Sorry, I missed your earlier email. I'll try to answer both questions here.
Unless you're setting spamdyke's dns-level option, it should be using the primary servers in order, followed by the secondary servers in order, every time it runs. If you're just setting the three DNS servers and not using any other dns-* options, the logic should look like this:

Total DNS query time is 30 seconds (override with dns-timeout-secs)
Max number of DNS queries to primary servers before using secondaries is 1 (override with dns-max-retries-primary)
Max number of DNS queries total is 3 (override with dns-max-retries-total)
Send query packet to 127.0.0.1, wait 10 seconds for a response (total query time divided by max number of queries)
If a response is received, use it and stop.
Send query packet to 10.128.0.9, wait 10 seconds for a response
If a response is received, use it and stop.
The number of queries to primary servers is greater than 1, start using secondaries as well
Send query packet to 169.254.169.254, wait 10 seconds for a response
If a response is received, use it. Otherwise exit with no response.

Randomizing the order of the servers would probably be a good idea (or option).... I think I didn't do that because I was trying to imitate the behavior of the system resolver library, which uses the servers in /etc/resolv.conf in order every time.

Looking at the code in dns.c, spamdyke treats an empty response as "not found" and doesn't check whether it was due to SERVFAIL or NXDOMAIN. If memory serves, I did this because there's no real difference between them as far as spamdyke is concerned. In other words, NXDOMAIN means the domain doesn't exist at all while SERVFAIL means the domain exists but no records can be found (usually because the authoritative servers aren't responding). Either way, the mail should be rejected with a temporary code so the sender will try again later (hoping the problem will resolve itself in the meantime). If the problem persists long enough, the message(s) may bounce.
Unfortunately there's no DNS code to indicate the server is malfunctioning and shouldn't be used -- spamdyke expects it to stop sending responses when that happens.

-- Sam Clippinger

> On Mar 11, 2019, at 6:58 PM, Quinn Comendant via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>
> We had an incident where both our local caching name servers stopped working. They returned SERVFAIL (see example below). They were set as the "dns-server-ip-primary" and our host-provided DNS server was set as the "dns-server-ip". Because the primaries were failing, I would expect spamdyke to automatically switch to resolve via the server set under "dns-server-ip". Instead, spamdyke just rejected all our mail for a few hours with DENIED_RDNS_MISSING. The host-provided name server was functioning fine.
>
> This is the config:
>
> dns-server-ip-primary=127.0.0.1 # Local caching name server
> dns-server-ip-primary=10.128.0.9 # Another local caching name server
> dns-server-ip=169.254.169.254 # Host-provided name server
>
> This is an example response from a query to either of the primary DNS servers:
>
> {q@oak3~} dig @10.128.0.9 apple.com mx
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 apple.com mx
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;apple.com. IN MX
>
> ;; Query time: 15 msec
> ;; SERVER: 10.128.0.9#53(10.128.0.9)
> ;; WHEN: Mon Mar 11 05:10:32 2019
> ;; MSG SIZE rcvd: 27
>
> Am I wrong to expect spamdyke to fail over to the non-primary server on a SERVFAIL?
>
> Quinn
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> https://spamdyke.org/mailman/listinfo/spamdyke-users
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
https://spamdyke.org/mailman/listinfo/spamdyke-users
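As an added illustration (not code from the thread or from spamdyke's dns.c), a Python model of the query schedule Sam walks through, run against the server behaviours from Quinn's incident. The addresses and the three settings are the thread's own; what happens when the primaries run out before the counter passes dns-max-retries-primary is an assumption the mail does not cover.

```python
"""Model of the spamdyke DNS schedule as described in Sam's reply (constructed
illustration, not spamdyke code).  Primaries are tried in order, secondaries are
added once more than dns-max-retries-primary queries have gone to primaries, at
most dns-max-retries-total queries are sent, and each waits dns-timeout-secs
divided by that total.  A server that never answers is a TIMEOUT and the lookup
moves on; a SERVFAIL is a received response, used as "not found", so it ends the
lookup without any failover."""
TIMEOUT, SERVFAIL, ANSWER = "timeout", "servfail", "answer"

# Values from the config in the thread and the defaults quoted in the reply.
PRIMARIES = ["127.0.0.1", "10.128.0.9"]        # dns-server-ip-primary
SECONDARIES = ["169.254.169.254"]              # dns-server-ip
TIMEOUT_SECS, MAX_PRIMARY, MAX_TOTAL = 30, 1, 3


def schedule(primaries, secondaries, max_primary=MAX_PRIMARY, max_total=MAX_TOTAL):
    """Ordered servers to try, following the walkthrough in the mail.
    Assumption (not stated in the mail): if the primaries are exhausted before
    the counter passes max_primary, the secondaries are appended anyway."""
    order, queue, sent_to_primary, added = [], list(primaries), 0, False
    while len(order) < max_total and queue:
        ip = queue.pop(0)
        order.append(ip)
        if ip in primaries:
            sent_to_primary += 1
        if not added and (sent_to_primary > max_primary or not queue):
            queue += secondaries
            added = True
    return order


def resolve(behaviour, primaries=PRIMARIES, secondaries=SECONDARIES,
            timeout_secs=TIMEOUT_SECS, max_total=MAX_TOTAL):
    """behaviour maps IP -> TIMEOUT | SERVFAIL | ANSWER (missing IP = TIMEOUT).
    Returns (outcome, attempts) where attempts is a list of (ip, seconds waited)."""
    wait = timeout_secs // max_total           # 30 / 3 = 10 seconds per query
    attempts = []
    for ip in schedule(primaries, secondaries, max_total=max_total):
        attempts.append((ip, wait))
        reply = behaviour.get(ip, TIMEOUT)
        if reply == ANSWER:
            return "answer", attempts
        if reply == SERVFAIL:                  # a response arrived: used as-is,
            return "not found", attempts       # e.g. DENIED_RDNS_MISSING
    return "no response", attempts             # every query timed out


if __name__ == "__main__":
    # Quinn's incident: both primaries answer SERVFAIL, the host server works.
    print(resolve({"127.0.0.1": SERVFAIL, "10.128.0.9": SERVFAIL,
                   "169.254.169.254": ANSWER}))
    # Primaries silent instead: the lookup walks on to the secondary.
    print(resolve({"169.254.169.254": ANSWER}))
```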