Re: [DNG] Listserver configuration

2017-07-05 Thread Arnt Gulbrandsen
If the name server receives a question via UDP, that's how it will answer, 
necessarily. The client could have asked via TCP, but it doesn't know how 
large the response will be when it sends the question.


The general intention here is that the client will receive either an ICMP 
message or a reply. If no reply arrives (some people firewall away ICMP in 
the name of safety), the client is supposed to time out and retry via TCP, 
but that timeout can be too slow. Last time I ran into that, the upper-level 
protocol timed out the DNS query before the DNS library switched to TCP.


Arnt

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
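The UDP-first, TCP-on-failure behaviour Arnt describes above, as an added example that is not code from this thread: a query that advertises an EDNS0 buffer size in its OPT record (the number dig prints as "udp: 4096"), a check of the TC bit in whatever comes back, and a retry over TCP when the reply is truncated or never arrives. The two transports are injected callables so the block runs offline; the replies are constructed by build_reply, and the query name tupac2.dyne.org is only the thread's own example.

```python
import struct

FLAG_TC = 0x0200   # TC ("truncated") bit in the DNS header flags
OPT_TYPE = 41      # EDNS0 OPT pseudo-record, RFC 6891


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a 0 byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "arcount": ar}


def question_end(msg):
    """Offset just past the single question (name + QTYPE + QCLASS)."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4


def build_query(qid, qname, qtype=1, edns_size=None):
    """Query with RD set. With edns_size, an OPT record is appended whose
    CLASS field carries the UDP payload size we claim we can receive.
    Without OPT a server must assume the classic 512-byte limit."""
    msg = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(qname) + struct.pack(">HH", qtype, 1)
    if edns_size:
        # root name, TYPE=OPT, CLASS=payload size, TTL=ext-rcode/version/
        # flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_size, 0, 0)
    return msg


def advertised_udp_size(query):
    """Read back the EDNS payload size a query advertises (512 if no OPT)."""
    off = question_end(query)
    if parse_header(query)["arcount"] == 0 or off + 5 > len(query):
        return 512
    rtype, size = struct.unpack(">HH", query[off + 1:off + 5])
    return size if query[off] == 0 and rtype == OPT_TYPE else 512


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg


def resolve(query, send_udp, send_tcp, timeout=2.0):
    """UDP first; retry over TCP when the reply is truncated (TC=1) or when
    nothing arrives before the timeout. send_udp(query, timeout) returns
    reply bytes or None; send_tcp(framed_query) returns the reply without
    its length prefix. Returns (reply, transport_used)."""
    reply = send_udp(query, timeout)
    if reply is not None:
        hdr = parse_header(reply)
        if hdr["id"] != parse_header(query)["id"]:
            raise ValueError("reply ID does not match query ID")
        if not hdr["tc"]:
            return reply, "udp"
    # Either the server said the answer was cut down to fit our buffer, or
    # the datagram never arrived (e.g. a fragmented reply dropped by a
    # firewall that also eats the ICMP): the remaining option is TCP.
    return send_tcp(tcp_frame(query)), "tcp"


def build_reply(query, truncated=False):
    """Constructed minimal reply for offline use: echoes ID and question,
    sets QR/RD/RA (and TC when asked), carries no answer records."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)
    hdr = struct.pack(">HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0)
    return hdr + query[12:question_end(query)]


if __name__ == "__main__":
    q = build_query(0x1234, "tupac2.dyne.org", edns_size=1400)
    print("advertised UDP payload size:", advertised_udp_size(q))
    # Simulated transports: a normal server, one whose UDP reply is
    # truncated, and one whose reply is lost; the last two end up on TCP.
    full = lambda query, t: build_reply(query)
    trunc = lambda query, t: build_reply(query, truncated=True)
    lost = lambda query, t: None
    over_tcp = lambda framed: build_reply(framed[2:])
    for name, udp in (("normal", full), ("truncated", trunc), ("dropped", lost)):
        print(name, "->", resolve(q, udp, over_tcp)[1])
```

The timeout is the part Arnt's message is about: a dropped fragment looks exactly like a dead server, so the caller only learns that TCP was needed after `timeout` seconds have elapsed, and an application with a shorter deadline of its own gives up first.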


Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 11:51, Rick Moen wrote:

> Glad to hear it!


I was pleased too early - the problem still exists. I now forward 
dyne.org to Google DNS.




Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 10:47, Rick Moen wrote:

>    edns-buffer-size: 
>       ...
>       tation  reassembly  problems,  usually  seen as timeouts, then a
>       value of 1480 can fix it.



I did some more tests (ping ns.dyne.org with different packet sizes) and 
found that 1480 is still too large. The limit is somewhere between 1460 
and 1480. I now use 1400 for the buffer-size.


Jochen
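The ping probing Joachim describes, as an added example that is not code from this thread: the arithmetic that ties a `ping -s` payload size to the path MTU and to the largest edns-buffer-size that still fits in one unfragmented datagram, and a bisection that finds the largest passing size. Because an ICMP echo header and a UDP header are both 8 bytes, the largest working `ping -s` value in a given address family is directly the largest safe EDNS payload size for that family. The probe in the demo is a constructed simulation of a 1492-byte path; real_ping_probe assumes Linux iputils syntax (`-M do` sets DF, IPv6 via a separate ping6) and is not run offline.

```python
import subprocess

IPV4_HDR, IPV6_HDR = 20, 40
ICMP_HDR = UDP_HDR = 8     # ICMP echo header and UDP header are both 8 bytes


def _net_hdr(ipv6):
    return IPV6_HDR if ipv6 else IPV4_HDR


def max_edns_for_mtu(mtu, ipv6=False):
    """Largest DNS message (the EDNS 'udp payload size') that fits in one
    datagram of at most mtu bytes without IP fragmentation."""
    return mtu - _net_hdr(ipv6) - UDP_HDR


def ping_size_for_mtu(mtu, ipv6=False):
    """The `ping -s N` value that produces a packet of exactly mtu bytes.
    Numerically identical to max_edns_for_mtu(mtu), see the lead-in."""
    return mtu - _net_hdr(ipv6) - ICMP_HDR


def path_mtu_from_ping(largest_ok_payload, ipv6=False):
    """Inverse of ping_size_for_mtu: path MTU implied by the largest
    payload that still got through with DF set."""
    return largest_ok_payload + _net_hdr(ipv6) + ICMP_HDR


def largest_passing(probe, lo, hi):
    """Binary search for the largest size in [lo, hi] with probe(size) True.
    Assumes a monotonic path (sizes pass below some limit, fail above it).
    Returns None when even lo fails, i.e. start lower."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(path_mtu, ipv6=False):
    """Constructed stand-in for `ping -M do -s N`: True when the packet fits."""
    return lambda n: n + _net_hdr(ipv6) + ICMP_HDR <= path_mtu


def real_ping_probe(host, ipv6=False):
    """Probe with the system ping and DF set (Linux iputils syntax assumed;
    systems of the thread's vintage ship IPv6 as a separate ping6)."""
    cmd = ["ping6" if ipv6 else "ping", "-c", "1", "-W", "2", "-M", "do", "-s"]
    return lambda n: subprocess.run(cmd + [str(n), host],
                                    stdout=subprocess.DEVNULL,
                                    stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    # A PPPoE-style 1492-byte path: ping -s 1464 passes, 1465 fails.
    probe = simulated_path(1492)
    best = largest_passing(probe, 0, 65507)
    mtu = path_mtu_from_ping(best)
    print(f"largest passing ping -s: {best}, path MTU {mtu}")
    print(f"edns-buffer-size <= {max_edns_for_mtu(mtu)} (IPv4), "
          f"<= {max_edns_for_mtu(mtu, ipv6=True)} (IPv6)")
    # Against a real server: largest_passing(real_ping_probe("ns.dyne.org"), 0, 1500)
```

One caveat when reading the result: `ping -M do` measures the path your probes take outbound, while the oversized DNS reply travels the other way, and the return path can have a different MTU. Treat the number as an upper bound and, as Joachim did, leave some margin below it.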


Re: [DNG] Listserver configuration

2017-07-05 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> Looks like that solved it. Same problem is described here:
> https://serverfault.com/questions/405650/why-are-these-udp-packets-being-dropped

Glad to hear it!

> But shouldn't DNSSEC use tcp instead of udp?

Only if the response is larger than the maximum UDP size.
https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp




Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 10:47, Rick Moen wrote:


>    edns-buffer-size: 
>       Number of bytes size to advertise as the EDNS reassembly buffer
>       size. This is the value put into datagrams over UDP towards
>       peers. The actual buffer size is determined by msg-buffer-size
>       (both for TCP and UDP). Do not set higher than that value.
>       Default is 4096 which is RFC recommended. If you have
>       fragmentation reassembly problems, usually seen as timeouts,
>       then a value of 1480 can fix it.


Looks like that solved it. Same problem is described here:
https://serverfault.com/questions/405650/why-are-these-udp-packets-being-dropped

Large UDP packets are dropped on their way.

But shouldn't DNSSEC use tcp instead of udp?

Jochen


Re: [DNG] Listserver configuration

2017-07-05 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> Am 2017-07-05 09:43, schrieb Joachim Fahrner:
> 
> >Jul  5 09:37:46 server unbound: [22751:0] info: NSEC3s for the
> >referral proved no DS.
> 
> Could it be that my problem has to do with DNSSEC?

Obviously, you could test this hypothesis by disabling DNSSEC support
for testing purposes.  I tend to think 'no', however.

I hesitate to suggest this, because the resemblance to flailing around
changing things without a credible theory is uncomfortably close, _but_, 
it's possible you might need to tweak timeout settings in unbound.conf.
E.g.:

   edns-buffer-size: 
      Number of bytes size to advertise as the EDNS reassembly buffer
      size. This is the value put into datagrams over UDP towards
      peers. The actual buffer size is determined by msg-buffer-size
      (both for TCP and UDP). Do not set higher than that value.
      Default is 4096 which is RFC recommended. If you have
      fragmentation reassembly problems, usually seen as timeouts,
      then a value of 1480 can fix it.

https://www.unbound.net/documentation/unbound.conf.html

You'll want to look broadly at option documentation, and look at this
page carefully.
https://www.unbound.net/documentation/info_timeout.html

Part of what makes me uneasy is:  Why just on one domain, and (AFAIK)
just on your Unbound instance?




Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 09:43, Joachim Fahrner wrote:


> Jul  5 09:37:46 server unbound: [22751:0] info: NSEC3s for the
> referral proved no DS.


Could it be that my problem has to do with DNSSEC?


Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 09:24, Joachim Fahrner wrote:


> I have now increased Unbound's verbosity and will see if there is further
> information in the log.


Some more info. Unbound's verbosity level is now 2. I did a "dig 
tupac2.dyne.org", which had a timeout.

This is in the log:

Jul  5 09:37:29 server unbound: [22751:0] info: resolving tupac2.dyne.org. A IN
Jul  5 09:37:29 server unbound: [22751:0] info: resolving ns2.dyne.org. A IN
Jul  5 09:37:29 server unbound: [22751:0] info: resolving ns3.dyne.org. A IN
Jul  5 09:37:29 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: resolving ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: reply from  199.249.120.1#53
Jul  5 09:37:46 server unbound: [22751:0] info: query response was REFERRAL
Jul  5 09:37:46 server unbound: [22751:0] info: response for ns.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: reply from  178.21.114.142#53
Jul  5 09:37:46 server unbound: [22751:0] info: query response was ANSWER
Jul  5 09:37:46 server unbound: [22751:0] info: response for tupac2.dyne.org. A IN
Jul  5 09:37:46 server unbound: [22751:0] info: reply from  188.166.98.127#53
Jul  5 09:37:46 server unbound: [22751:0] info: query response was ANSWER
Jul  5 09:37:46 server unbound: [22751:0] info: NSEC3s for the referral proved no DS.
Jul  5 09:37:46 server unbound: [22751:0] info: Verified that unsigned response is INSECURE
Jul  5 09:37:57 server unbound: [22751:0] info: response for ns3.dyne.org. A IN
Jul  5 09:37:57 server unbound: [22751:0] info: reply from  188.166.98.127#53
Jul  5 09:37:57 server unbound: [22751:0] info: query response was ANSWER
Jul  5 09:37:57 server unbound: [22751:0] info: response for ns2.dyne.org. A IN
Jul  5 09:37:57 server unbound: [22751:0] info: reply from  188.166.98.127#53
Jul  5 09:37:57 server unbound: [22751:0] info: query response was ANSWER



The response from dyne.org took 9 seconds!

Jochen


Re: [DNG] Listserver configuration

2017-07-05 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> There are no errors in the unbound log. And I'm wondering why these
> timeouts are only with dyne.org. I never had such failures with
> other domains since years. Maybe there is a problem in my providers
> network, but then that should happen with ANY domain, not only
> dyne.org.

Yes, that's a puzzle.

Just to give you an additional data point, I ran 10 iterations against
each of the three authoritative nameservers directly from
linuxmafia.com's command line, and got no timeouts.


[rick@linuxmafia]
~ $ /tmp/do
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
2017062500 on ns.dyne.org.
2017062500 on ns2.dyne.org.
2017062500 on ns3.dyne.org.
[rick@linuxmafia]
~ $ cat /tmp/do
#!/bin/sh
# Ten rounds, five seconds apart: ask each authoritative server directly
# for the zone's SOA serial, so a timeout shows up as a missing line.
i=0
while [ "$i" -lt 10 ]; do
    [ "$i" -gt 0 ] && sleep 5
    for ns in ns.dyne.org. ns2.dyne.org. ns3.dyne.org.; do
        dig -t soa dyne.org. "@$ns" +short | awk -v ns="$ns" '{ print $3 " on " ns }'
    done
    i=$((i + 1))
done
[rick@linuxmafia]
~ $


Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 09:08, Rick Moen wrote:

> So, in general terms, I certainly encourage your approach.  It's not
> obvious from present evidence why you are getting timeouts querying your
> local recursive nameserver.  You'll have to do further diagnosis
> locally.  (Lacking any better ideas at the moment, I'd say maybe start
> by looking at Unbound's log files.)


There are no errors in the unbound log. And I'm wondering why these 
timeouts happen only with dyne.org. I never had such failures with other 
domains in years. Maybe there is a problem in my provider's network, 
but then that should happen with ANY domain, not only dyne.org.


I have now increased Unbound's verbosity and will see if there is further 
information in the log.


Jochen


Re: [DNG] Listserver configuration

2017-07-05 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> That's right. And my local unbound is the only nameserver in
> /etc/resolv.conf
> 
> I cannot use other nameservers because my postfix queries some RBLs
> that allow only limited numbers of queries (they are free for
> personal use, but costs for commercial use).

I'm a big fan of running a local recursive nameserver, and of Unbound.
So, in general terms, I certainly encourage your approach.  It's not
obvious from present evidence why you are getting timeouts querying your
local recursive nameserver.  You'll have to do further diagnosis
locally.  (Lacking any better ideas at the moment, I'd say maybe start
by looking at Unbound's log files.)

You _could_ add some additional recursive nameservers (like perhaps your
ISP's) on additional lines below the 'nameserver 127.0.0.1' one --
knowing that they'll be used only if your Unbound instance for some
reason isn't responding.



Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 08:51, Rick Moen wrote:

> I believe you said that you are running an instance of Unbound as a
> local recursive nameserver.  If so, I hope you are listing it first in
> /etc/resolv.conf (perhaps by localhost IP).  Anyway, that's where you
> should start looking, to find your problem.


That's right. And my local unbound is the only nameserver in 
/etc/resolv.conf


I cannot use other nameservers because my postfix queries some RBLs that 
allow only a limited number of queries (they are free for personal use, 
but charge for commercial use).


Jochen


Re: [DNG] Listserver configuration

2017-07-05 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> By now it comes apparent that timeouts from the dns servers are the
> problem:

Well... hold that thought, please.


> Can the short SOA EXPIRE be the cause?

No.  SOA EXPIRE is how long a secondary nameserver will still treat its
copy of the zone data as valid if it can't contact the primary
nameserver.  It's a setting affecting zone transfers (IXFR and AXFR
protocols) only, between nameservers doing primary nameservice for a
zone.  It has nothing to do with queries.


> --
> $ dig tupac2.dyne.org
> 
> ; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Problem:  You didn't say what nameserver to query ('@' parameter).
Quoting the dig man page:

   Unless it is told to query a specific name server, dig will try each of
   the servers listed in /etc/resolv.conf.

Presumably, your /etc/resolv.conf has a list of recursive nameservers
that the local resolver library is intended to query.  With the
above-cited command, dig will attempt each of those in order, and error 
out if none of them replies.

Therefore, your problem is somewhere there.  It has no particular
connection to the remote domain.

I believe you said that you are running an instance of Unbound as a
local recursive nameserver.  If so, I hope you are listing it first in
/etc/resolv.conf (perhaps by localhost IP).  Anyway, that's where you
should start looking, to find your problem.



Re: [DNG] Listserver configuration

2017-07-05 Thread Joachim Fahrner

On 2017-07-05 00:18, Rick Moen wrote:

> On a quick, broad check, dyne.org DNS seems robust.
> 
> There are three network-diverse authoritative nameservers (refreshing to
> see after observing far too many domains attempting to get by with two,
> when RFCs require 3-7 auth nameservers[1]), all returning correct
> responses on both UDP and TCP.  The SOA EXPIRE value (86400 seconds) is
> too short.  RFC 1912 section 2.2 suggests a value between 1209600 and
> 2419200.


You are right, the configuration seems OK. A good checking tool is 
IntoDNS:

https://intodns.com/dyne.org
They mention the same: the SOA EXPIRE value is too low.

By now it has become apparent that timeouts from the DNS servers are the 
problem:


--
$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.   IN  A

;; ANSWER SECTION:
tupac2.dyne.org.300 IN  A   178.62.188.7

;; AUTHORITY SECTION:
dyne.org.   900 IN  NS  ns.dyne.org.
dyne.org.   900 IN  NS  ns2.dyne.org.
dyne.org.   900 IN  NS  ns3.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.300 IN  A   188.166.98.127
ns2.dyne.org.   300 IN  A   198.199.70.248
ns3.dyne.org.   300 IN  A   178.21.114.142

;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE  rcvd: 161
--

Can the short SOA EXPIRE be the cause?

Jochen




Re: [DNG] Listserver configuration

2017-07-04 Thread Rick Moen
Quoting Joachim Fahrner (j...@fahrner.name):

> Normally name resolution works fine, and tupac2.dyne.org is the only
> server with such errors in my postfix log.  I'm using unbound on
> Devuan as a local caching recursive dns server.

Good choice.

> Could it be that dyne.org name servers have temporary connection
> problems?

On a quick, broad check, dyne.org DNS seems robust.   

There are three network-diverse authoritative nameservers (refreshing to
see after observing far too many domains attempting to get by with two,
when RFCs require 3-7 auth nameservers[1]), all returning correct
responses on both UDP and TCP.  The SOA EXPIRE value (86400 seconds) is
too short.  RFC 1912 section 2.2 suggests a value between 1209600 and
2419200.  I personally tend to go with 2419200 = 28 days.  (This SOA
subfield denotes how long a secondary will still treat its copy of the
zone data as valid if it can't contact the primary.)

I can't exclude the possibility that one or two of the three auth
nameservers occasionally flakes out, though that seems a-priori less
likely than some other cause.  The DNS as a whole seems very competently
administered (and I'm persnickety about such things).

There are two small nitpicks I would make, that I hope would slightly
improve the domain's service:

1.  Arguably it's a slight security error to permit the three
nameservers to give accurate responses when asked for their software
versions.  I mean like this:

$ dig +short @ns.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u11-Debian"
$ dig +short @ns2.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u10-Debian"
$ dig +short @ns3.dyne.org dyne.org version.bind txt chaos
178.62.255.220
"9.9.5-9+deb8u11-Debian"
$

Compare my five auth nameservers for linuxmafia.com:

$ dig +short @ns1.linuxmafia.com linuxmafia.com version.bind txt chaos
198.144.195.186
"Shirley, you're joking"
[rick@linuxmafia]
$ dig +short @ns.primate.net linuxmafia.com version.bind txt chaos
198.144.195.186
[rick@linuxmafia]
$ dig +short @ns1.thecoop.net linuxmafia.com version.bind txt chaos
198.144.195.186
"Puddin Tane, ask me again, I'll tell you the same."
[rick@linuxmafia]
$ dig +short @ns.tx.primate.net linuxmafia.com version.bind txt chaos
198.144.195.186
[rick@linuxmafia]
$ dig +short @ns3.linuxmafia.com linuxmafia.com version.bind txt chaos
198.144.195.186
"none"
$

Example setup snippet from BIND9's Options stanza (on ns1.linuxmafia.com's
/etc/bind/named.conf.options) to curtail reporting of the VERSION.BIND
reference record in the CHAOS class:

version "Shirley, you're joking";
hostname "ns1.linuxmafia.com";

There are three RRs in the CHAOS class defined by RFC 4892:
VERSION.BIND, ID.SERVER, and HOSTNAME.BIND.  The above two option lines 
define two of the three.  The third (ID.SERVER) fortunately defaults to
null ('none'), but can be explicitly defined, too, which is why I have
these comment lines to note the fact:

//server-id is essentially redundant to hostname, default is none
//server-id  none;

Similar steps can and should be taken in NSD and other good
authoritative nameservers to control information leakage, IMO.[2]



2.  The two MXes both refuse delivery of mail addressed to the
RFC-mandated abuse address.

   50 5.1.1 : Recipient address rejected: User unknown in virtual
   mailbox table

Because dyne.org accepts SMTP mail, RFC2142 Section 2 requires that the
domain accept mail addressed to ab...@dyne.org .  Additionally, some
domains will consider suspicious any mail domain that fails
RFC-compliance testing including acceptance of mail addressed to the
postmaster or abuse accounts.

IMO, abuse@ is every bit as mandatory as postmaster@ is, for
SMTP-receiving domains.


Again, overall, the dyne.org DNS strikes me as excellent.


[1] Reference for minimum 3:  RFC2182 section 5.  
Reference for maximum 7:  RFC1912 section 2.8.

[2] Hiding version numbers doesn't actually protect anything, but
giving attackers that information for free is never a good idea, and 
on the public Internet there seems to be no legitimate purpose for 
providing accurate values.  (If there is, I've not seen it.)


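The VERSION.BIND check Rick runs above with dig, as an added example that is not code from the thread: the wire form of the CHAOS-class TXT query, a parser that pulls the TXT strings out of the answer (or reports REFUSED, which is what a server that declines the CHAOS class returns), and a heuristic that separates a real version string from a decoy such as "Shirley, you're joking". The server replies here are constructed by build_chaos_response so the block runs offline; the version string is the one quoted in the thread.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_chaos_query(qid, qname="version.bind"):
    """Wire form of `dig @server version.bind txt chaos`: one question,
    TYPE=TXT, CLASS=CH, no recursion requested (flags all zero)."""
    return (struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack(">HH", TYPE_TXT, CLASS_CH))


def skip_name(msg, off):
    """Advance past a name, compressed or not (RFC 1035 section 4.1.4)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a 2-byte pointer ends the name
            return off + 2
        off += 1 + n


def rcode(msg):
    return struct.unpack(">H", msg[2:4])[0] & 0xF   # 0 NOERROR, 5 REFUSED


def chaos_txt_strings(msg):
    """All TXT strings from TXT/CH answers; empty for REFUSED or no answer."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):                 # <len><chars> segments
                n = rdata[i]
                out.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return out


def looks_like_real_version(strings):
    """Heuristic: a genuine version string carries a dotted number such as
    9.9.5; decoys ('none', 'Shirley, you're joking') do not."""
    return any(re.search(r"\d+\.\d+", s) for s in strings)


def build_chaos_response(query, strings=None, refused=False):
    """Constructed server reply for offline use. refused=True mimics a
    server that refuses the CHAOS class (RCODE 5); otherwise one TXT
    record is answered, its owner name a pointer to the question name."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if refused:
        return struct.pack(">HHHHHH", qid, 0x8005, 1, 0, 0, 0) + question
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    rr = (b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata))
          + rdata)
    return struct.pack(">HHHHHH", qid, 0x8400, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    q = build_chaos_query(0x2A2A)
    cases = (("leaky", build_chaos_response(q, ["9.9.5-9+deb8u11-Debian"])),
             ("decoy", build_chaos_response(q, ["Shirley, you're joking"])),
             ("refused", build_chaos_response(q, refused=True)))
    for label, reply in cases:
        s = chaos_txt_strings(reply)
        verdict = "leak" if looks_like_real_version(s) else "ok"
        print(label, "rcode", rcode(reply), s, verdict)
```

The same query with qname "hostname.bind" or "id.server" covers the other two CHAOS records Rick lists. For the Unbound resolver discussed elsewhere in this thread the corresponding knobs are hide-identity: yes and hide-version: yes in the server: section; NSD has hide-version: yes.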


Re: [DNG] Listserver configuration

2017-07-04 Thread Joachim Fahrner

On 2017-07-04 18:27, Alessandro Selli wrote:

>   I'm afraid this has to do with the DNS server you're using (;; SERVER:
> 127.0.0.1#53(127.0.0.1), that is), as I get these values:



Enter "dyne.org" here: http://www.dnsqueries.com/en/dns_lookup.php and 
select "ALL". That delivers the same results as my DNS server. That 
seems location dependent, so I assume this is delivered through a CDN.




Re: [DNG] Listserver configuration

2017-07-04 Thread Joachim Fahrner

On 2017-07-04 18:27, Alessandro Selli wrote:
>   I'm afraid this has to do with the DNS server you're using (;; SERVER:
> 127.0.0.1#53(127.0.0.1), that is), as I get these values:
> 
> [alessandro@draco ~]$ dig tupac2.dyne.org
> 
> ; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19560
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;tupac2.dyne.org.   IN  A
> 
> ;; ANSWER SECTION:
> tupac2.dyne.org.300 IN  A   178.62.188.7
> 
> ;; AUTHORITY SECTION:
> dyne.org.   86400   IN  NS  ns2.dyne.org.
> dyne.org.   86400   IN  NS  ns3.dyne.org.
> dyne.org.   86400   IN  NS  ns.dyne.org.
> 
> ;; ADDITIONAL SECTION:
> ns.dyne.org.86400   IN  A   188.166.98.127
> ns.dyne.org.86400   IN  AAAA    2a03:b0c0:2:d0::95:e001
> ns2.dyne.org.   86400   IN  A   198.199.70.248
> ns2.dyne.org.   86400   IN  AAAA    2604:a880:400:d0::27:4001
> ns3.dyne.org.   86400   IN  A   178.21.114.142
> 
> ;; Query time: 1041 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jul 04 18:19:43 CEST 2017
> ;; MSG SIZE  rcvd: 217
> 
> [alessandro@draco ~]$
> 
>   Which is consistent with the domain's value of 86400 for the EXPIRE SOA
> record:
> 
> [alessandro@draco ~]$ host -t SOA dyne.org
> dyne.org has SOA record ns.dyne.org. root.dyne.org. 2017062500 7200 3600 86400 900
> [alessandro@draco ~]$


Strange. Is there some CDN in between?

$ dig @198.199.70.248 tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> @198.199.70.248 tupac2.dyne.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51709
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.   IN  A

;; ANSWER SECTION:
tupac2.dyne.org.300 IN  A   178.62.188.7

;; AUTHORITY SECTION:
dyne.org.   900 IN  NS  ns3.dyne.org.
dyne.org.   900 IN  NS  ns2.dyne.org.
dyne.org.   900 IN  NS  ns.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.300 IN  A   188.166.98.127
ns2.dyne.org.   300 IN  A   198.199.70.248
ns3.dyne.org.   300 IN  A   178.21.114.142

;; Query time: 87 msec
;; SERVER: 198.199.70.248#53(198.199.70.248)
;; WHEN: Tue Jul 04 19:00:09 CEST 2017
;; MSG SIZE  rcvd: 161



Re: [DNG] Listserver configuration

2017-07-04 Thread Joachim Fahrner

On 2017-07-04 15:37, Alessandro Selli wrote:



>   I really wonder what mxtoolbox.com checked, as I cannot see what dns.org
> and shockmedia.com have to do with dyne.org:


That's strange. Something in my test changed dyne.org magically to 
dns.org. But that was not me, I used cut ;-)


The only explanation I have is that sometimes there is overload at the 
dyne.org DNS servers. The TTL values are really low and mostly prevent 
caching.


$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.   IN  A

;; ANSWER SECTION:
tupac2.dyne.org.300 IN  A   178.62.188.7

;; AUTHORITY SECTION:
dyne.org.   900 IN  NS  ns.dyne.org.
dyne.org.   900 IN  NS  ns2.dyne.org.
dyne.org.   900 IN  NS  ns3.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.300 IN  A   188.166.98.127
ns2.dyne.org.   300 IN  A   198.199.70.248
ns3.dyne.org.   300 IN  A   178.21.114.142

;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE  rcvd: 161





Re: [DNG] Listserver configuration

2017-07-04 Thread Alessandro Selli
On Tue, 04 Jul 2017 at 09:51:55 +0200
Joachim Fahrner  wrote:

> Am 2017-07-04 09:39, schrieb Joachim Fahrner:
>
>> Could it be that dyne.org name servers have temporary connection 
>> problems?
>
> When checking dns for tupac2.dyne.org I get 1 error and 3 warnings:
> 
> https://mxtoolbox.com/domain/tupac2.dns.org/
> 
> E https   dns.org The Certificate has a name mismatch
> E dns dns.org Primary Name Server Not Listed At Parent
> E dmarc   dns.org DNS Record not found
> E spf dns.org DNS Record not found
> W dns dns.org Bad Glue Detected
> W dns dns.org Local NS list does not match Parent NS list
> W dns dns.org Name Servers are on the Same Subnet
> W smtpmail.shockmedia.com Reverse DNS does not contain the
> hostname W smtp   mail.shockmedia.com Reverse DNS does not
> match SMTP Banner W smtp  mail.shockmedia.com 5.639 seconds
> - Warning on Connection time W smtp   mail.shockmedia.com
> 12.520 seconds - Not good! on Transaction Time

  I really wonder what mxtoolbox.com checked, as I cannot see what dns.org
and shockmedia.com have to do with dyne.org:

[alessandro@draco ~]$ host -t NS dyne.org
dyne.org name server ns2.dyne.org.
dyne.org name server ns.dyne.org.
dyne.org name server ns3.dyne.org.
[alessandro@draco ~]$ 

  Actually, I wonder how you ran the test, as I get these results:

https://mxtoolbox.com/SuperTool.aspx?action=a%3adyne.org=toolpage#


Type  Domain Name   IP Address                                                                              TTL     Status  Time (ms)  Auth  Parent  Local
NS    ns.dyne.org   188.166.98.127 [Netherlands] Amsterdam, North Holland NL Digital Ocean, Inc. (AS14061)  15 min          120
NS    ns2.dyne.org  198.199.70.248 [United States] North Bergen, New Jersey US Digital Ocean, Inc. (AS14061)  15 min          45
NS    ns3.dyne.org  178.21.114.142 [Netherlands] NL DirectVPS B.V. (AS29028)                                 15 min          123


Result

SOA Expire Value out of recommended range
ns.dyne.org reported Expire 86400 : Expire is recommended to
be between 1209600 and 2419200.  More Info
DNS Record found
No Bad Glue Detected
At Least Two Name Servers Found
All name servers are responding
All of the name servers are Authoritative
Local NS list matches Parent NS list
Name Servers appear to be Dispersed
Name Servers have Public IP Addresses
Serial numbers match
2017062500  
Primary Name Server Listed At Parent
SOA Serial Number Format appears valid
SOA Refresh Value is within the recommended range
SOA Retry Value is within the recommended range
SOA Minimum TTL Value is within allowed values
No Open Recursive Name Server Detected
No Open Zone TransferMore Info


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Listserver configuration

2017-07-04 Thread Joachim Fahrner

On 2017-07-04 09:39, Joachim Fahrner wrote:

> Could it be that dyne.org name servers have temporary connection
> problems?


When checking dns for tupac2.dyne.org I get 1 error and 3 warnings:

https://mxtoolbox.com/domain/tupac2.dns.org/

E https dns.org The Certificate has a name mismatch
E dns   dns.org Primary Name Server Not Listed At Parent
E dmarc dns.org DNS Record not found
E spf   dns.org DNS Record not found
W dns   dns.org Bad Glue Detected
W dns   dns.org Local NS list does not match Parent NS list
W dns   dns.org Name Servers are on the Same Subnet
W smtp  mail.shockmedia.com Reverse DNS does not contain the hostname
W smtp  mail.shockmedia.com Reverse DNS does not match SMTP Banner
W smtp  mail.shockmedia.com 5.639 seconds - Warning on Connection time
W smtp  mail.shockmedia.com 12.520 seconds - Not good! on Transaction Time



Re: [DNG] Listserver configuration

2017-07-04 Thread Joachim Fahrner

On 2017-07-03 22:27, Gregory Nowak wrote:


> I'm not seeing this here, and the A record for tupac2.dyne.org
> resolves correctly. Could there be a DNS issue on your end perhaps?


Normally name resolution works fine, and tupac2.dyne.org is the only 
server with such errors in my postfix log.

I'm using unbound on Devuan as a local caching recursive dns server.
Could it be that dyne.org name servers have temporary connection 
problems?

I just did several tries and got:


$ host tupac2.dyne.org
;; connection timed out; no servers could be reached
$ host tupac2.dyne.org
tupac2.dyne.org has address 178.62.188.7

BTW: why is the TTL so short (300 secs)? Maybe that's a problem?

Jochen


Re: [DNG] Listserver configuration

2017-07-03 Thread G.W. Haywood

Hi there,

On Mon, 3 Jul 2017, Antony Stone wrote:
On Monday 03 July 2017 at 22:27:44, Gregory Nowak wrote:

> On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:
>
> > I get lots of those errors in my postfix log:
> >
> > Jul  3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> > from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> > Helo command rejected: Host not found;
> > from= to= proto=ESMTP
> > helo=
> >
> > Is there some configuration problem with the list mail server?
>
> I'm not seeing this here, and the A record for tupac2.dyne.org
> resolves correctly. Could there be a DNS issue on your end perhaps?

tupac2.dyne.org resolves here perfectly well too, however surely the problem
being reported by that error message is that the machine tupac2.dyne.org
cannot resolve fahrner.name (which also resolves here perfectly okay)?


No, the issue does seem to be at or before the 'helo' command stage, but
the error message isn't terribly clear to me because I'm a Sendmail
user. :/  Whatever isn't found (presumably not found by the DNS server
which Postfix is using) it isn't the envelope recipient, which has not
been established at the 'helo' stage.

The nameservers for dyne.org look fine, and I see no problems (in the
UK, with Sendmail & BIND).

In a case like this I'd look at my nameserver logs.  If you don't use
a local nameserver you could set up a caching-only server just so it
can log things.  That might even fix the problem. :)  Alternatively you
could run a tool like tcpdump to record the traffic and then display
it e.g. with Ethereal.

--

73,
Ged.


Re: [DNG] Listserver configuration

2017-07-03 Thread Antony Stone
On Monday 03 July 2017 at 22:27:44, Gregory Nowak wrote:

> On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:
> > I get lots of those errors in my postfix log:
> > 
> > Jul  3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> > from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> > Helo command rejected: Host not found;
> > from= to= proto=ESMTP
> > helo=
> > 
> > Is there some configuration problem with the list mail server?
> 
> I'm not seeing this here, and the A record for tupac2.dyne.org
> resolves correctly. Could there be a DNS issue on your end perhaps?

tupac2.dyne.org resolves here perfectly well too, however surely the problem 
being reported by that error message is that the machine tupac2.dyne.org 
cannot resolve fahrner.name (which also resolves here perfectly okay)?


Antony.

-- 
Roses are red,
Bacon is too,
Poetry's hard,
Bacon.
with thanks to Claire Davison

   Please reply to the list;
 please *don't* CC me.


Re: [DNG] Listserver configuration

2017-07-03 Thread Gregory Nowak
On Mon, Jul 03, 2017 at 07:09:29PM +0200, Joachim Fahrner wrote:
> I get lots of those errors in my postfix log:
> 
> Jul  3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT
> from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 :
> Helo command rejected: Host not found;
> from= to= proto=ESMTP
> helo=
> 
> Is there some configuration problem with the list mail server?

I'm not seeing this here, and the A record for tupac2.dyne.org
resolves correctly. Could there be a DNS issue on your end perhaps?

Greg


-- 
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.

--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org


[DNG] Listserver configuration

2017-07-03 Thread Joachim Fahrner

Hello,
I get lots of those errors in my postfix log:

Jul  3 18:09:16 server postfix/smtpd[2840]: NOQUEUE: reject: RCPT from tupac2.dyne.org[178.62.188.7]: 450 4.7.1 : Helo command rejected: Host not found; from= to= proto=ESMTP helo=


Is there some configuration problem with the list mail server?

Jochen
