Moen:
> So, in general terms, I certainly encourage your approach. It's not obvious from present evidence why you are getting timeouts querying your local recursive nameserver. You'll have to do further diagnosis locally. (Lacking any better ideas at the moment, I'd say maybe start by looking at Unbound's log files.)

There are no errors in the unbound log. And I'm wondering why these timeouts are only with dyne.org. I never had such failures with other domains in years. Maybe there is a problem in my provider's network, but then that should happen with ANY domain, not only dyne.org.

I have now increased Unbound's verbosity and will see if there is further information in the log.

Jochen
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> That's right. And my local unbound is the only nameserver in
> /etc/resolv.conf
>
> I cannot use other nameservers because my postfix queries some RBLs
> that allow only limited numbers of queries (they are free for
> personal use, but costs for commercial use).

I'm a big fan of running a local recursive nameserver, and of Unbound. So, in general terms, I certainly encourage your approach. It's not obvious from present evidence why you are getting timeouts querying your local recursive nameserver. You'll have to do further diagnosis locally. (Lacking any better ideas at the moment, I'd say maybe start by looking at Unbound's log files.)

You _could_ add some additional recursive nameservers (like perhaps your ISP's) on additional lines below the 'nameserver 127.0.0.1' one -- knowing that they'll be used only if your Unbound instance for some reason isn't responding.
Re: [DNG] Listserver configuration
Am 2017-07-05 08:51, schrieb Rick Moen:
> I believe you said that you are running an instance of Unbound as a local recursive nameserver. If so, I hope you are listing it first in /etc/resolv.conf (perhaps by localhost IP). Anyway, that's where you should start looking, to find your problem.

That's right. And my local unbound is the only nameserver in /etc/resolv.conf.

I cannot use other nameservers because my postfix queries some RBLs that allow only a limited number of queries (they are free for personal use, but cost money for commercial use).

Jochen
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> By now it comes apparent that timeouts from the dns servers are the
> problem:

Well... hold that thought, please.

> Can the short SOA EXPIRE be the cause?

No. SOA EXPIRE is how long a secondary nameserver will still treat its copy of the zone data as valid if it can't contact the primary nameserver. It's a setting affecting zone transfers (IXFR and AXFR protocols) only, between nameservers doing primary nameservice for a zone. It has nothing to do with queries.

> --
> $ dig tupac2.dyne.org
>
> ; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Problem: You didn't say what nameserver to query ('@' parameter). Quoting the dig man page:

    Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf.

Presumably, your /etc/resolv.conf has a list of recursive nameservers that the local resolver library is intended to query. With the above-cited command, dig will attempt each of those in order, and error out if none of them replies. Therefore, your problem is somewhere there. It has no particular connection to the remote domain.

I believe you said that you are running an instance of Unbound as a local recursive nameserver. If so, I hope you are listing it first in /etc/resolv.conf (perhaps by localhost IP). Anyway, that's where you should start looking, to find your problem.
Re: [DNG] Listserver configuration
Am 2017-07-05 00:18, schrieb Rick Moen:
> On a quick, broad check, dyne.org DNS seems robust. There are three network-diverse authoritative nameservers (refreshing to see after observing far too many domains attempting to get by with two, when RFCs require 3-7 auth nameservers[1]), all returning correct responses on both UDP and TCP.
>
> The SOA EXPIRE value (86400 seconds) is too short. RFC 1912 section 2.2 suggests a value between 1209600 and 2419200.

You are right, the configuration seems ok. A good checking tool is IntoDNS: https://intodns.com/dyne.org
They mention the same, the SOA EXPIRE value is too low.

By now it becomes apparent that timeouts from the DNS servers are the problem:

--
$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.               IN      A

;; ANSWER SECTION:
tupac2.dyne.org.        300     IN      A       178.62.188.7

;; AUTHORITY SECTION:
dyne.org.               900     IN      NS      ns.dyne.org.
dyne.org.               900     IN      NS      ns2.dyne.org.
dyne.org.               900     IN      NS      ns3.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.            300     IN      A       188.166.98.127
ns2.dyne.org.           300     IN      A       198.199.70.248
ns3.dyne.org.           300     IN      A       178.21.114.142

;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE  rcvd: 161
--

Can the short SOA EXPIRE be the cause?

Jochen
Re: [DNG] Listserver configuration
Quoting Joachim Fahrner (j...@fahrner.name):

> Normally name resolution works fine, and tupac2.dyne.org is the only
> server with such errors in my postfix log. I'm using unbound on
> Devuan as a local caching recursive dns server.

Good choice.

> Could it be that dyne.org name servers have temporary connection
> problems?

On a quick, broad check, dyne.org DNS seems robust. There are three network-diverse authoritative nameservers (refreshing to see after observing far too many domains attempting to get by with two, when RFCs require 3-7 auth nameservers[1]), all returning correct responses on both UDP and TCP.

The SOA EXPIRE value (86400 seconds) is too short. RFC 1912 section 2.2 suggests a value between 1209600 and 2419200. I personally tend to go with 2419200 = 28 days. (This SOA subfield denotes how long a secondary will still treat its copy of the zone data as valid if it can't contact the primary.)

I can't exclude the possibility that one or two of the three auth nameservers occasionally flakes out, though that seems a-priori less likely than some other cause. The DNS as a whole seems very competently administered (and I'm persnickety about such things).

There are two small nitpicks I would make, that I hope would slightly improve the domain's service:

1. Arguably it's a slight security error to permit the three nameservers to give accurate responses when asked for their software versions. I mean like this:

$ dig +short @ns.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u11-Debian"
$ dig +short @ns2.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u10-Debian"
$ dig +short @ns3.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u11-Debian"
$

Compare my five auth nameservers for linuxmafia.com:

$ dig +short @ns1.linuxmafia.com linuxmafia.com version.bind txt chaos
198.144.195.186
"Shirley, you're joking"
[rick@linuxmafia] $ dig +short @ns.primate.net linuxmafia.com version.bind txt chaos
198.144.195.186
[rick@linuxmafia] $ dig +short @ns1.thecoop.net linuxmafia.com version.bind txt chaos
198.144.195.186
"Puddin Tane, ask me again, I'll tell you the same."
[rick@linuxmafia] $ dig +short @ns.tx.primate.net linuxmafia.com version.bind txt chaos
198.144.195.186
[rick@linuxmafia] $ dig +short @ns3.linuxmafia.com linuxmafia.com version.bind txt chaos
198.144.195.186
"none"
$

Example setup snippet from BIND9's Options stanza (on ns1.linuxmafia.com's /etc/bind/named.conf.options) to curtail reporting of the VERSION.BIND reference record in the CHAOS class:

        version "Shirley, you're joking";
        hostname "ns1.linuxmafia.com";

There are three RRs in the CHAOS class defined by RFC 4892: VERSION.BIND, ID.SERVER, and HOSTNAME.BIND. The above two option lines define two of the three. The third (ID.SERVER) fortunately defaults to null ('none'), but can be explicitly defined, too, which is why I have these comment lines to note the fact:

        //server-id is essentially redundant to hostname, default is none
        //server-id none;

Similar steps can and should be taken in NSD and other good authoritative nameservers to control information leakage, IMO.[2]

2. The two MXes both refuse delivery of mail addressed to the RFC-mandated abuse address.

550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table

Because dyne.org accepts SMTP mail, RFC2142 Section 2 requires that the domain accept mail addressed to ab...@dyne.org . Additionally, some domains will consider suspicious any mail domain that fails RFC-compliance testing including acceptance of mail addressed to the postmaster or abuse accounts. IMO, abuse@ is every bit as mandatory as postmaster@ is, for SMTP-receiving domains.

Again, overall, the dyne.org DNS strikes me as excellent.

[1] Reference for minimum 3: RFC2182 section 5. Reference for maximum 7: RFC1912 section 2.8.

[2] Hiding version numbers doesn't actually protect anything, but giving attackers that information for free is never a good idea, and on the public Internet there seems to be no legitimate purpose for providing accurate values. (If there is, I've not seen it.)
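The version.bind check from Rick's post, done on the wire rather than through dig, as an added example that is not part of the thread: it builds the same CHAOS-class TXT query that `dig version.bind txt chaos` sends, parses the TXT answer (including the name-compression pointer BIND uses in its reply), and flags a value that looks like a real version string so a fleet of authoritative servers can be audited in one pass. The reply used here is constructed to match what the thread shows (a Debian BIND version string); `constructed_response`, `leaks_version` and its regex are this example's own, and to query a real server you would send `build_chaos_txt_query()` over a UDP socket to port 53.

```python
"""CHAOS-class version.bind audit (added example, not from the thread)."""
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def build_chaos_txt_query(txid, name="version.bind."):
    """Same wire query as 'dig @server version.bind txt chaos'. RD=0: the
    CHAOS pseudo-zone is served locally, recursion is pointless."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def parse_txt_answers(msg):
    """Return the list of TXT strings in the answer section (CHAOS TXT only)."""
    _txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip question section
        _, off = decode_name(msg, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            p = 0
            while p < len(rdata):                   # TXT rdata: <len><chars>...
                ln = rdata[p]
                strings.append(rdata[p + 1:p + 1 + ln].decode("ascii", "replace"))
                p += 1 + ln
    return strings


VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def leaks_version(txt_strings):
    """Heuristic: anything with a dotted number in it is treated as a leak."""
    return any(VERSION_RE.search(s) for s in txt_strings)


def constructed_response(txid, answer):
    """Reply a BIND server would send for version.bind (constructed for this example):
    QR=1 AA=1, question echoed, one CH TXT RR whose name points back at the question."""
    q = encode_name("version.bind.") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(answer)]) + answer.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    return header + q + rr


if __name__ == "__main__":
    for server, reply in (("ns.dyne.org", "9.9.5-9+deb8u11-Debian"),
                          ("ns1.linuxmafia.com", "Shirley, you're joking")):
        txt = parse_txt_answers(constructed_response(7, reply))
        print(server, txt, "LEAK" if leaks_version(txt) else "ok")
```

The same parser works for hostname.bind and id.server (change the name argument); a server that refuses CHAOS queries answers REFUSED with an empty answer section, which `parse_txt_answers` returns as an empty list.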
Re: [DNG] Listserver configuration
Am 2017-07-04 18:27, schrieb Alessandro Selli:
> I'm afraid this has to do with the DNS server you're using (;; SERVER: 127.0.0.1#53(127.0.0.1), that is), as I get these values:

Enter "dyne.org" here: http://www.dnsqueries.com/en/dns_lookup.php and select "ALL". That delivers the same results as my DNS server. That seems location dependent, so I assume this is delivered through a CDN.
Re: [DNG] Listserver configuration
Am 2017-07-04 18:27, schrieb Alessandro Selli:
> I'm afraid this has to do with the DNS server you're using (;; SERVER: 127.0.0.1#53(127.0.0.1), that is), as I get these values:
>
> [alessandro@draco ~]$ dig tupac2.dyne.org
>
> ; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19560
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;tupac2.dyne.org.               IN      A
>
> ;; ANSWER SECTION:
> tupac2.dyne.org.        300     IN      A       178.62.188.7
>
> ;; AUTHORITY SECTION:
> dyne.org.               86400   IN      NS      ns2.dyne.org.
> dyne.org.               86400   IN      NS      ns3.dyne.org.
> dyne.org.               86400   IN      NS      ns.dyne.org.
>
> ;; ADDITIONAL SECTION:
> ns.dyne.org.            86400   IN      A       188.166.98.127
> ns.dyne.org.            86400   IN      AAAA    2a03:b0c0:2:d0::95:e001
> ns2.dyne.org.           86400   IN      A       198.199.70.248
> ns2.dyne.org.           86400   IN      AAAA    2604:a880:400:d0::27:4001
> ns3.dyne.org.           86400   IN      A       178.21.114.142
>
> ;; Query time: 1041 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jul 04 18:19:43 CEST 2017
> ;; MSG SIZE  rcvd: 217
>
> [alessandro@draco ~]$
>
> Which is consistent with the domain's value of 86400 for the EXPIRE SOA record:
>
> [alessandro@draco ~]$ host -t SOA dyne.org
> dyne.org has SOA record ns.dyne.org. root.dyne.org. 2017062500 7200 3600 86400 900
> [alessandro@draco ~]$

Strange. Is there some CDN in between?

$ dig @198.199.70.248 tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> @198.199.70.248 tupac2.dyne.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51709
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.               IN      A

;; ANSWER SECTION:
tupac2.dyne.org.        300     IN      A       178.62.188.7

;; AUTHORITY SECTION:
dyne.org.               900     IN      NS      ns3.dyne.org.
dyne.org.               900     IN      NS      ns2.dyne.org.
dyne.org.               900     IN      NS      ns.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.            300     IN      A       188.166.98.127
ns2.dyne.org.           300     IN      A       198.199.70.248
ns3.dyne.org.           300     IN      A       178.21.114.142

;; Query time: 87 msec
;; SERVER: 198.199.70.248#53(198.199.70.248)
;; WHEN: Tue Jul 04 19:00:09 CEST 2017
;; MSG SIZE  rcvd: 161
Re: [DNG] Listserver configuration
Am 2017-07-04 15:37, schrieb Alessandro Selli:
> I really wonder what did mxtoolbox.com check, as I cannot see what dns.org and shockmedia.com have to do with dyne.org:

That's strange. Something in my test changed dyne.org magically to dns.org. But that was not me, I used cut & paste ;-)

The only explanation I have is that sometimes there is overload at the dyne.org DNS servers. The TTL values are really low and mostly prevent caching.

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.               IN      A

;; ANSWER SECTION:
tupac2.dyne.org.        300     IN      A       178.62.188.7

;; AUTHORITY SECTION:
dyne.org.               900     IN      NS      ns.dyne.org.
dyne.org.               900     IN      NS      ns2.dyne.org.
dyne.org.               900     IN      NS      ns3.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.            300     IN      A       188.166.98.127
ns2.dyne.org.           300     IN      A       198.199.70.248
ns3.dyne.org.           300     IN      A       178.21.114.142

;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE  rcvd: 161
Re: [DNG] Listserver configuration
On Tue, 04 Jul 2017 at 09:51:55 +0200 Joachim Fahrner wrote:

> Am 2017-07-04 09:39, schrieb Joachim Fahrner:
>
> > Could it be that dyne.org name servers have temporary connection
> > problems?
>
> When checking dns for tupac2.dyne.org I get 1 error and 3 warnings:
>
> https://mxtoolbox.com/domain/tupac2.dns.org/
>
> E https dns.org The Certificate has a name mismatch
> E dns dns.org Primary Name Server Not Listed At Parent
> E dmarc dns.org DNS Record not found
> E spf dns.org DNS Record not found
> W dns dns.org Bad Glue Detected
> W dns dns.org Local NS list does not match Parent NS list
> W dns dns.org Name Servers are on the Same Subnet
> W smtp mail.shockmedia.com Reverse DNS does not contain the hostname
> W smtp mail.shockmedia.com Reverse DNS does not match SMTP Banner
> W smtp mail.shockmedia.com 5.639 seconds - Warning on Connection time
> W smtp mail.shockmedia.com 12.520 seconds - Not good! on Transaction Time

I really wonder what did mxtoolbox.com check, as I cannot see what dns.org and shockmedia.com have to do with dyne.org:

[alessandro@draco ~]$ host -t NS dyne.org
dyne.org name server ns2.dyne.org.
dyne.org name server ns.dyne.org.
dyne.org name server ns3.dyne.org.
[alessandro@draco ~]$

Actually, I wonder how did you run the test, as I get these results:

https://mxtoolbox.com/SuperTool.aspx?action=a%3adyne.org=toolpage#

Type  Domain Name   IP Address                                                                          TTL     Status  Time (ms)  Auth  Parent  Local
NS    ns.dyne.org   188.166.98.127 [Netherlands] Amsterdam, North Holland NL Digital Ocean, Inc. (AS14061)     15 min          120
NS    ns2.dyne.org  198.199.70.248 [United States] North Bergen, New Jersey US Digital Ocean, Inc. (AS14061)  15 min          45
NS    ns3.dyne.org  178.21.114.142 [Netherlands] NL DirectVPS B.V. (AS29028)                              15 min          123

Result
  SOA Expire Value out of recommended range: ns.dyne.org reported Expire 86400 : Expire is recommended to be between 1209600 and 2419200.  More Info
  DNS Record found
  No Bad Glue Detected
  At Least Two Name Servers Found
  All name servers are responding
  All of the name servers are Authoritative
  Local NS list matches Parent NS list
  Name Servers appear to be Dispersed
  Name Servers have Public IP Addresses
  Serial numbers match 2017062500
  Primary Name Server Listed At Parent
  SOA Serial Number Format appears valid
  SOA Refresh Value is within the recommended range
  SOA Retry Value is within the recommended range
  SOA Minimum TTL Value is within allowed values
  No Open Recursive Name Server Detected
  No Open Zone Transfer  More Info

--
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Listserver configuration
Am 2017-07-04 09:39, schrieb Joachim Fahrner:
> Could it be that dyne.org name servers have temporary connection problems?

When checking DNS for tupac2.dyne.org I get 1 error and 3 warnings:

https://mxtoolbox.com/domain/tupac2.dns.org/

E https dns.org The Certificate has a name mismatch
E dns dns.org Primary Name Server Not Listed At Parent
E dmarc dns.org DNS Record not found
E spf dns.org DNS Record not found
W dns dns.org Bad Glue Detected
W dns dns.org Local NS list does not match Parent NS list
W dns dns.org Name Servers are on the Same Subnet
W smtp mail.shockmedia.com Reverse DNS does not contain the hostname
W smtp mail.shockmedia.com Reverse DNS does not match SMTP Banner
W smtp mail.shockmedia.com 5.639 seconds - Warning on Connection time
W smtp mail.shockmedia.com 12.520 seconds - Not good! on Transaction Time
Re: [DNG] Listserver configuration
Am 2017-07-03 22:27, schrieb Gregory Nowak:
> I'm not seeing this here, and the A record for tupac2.dyne.org resolves correctly. Could there be a DNS issue on your end perhaps?

Normally name resolution works fine, and tupac2.dyne.org is the only server with such errors in my postfix log. I'm using unbound on Devuan as a local caching recursive DNS server.

Could it be that dyne.org name servers have temporary connection problems? I just did several tries and got:

$ host tupac2.dyne.org
;; connection timed out; no servers could be reached
$ host tupac2.dyne.org
tupac2.dyne.org has address 178.62.188.7

BTW: why is the TTL so short (300 secs)? Maybe that's a problem?

Jochen
Re: [DNG] Listserver configuration
Hi there,

On Mon, 3 Jul 2017, Antony Stone wrote:

> On Monday 03 July 2017 at 22:27:44, Gregory Nowak wrote:
>
> > On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:
> >
> > > I get lots of those errors in my postfix log:
> > >
> > > Jul 3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> > > from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> > > Helo command rejected: Host not found;
> > > from=to= proto=ESMTP
> > > helo=
> > >
> > > Is there some configuration problem with the list mail server?
> >
> > I'm not seeing this here, and the A record for tupac2.dyne.org
> > resolves correctly. Could there be a DNS issue on your end perhaps?
>
> tupac2.dyne.org resolves here perfectly well too, however surely the
> problem being reported by that error message is that the machine
> tupac2.dyne.org cannot resolve fahrner.name (which also resolves here
> perfectly okay)?

No, the issue does seem to be at or before the 'helo' command stage, but the error message isn't terribly clear to me because I'm a Sendmail user. :/ Whatever isn't found (presumably not found by the DNS server which Postfix is using), it isn't the envelope recipient, which has not been established at the 'helo' stage.

The nameservers for dyne.org look fine, and I see no problems (in the UK, with Sendmail & BIND).

In a case like this I'd look at my nameserver logs. If you don't use a local nameserver you could set up a caching-only server just so it can log things. That might even fix the problem. :)

Alternatively you could run a tool like tcpdump to record the traffic and then display it e.g. with Ethereal.

--
73,
Ged.
Re: [DNG] Listserver configuration
On Monday 03 July 2017 at 22:27:44, Gregory Nowak wrote:

> On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:
>
> > I get lots of those errors in my postfix log:
> >
> > Jul 3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> > from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> > Helo command rejected: Host not found;
> > from=to= proto=ESMTP
> > helo=
> >
> > Is there some configuration problem with the list mail server?
>
> I'm not seeing this here, and the A record for tupac2.dyne.org
> resolves correctly. Could there be a DNS issue on your end perhaps?

tupac2.dyne.org resolves here perfectly well too, however surely the problem being reported by that error message is that the machine tupac2.dyne.org cannot resolve fahrner.name (which also resolves here perfectly okay)?

Antony.

--
Roses are red,
Bacon is too,
Poetry's hard,
Bacon.

with thanks to Claire Davison

Please reply to the list; please *don't* CC me.
Re: [DNG] Listserver configuration
On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:

> I get lots of those errors in my postfix log:
>
> Jul 3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> Helo command rejected: Host not found;
> from=to= proto=ESMTP
> helo=
>
> Is there some configuration problem with the list mail server?

I'm not seeing this here, and the A record for tupac2.dyne.org resolves correctly. Could there be a DNS issue on your end perhaps?

Greg

--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.
--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org
[DNG] Listserver configuration
Hello,

I get lots of those errors in my postfix log:

Jul 3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 : Helo command rejected: Host not found; from=to= proto=ESMTP helo=

Is there some configuration problem with the list mail server?

Jochen