Mailing List Archive

IPv6 Statistics was Re: please fix your broken DNS server
On 7-jul-2005, at 16:03, Joseph T. Klein wrote:

> Some help here please. I am at a loss as to why I can't send mail
> to the City of Milwaukee.

The part that I find strange is that their DNS servers claim to be
BIND 9.3.1.

> Hence dual stacked sendmail refuses to send mail to milwaukee.gov

> I have ResolverOptions=WorkAroundBrokenAAAA in my cf file.

So sendmail doesn't try for A when it gets SERVFAIL for AAAA?

> The reply from my public servant is:
>> please go away - you are wasting our time. this issue has no
>> substantive impact
>> - it is academic.

A nice message to the city council will probably help here, although
it's of course time consuming to explain the issue such that your
average politician gets the point.

Good luck!

Iljitsch
IPv6 Statistics was Re: please fix your broken DNS server
On Thu, Jul 07, 2005 at 04:28:37PM +0200, Iljitsch van Beijnum wrote:
> >Some help here please. I am at a loss as to why I can't send mail
> >to the City of Milwaukee.
>
> The part that I find strange is that their DNS servers claim to be
> BIND 9.3.1.

Hm?

; <<>> DiG 9.3.1 <<>> @lpitmd-isp1.mpw.net. version.bind. chaos txt +norec
;; connection timed out; no servers could be reached

; <<>> DiG 9.3.1 <<>> @lpitmd-isp2.mpw.net. version.bind. chaos txt +norec
;; connection timed out; no servers could be reached

The DNS setup seems to be quite weird anyway...

gwise.ci.mil.wi.us and mhsgate.ci.mil.wi.us aren't RRs within ci.mil.wi.us
but:

gwise.ci.mil.wi.us. 60 IN NS lpitmd-isp2.mpw.net.
gwise.ci.mil.wi.us. 60 IN NS lpitmd-isp1.mpw.net.

mhsgate.ci.mil.wi.us. 60 IN NS lpitmd-isp1.mpw.net.
mhsgate.ci.mil.wi.us. 60 IN NS lpitmd-isp2.mpw.net.

; <<>> DiG 9.3.1 <<>> @lpitmd-isp1.mpw.net. version.bind. chaos txt +norec
;; connection timed out; no servers could be reached

; <<>> DiG 9.3.1 <<>> @lpitmd-isp2.mpw.net. version.bind. chaos txt +norec
;; connection timed out; no servers could be reached

So the servers who are actually authoritative don't answer to
version.bind. at all, to AAAA queries only with SERVFAIL and to A queries
properly.

Unless I'm doing something wrong here, getting rusty in DNS matters. :-)


Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
IPv6 Statistics was Re: please fix your broken DNS server
They have the TTL set to 0 - I'm thinking that this has some bad
interaction with the fail-over by Sendmail to the A record.

Could someone try and replicate the error so I know it is not
just something strange at my end?

--
Joseph T. Klein

PSTN: +1 414 961 1690 VoIP: +1 414 431 4231 Mobile: +1 414 628 3380

On Jul 7, 2005, at 9:28 AM, Iljitsch van Beijnum wrote:

> On 7-jul-2005, at 16:03, Joseph T. Klein wrote:
>
>> Some help here please. I am at a loss as to why I can't send mail
>> to the City of Milwaukee.
>
> The part that I find strange is that their DNS servers claim to be
> BIND 9.3.1.
>
>> Hence dual stacked sendmail refuses to send mail to milwaukee.gov
>
>> I have ResolverOptions=WorkAroundBrokenAAAA in my cf file.
>
> So sendmail doesn't try for A when it gets SERVFAIL for AAAA?
>
>> The reply from my public servant is:
>>> please go away - you are wasting our time. this issue has no
>>> substantive impact
>>> - it is academic.
>
> A nice message to the city council will probably help here, although
> it's of course time consuming to explain the issue such that your
> average politician gets the point.
>
> Good luck!
>
> Iljitsch
>
IPv6 Statistics was Re: please fix your broken DNS server
On Thu, Jul 07, 2005 at 04:35:33PM +0200, Daniel Roesen wrote:
> The DNS setup seems to be quite weird anyway...

It does seem kinda weird - I'm guessing that they are forwarding
requests or something. What I discovered before is below.

David.

Unfortunately, it doesn't catch this one, because the problem occurs
further up the DNS tree than the script expects. It seems that the
servers for milwaukee.gov:

itmddns1x.milwaukee.gov
itmddns2x.milwaukee.gov
itmddns3x.milwaukee.gov
itmddns4x.milwaukee.gov

will only answer queries for records of type A and CNAME for
gwise.milwaukee.gov (they won't answer queries for MX, TXT, AAAA,
NS, ...). They don't have the same problem with www.milwaukee.gov,
which indicates that there is some weird internal problem.
IPv6 Statistics was Re: please fix your broken DNS server
On Thu, Jul 07, 2005 at 03:58:10PM +0100, David Malone wrote:
> Unfortunately, it doesn't catch this one, because the problem occurs
> further up the DNS tree than the script expects. It seems that the
> servers for milwaukee.gov:
>
> itmddns1x.milwaukee.gov
> itmddns2x.milwaukee.gov
> itmddns3x.milwaukee.gov
> itmddns4x.milwaukee.gov
>
> will only answer queries for records of type A and CNAME for
> gwise.milwaukee.gov (they won't answer queries for MX, TXT, AAAA,
> NS, ...). They don't have the same problem with www.milwaukee.gov,
> which indicates that there is some weird internal problem.

Indeed. I was checking the query sequence sendmail would do (as far as I
can tell), and that would be querying for MX first. When querying for
MX, you'll eventually end up at lpitmd-isp[12].mpw.net.

More fun:

$ dig @itmddns1x.milwaukee.gov. ci.mil.wi.us. MX +norec +short
10 gwise.milwaukee.gov.
20 mhsgate.ci.mil.wi.us.
$ dig @itmddns2x.milwaukee.gov. ci.mil.wi.us. MX +norec +short
;; reply from unexpected source: 216.54.131.209#53, expected 216.56.88.112#53
;; reply from unexpected source: 216.54.131.209#53, expected 216.56.88.112#53
;; reply from unexpected source: 216.54.131.209#53, expected 216.56.88.112#53
;; connection timed out; no servers could be reached
$ dig @itmddns3x.milwaukee.gov. ci.mil.wi.us. MX +norec +short
20 mhsgate.ci.mil.wi.us.
10 gwise.milwaukee.gov.
$ dig @itmddns4x.milwaukee.gov. ci.mil.wi.us. MX +norec +short
;; reply from unexpected source: 216.54.131.210#53, expected 216.56.88.113#53
;; reply from unexpected source: 216.54.131.210#53, expected 216.56.88.113#53
;; reply from unexpected source: 216.54.131.210#53, expected 216.56.88.113#53
;; connection timed out; no servers could be reached

where 216.54.131.209 is the IP of itmddns1x, and 216.54.131.210 is
the IP of itmddns3x.

I think Joseph's assessment of "broken" was quite correct. In multiple
ways.


Regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
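
Added example, not part of any poster's message: a small Python check that reads dig transcripts and flags the two misbehaviours discussed above (AAAA failing where A succeeds, and replies arriving from an address other than the one queried). The transcript, server names and addresses are constructed placeholders, and the parser assumes the "@server name type" argument order.

```python
import re

# Assumption: banners use the "@server name type" argument order.
BANNER = re.compile(r"^; <<>> DiG \S+ <<>> @(\S+) (\S+) (\S+)")
STATUS = re.compile(r"status: (\w+)")
WRONG_SRC = re.compile(r"reply from unexpected source: (\S+)#\d+, expected")
# Constructed transcript (placeholder names, documentation addresses).
SAMPLE = """\
; <<>> DiG 9.3.1 <<>> @ns1.example. mail.example. A +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
; <<>> DiG 9.3.1 <<>> @ns1.example. mail.example. AAAA +norec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
; <<>> DiG 9.3.1 <<>> @ns2.example. example. MX +norec
;; reply from unexpected source: 192.0.2.9#53, expected 198.51.100.9#53
;; connection timed out; no servers could be reached
"""

def parse_dig(text):
    """Split a dig transcript into one record per query banner."""
    queries = []
    for line in text.splitlines():
        if (m := BANNER.match(line)):
            queries.append({"server": m[1], "qname": m[2], "qtype": m[3].upper(),
                            "status": None, "wrong_src": set()})
        elif queries:
            q = queries[-1]
            if STATUS.search(line):
                q["status"] = STATUS.search(line).group(1)
            elif WRONG_SRC.search(line):
                q["wrong_src"].add(WRONG_SRC.search(line).group(1))
            elif "connection timed out" in line and not q["status"]:
                q["status"] = "TIMEOUT"
    return queries

def find_issues(queries):
    """Map each (server, qname) to its list of issues (empty when healthy)."""
    targets, issues = {}, {}
    for q in queries:
        targets.setdefault((q["server"], q["qname"]), {})[q["qtype"]] = q
    for key, t in targets.items():
        a, aaaa = t.get("A"), t.get("AAAA")
        found = issues[key] = []
        # A answers but AAAA fails hard: the case a dual-stack MTA trips over.
        if a and aaaa and a["status"] == "NOERROR" and aaaa["status"] in ("SERVFAIL", "TIMEOUT"):
            found.append("aaaa-" + aaaa["status"].lower() + "-but-a-ok")
        srcs = sorted(set().union(*(q["wrong_src"] for q in t.values())))
        if srcs:  # resolvers discard replies from an address they did not query
            found.append("unexpected-source:" + ",".join(srcs))
    return issues
```
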
IPv6 Statistics was Re: please fix your broken DNS server
Thank you for the tips.

I neglected to include one detail. The MX is for milwaukee.gov.

So users' addresses are user@milwaukee.gov - example mayor@milwaukee.gov

same/same for ci.mil.wi.us - so I guess the analysis is the same.

; <<>> DiG 9.2.2 <<>> MX milwaukee.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11999
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;milwaukee.gov. IN MX

;; ANSWER SECTION:
milwaukee.gov. 24 IN MX 20 mhsgate.ci.mil.wi.us.
milwaukee.gov. 24 IN MX 10 gwise.milwaukee.gov.

;; AUTHORITY SECTION:
milwaukee.gov. 24 IN NS itmddns2x.milwaukee.gov.
milwaukee.gov. 24 IN NS itmddns3x.milwaukee.gov.
milwaukee.gov. 24 IN NS itmddns4x.milwaukee.gov.
milwaukee.gov. 24 IN NS itmddns1x.milwaukee.gov.

;; Query time: 10 msec
;; SERVER: 192.133.102.1#53(192.133.102.1)
;; WHEN: Thu Jul 7 11:14:33 2005
;; MSG SIZE rcvd: 185

--
Joseph T. Klein

PSTN: +1 414 961 1690 VoIP: +1 414 431 4231 Mobile: +1 414 628 3380

On Jul 7, 2005, at 9:03 AM, Joseph T. Klein wrote:

> List,
>
> Some help here please. I am at a loss as to why I can't send mail
> to the City of Milwaukee. I get.
>
> The MX records are:
>
> monet# dig AAAA ci.mil.wi.us
>
> ; <<>> DiG 9.3.1 <<>> AAAA ci.mil.wi.us
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13587
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ci.mil.wi.us. IN AAAA
>
> ;; AUTHORITY SECTION:
> ci.mil.wi.us. 60 IN SOA itmddns1.milwaukee.gov. chapan.milwaukee.gov. 53 7200 7200 604800 86400
>
> ;; Query time: 21 msec
> ;; SERVER: 192.133.102.1#53(192.133.102.1)
> ;; WHEN: Thu Jul 7 07:11:59 2005
> ;; MSG SIZE rcvd: 95
>
> renoir:~ jtk$ dig AAAA gwise.milwaukee.gov
>
> ; <<>> DiG 9.2.2 <<>> AAAA gwise.milwaukee.gov
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6934
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;gwise.milwaukee.gov. IN AAAA
>
> ;; Query time: 86 msec
> ;; SERVER: 192.133.102.1#53(192.133.102.1)
> ;; WHEN: Thu Jul 7 08:59:44 2005
> ;; MSG SIZE rcvd: 37
>
> Hence dual stacked sendmail refuses to send mail to milwaukee.gov
>
> I have ResolverOptions=WorkAroundBrokenAAAA in my cf file.
>
> The reply from my public servant is:
>
> --
> Joseph T. Klein
>
> PSTN: +1 414 961 1690 VoIP: +1 414 431 4231 Mobile: +1 414 628 3380
>
>
> Begin forwarded message:
>
>> From: Gerard Froh <gfroh@mpw.net>
>> Date: July 7, 2005 8:06:28 AM CDT
>> To: "Joseph T. Klein" <josephtklein@mac.com>
>> Subject: Re: IPv6 Statistics was Re: please fix your broken DNS server
>>
>> please go away - you are wasting our time. this issue has no
>> substantive impact
>> - it is academic.
>> gf
>> Gerard Froh
>> GFroh@mpw.net
>> 286-3547
>> Milwaukee Public Works
>> "Right-of-Way the Right Way"
>> http://www.MPW.net/
>>
>>
>>
>>
>> ----- Message from josephtklein@mac.com ---------
>> Date: Thu, 7 Jul 2005 02:20:13 -0500
>> From: "Joseph T. Klein" <josephtklein@mac.com>
>> Reply-To: "Joseph T. Klein" <josephtklein@mac.com>
>> Subject: IPv6 Statistics was Re: please fix your broken DNS server
>> To: Ken Walker <kwalke@mpw.net>
>>
>> Ken et al,
>>
>> Somewhat dated statistics - so the other cc'ed know it is a rare
>> problem and not a general BIND 9 issue.
>>
>> 2004 RIPE survey has 0.08% of servers returning SERVFAIL.
>>
>>
>>
>> ----- End message from josephtklein@mac.com -----
>>
>
>