Mailing List Archive

CNAME lookup failed =(
Hi All,

While my outgoing servers worked fine for the last few years, I now get more and more
complaints about bounces and suddenly see TONS of "CNAME lookup failed"
lines in my send logs.

The domains I identified return large DNS ANY replies, but as
I run netqmail on Gentoo, which comes with the "large dns patch"
(http://www.ckdhr.com/ckd/qmail-103.patch), I assume this shouldn't be a
problem.

I wonder if:
a) This problem might be cured by using the any-to-cname patch
b) This patch might have any other side effects (what about A-record MX?)
c) There is any other solution (put djb dnscache in between?)

best regards

Oliver
--
Protect your environment - close windows and adopt a penguin!
Re: CNAME lookup failed =(
Thus said Oliver Welter on Sat, 04 Oct 2014 12:27:37 +0200:

> c) There is any other solution (put djb dnscache in between?)

You should use djbdns' dnscache regardless of what patch you might
consider. This is all you should need:

http://marc.info/?l=qmail&m=134062672511072&w=2

Andy
--
TAI64 timestamp: 4000000054301f05
Re: CNAME lookup failed =(
Hi Andy

Am 04.10.2014 um 18:22 schrieb Andy Bradford:
> Thus said Oliver Welter on Sat, 04 Oct 2014 12:27:37 +0200:
>
>> c) There is any other solution (put djb dnscache in between?)
>
> You should use djbdns' dnscache regardless of what patch you might
> consider. This is all you should need:
>
> http://marc.info/?l=qmail&m=134062672511072&w=2
>
You ruined my day =(

I set up dnscache on localhost and now get tons of
"I_couldn't_find_any_host_named_". When I do a "dig" against the local
dns cache for a new domain, I immediately get an empty answer. Waiting
for some seconds and querying the cache again returns the correct data.

Any idea what went wrong?

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: CNAME lookup failed =(
* Oliver Welter <mail@oliwel.de> [2014-10-04 12:43]:
> while my outgoing servers worked fine the last years I get more and more
> complaints about bounces and see suddenly TONS of "CNAME lookup failed"
> lines in my send logs.
>
> The domains I identified return large DNS-any replies, but as
> I run a netqmail on gentoo which comes with the "large dns patch"
> (http://www.ckdhr.com/ckd/qmail-103.patch), I assume this shouldnt be a
> problem.

The DNS code in qmail is plain broken and the large-dns-patch
unfortunately doesn't solve it completely. With the ever growing DNS
records this is exposed more often now.

Using dnscache mitigates it a bit but really is a crude workaround and
doesn't solve the issue completely either.

> c) There is any other solution

The solution is to rip out the dns code in qmail and call the
libc-provided one instead.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
Re: CNAME lookup failed =(
Hello Henning,

Am 06.10.2014 um 13:07 schrieb Henning Brauer:
> * Oliver Welter <mail@oliwel.de> [2014-10-04 12:43]:
>> while my outgoing servers worked fine the last years I get more and more
>> complaints about bounces and see suddenly TONS of "CNAME lookup failed"
>> lines in my send logs.
>>
>> The domains I identified return large DNS-any replies, but as
>> I run a netqmail on gentoo which comes with the "large dns patch"
>> (http://www.ckdhr.com/ckd/qmail-103.patch), I assume this shouldnt be a
>> problem.
>
> The DNS code in qmail is plain broken and the large-dns-patch
> unfortunately doesn't solve it completely. With the ever growing DNS
> records this is exposed more often now.

> The solution is to rip out the dns code in qmail and call the
> libc-provided instead.

Well, I know, but my coding knowledge in C is not enough to do so. If
you have done so, might you share your patch for that?

Oliver
--
Protect your environment - close windows and adopt a penguin!
Re: CNAME lookup failed =(
Thus said Oliver Welter on Mon, 06 Oct 2014 12:24:53 +0200:

> > http://marc.info/?l=qmail&m=134062672511072&w=2
> >
> You ruined my day =(

Sorry, that was not my intention. :-)

> I setup dnscache on the localhost and now get tons of
> "I_couldn't_find_any_host_named_". When I do a "dig" against the local
> dns cache for a new domain, I immediately get an empty answer.

Perhaps you have an unintelligent firewall that is blocking ports that
it doesn't like or something. I really cannot say why this would occur,
but it isn't strictly necessary to run dnscache---I run it without
problems, and with the patch above have never run into any CNAME errors.

It would be interesting to know what some of the domains are that your
qmail is having trouble sending email to.

> Waiting for some seconds and querying the cache again returns the
> correct data.

What do the dnscache logs have to say about it? Restart dnscache and
then query a single domain which fails. Then send the logs.

Andy
--
TAI64 timestamp: 4000000054337d61
Re: CNAME lookup failed =(
Am 07.10.2014 um 07:42 schrieb Andy Bradford:
> Thus said Oliver Welter on Mon, 06 Oct 2014 12:24:53 +0200:
>
>>> http://marc.info/?l=qmail&m=134062672511072&w=2
>>>
>> You ruined my day =(
>
> Sorry, that was not my intention. :-)

Glad to hear.

>> I setup dnscache on the localhost and now get tons of
>> "I_couldn't_find_any_host_named_". When I do a "dig" against the local
>> dns cache for a new domain, I immediately get an empty answer.
>
> Perhaps you have an unintelligent firewall that is blocking ports that
> it doesn't like or something. I really cannot say why this would occur,
> but it isn't strictly necessary to run dnscache---I run it without
> problems, and with the patch above have never run into any CNAME errors.

No firewall; DNS itself works, and as I said, after some time I get answers
(might be when a different upstream server is queried?).

> It would be interesting to know what some of the domains are that your
> qmail is having trouble sending email to.

It ranges from google.com (large DNS responses) to john-doe domains with a
single record.

>> Waiting for some seconds and querying the cache again returns the
>> correct data.
>
> What do the dnscache logs have to say about it? Restart dnscache and
> then query a single domain which fails. Then send the logs.
>

dig -t mx google.com @127.0.0.1

; <<>> DiG 9.9.5 <<>> -t mx google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN MX

;; Query time: 1035 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 07 09:17:42 CEST 2014
;; MSG SIZE rcvd: 28


@400000005433937322894154 starting
@400000005433937f32241cec query 1
00000000000000000000ffff7f000001:8a7b:d48f 15 google.com.
@400000005433937f322424bc tx 0 15 google.com. .
00000000000000000000ffffd4120305 00000000000000000000ffffd4120005
00000000000000000000ffff08080808 00000000000000000000ffffd5a04040
@400000005433938136ba1be4 stats 1 0 1 0
@400000005433938136ba1fcc sent 1 28


With google.com it looks like I NEVER get an answer back, even on
repeated queries.

Running against my personal domain shows what I said:

listsrv dnscache # dig -t mx oliwel.de @127.0.0.1

; <<>> DiG 9.9.5 <<>> -t mx oliwel.de @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51751
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;oliwel.de. IN MX

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 07 09:20:48 CEST 2014
;; MSG SIZE rcvd: 27

listsrv dnscache # dig -t mx oliwel.de @127.0.0.1

; <<>> DiG 9.9.5 <<>> -t mx oliwel.de @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54205
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;oliwel.de. IN MX

;; ANSWER SECTION:
oliwel.de. 86400 IN MX 10 mx.serverpilot.net.
oliwel.de. 86400 IN MX 5 mx2.serverpilot.net.
oliwel.de. 86400 IN MX 20 mx2.serverpilot.net.

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 07 09:20:49 CEST 2014
;; MSG SIZE rcvd: 97

@400000005433945a294f4b64 query 8
00000000000000000000ffff7f000001:a830:ca27 15 oliwel.de.
@400000005433945a294f4f4c tx 0 15 oliwel.de. .
00000000000000000000ffff08080808 00000000000000000000ffffd5a04040
00000000000000000000ffffd4120305 00000000000000000000ffffd4120005
@400000005433945a2a62f99c stats 8 0 1 0
@400000005433945a2a62f99c sent 8 27
@400000005433945b37a32bf4 query 9
00000000000000000000ffff7f000001:8f1f:d3bd 15 oliwel.de.
@400000005433945b37a32fdc tx 0 15 oliwel.de. .
00000000000000000000ffffd5a04040 00000000000000000000ffff08080808
00000000000000000000ffffd4120305 00000000000000000000ffffd4120005
@400000005433945b38672fa4 rr 00000000000000000000ffffd5a04040 600 1
mx.serverpilot.net. 52873a23
@400000005433945b3867338c rr 00000000000000000000ffffd5a04040 600 1
mx2.serverpilot.net. 52873a31
@400000005433945b3867338c rr 00000000000000000000ffffd5a04040 86400 mx
oliwel.de. 10 mx.serverpilot.net.
@400000005433945b3867338c rr 00000000000000000000ffffd5a04040 86400 mx
oliwel.de. 5 mx2.serverpilot.net.
@400000005433945b38673774 rr 00000000000000000000ffffd5a04040 86400 mx
oliwel.de. 20 mx2.serverpilot.net.
@400000005433945b38673774 stats 9 194 1 0
@400000005433945b38677dc4 sent 9 97


regards

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: CNAME lookup failed =(
Hi Oliver

On Tue, 07 Oct 2014 09:23:11 +0200, Oliver Welter <mail@oliwel.de> wrote :

Maybe I'm a little off-topic in this thread.

a) In case you set up djbdns you should increase the UDP buffer size. It is still fixed to IPv4's 512 bytes.
If I remember correctly, transmit.c has udpbuf defined.

b) Henning wrote 'qmail's dns is broken'. Well, I would say it no longer complies with today's
needs. Therefore I suggest the following solutions:

1. Use my Spamcontrol patch for qmail (this is my standard answer). It omits the ANY lookup and
provides some cleartext messages in the logs in case CNAME problems are seen.

2. Spamcontrol (and more generally qmail) may use the djbdns libs. Nikolev has provided a patch for
that. This is useful for qmail-remote and simply tells qmail-remote to use the djbdns libs (in the
Makefile):


qmail-remote: \
load qmail-remote.o control.o constmap.o timeoutread.o timeoutwrite.o \
timeoutconn.o tcpto.o now.o dns.o ip.o ipalloc.o ipme.o quote.o \
ndelay.a case.a sig.a open.a lock.a seek.a getln.a stralloc.a alloc.a \
tls_timeoutio.o case.a tls_remote.o base64.o md5c.o hmac_md5.o \
substdio.a error.a str.a fs.a auto_qmail.o dns.lib socket.lib
	./load qmail-remote control.o constmap.o timeoutread.o \
	timeoutwrite.o timeoutconn.o tcpto.o now.o ip.o \
	ipalloc.o ipme.o quote.o ndelay.a case.a sig.a open.a \
	lock.a seek.a getln.a stralloc.a alloc.a substdio.a \
	str.a fs.a auto_qmail.o base64.o md5c.o hmac_md5.o \
	tls_remote.o tls_timeoutio.o ucspissl.a case.a `cat ssl.lib` \
	../djbdns-1.05/qmail.a `cat socket.lib`


(that's from Spamcontrol). You need to download the Spamcontrol patch and have a look in the
doc/READMEs.

c) In general, the DNS problems (apparent in qmail for years) need to be solved on a larger scale
and not only by patches (like the 'big-dns' patch, which increases the UDP buffer to 64 K).


Hope I did not spoil your day again.

regards.
--eh.

> >
> >>> http://marc.info/?l=qmail&m=134062672511072&w=2
> >>>
> >> You ruined my day =(
> >
> > Sorry, that was not my intention. :-)

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
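To make the 512-byte buffer and the ANY-versus-CNAME points above concrete, here is an added Python model (not code from qmail, Spamcontrol, djbdns or anyone in this thread) of a fixed-buffer resolver loop in the style of the dns.c loop quoted later in the thread: a reply longer than the buffer, or one with the TC bit set, is treated as the soft failure the logs report. It runs offline against a constructed in-memory zone; the example.org names, the `fake_lookup` stand-in resolver and the `UDP_BUF`, `cname_target` and `canonicalize` names are all assumptions of the example, not qmail's.

```python
import struct
T_CNAME, T_TXT, T_ANY = 5, 16, 255
UDP_BUF = 512   # qmail-1.03's fixed reply buffer; the big-dns patch raises it to 64K

def enc_name(name):  # dotted name -> uncompressed DNS wire labels
    return b"".join(bytes([len(x)]) + x.encode() for x in name.rstrip(".").split(".")) + b"\x00"
def build_response(qname, qtype, answers):  # constructed NOERROR reply; answers = [(owner, type, rdata)]
    msg = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)   # flags: QR RD RA
    msg += enc_name(qname) + struct.pack(">HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += enc_name(owner) + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
def read_name(msg, off):  # decode a name, following RFC 1035 compression pointers -> (name, next offset)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # pointer: jump, but remember where to resume
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) + ".", (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
def cname_target(resp, bufsize=UDP_BUF):
    """Fixed-buffer UDP reader: over-long or TC-flagged reply -> soft failure; else CNAME target or None."""
    if len(resp) > bufsize or struct.unpack(">H", resp[2:4])[0] & 0x0200:
        raise RuntimeError("CNAME lookup failed: %d-byte reply, %d-byte buffer" % (len(resp), bufsize))
    an = struct.unpack(">H", resp[6:8])[0]
    off = read_name(resp, 12)[1] + 4             # skip the single question's QTYPE/QCLASS
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        if rtype == T_CNAME:
            return read_name(resp, off + 10)[0]
        off += 10 + rdlen
    return None
def canonicalize(name, lookup, qtype=T_CNAME, bufsize=UDP_BUF, hops=10):
    """Model of a dns_cname()-style loop: follow CNAMEs at most `hops` times using qtype and bufsize."""
    for _ in range(hops):
        target = cname_target(lookup(name, qtype), bufsize)
        if target is None: return name
        name = target
    raise RuntimeError("CNAME chain longer than %d hops" % hops)

# Constructed zone: mail.example.org is a CNAME for example.org, whose ANY reply is 725 bytes of TXT clutter
ZONE = {"mail.example.org.": [("mail.example.org.", T_CNAME, enc_name("example.org."))],
        "example.org.": [("example.org.", T_TXT, b"\x3f" + b"v=spf1 mx ~all".ljust(63))] * 8}
def fake_lookup(name, qtype):  # stand-in resolver: the zone's records matching qtype (all for ANY)
    return build_response(name, qtype, [rr for rr in ZONE.get(name, []) if qtype in (T_ANY, rr[1])])
```

Calling `canonicalize("mail.example.org.", fake_lookup, qtype=T_ANY)` reproduces the failure, and the same call with `qtype=T_CNAME` or with `bufsize=65536` shows each of the two mitigations discussed in this thread succeeding.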
Re: CNAME lookup failed =(
* Oliver Welter <mail@oliwel.de> [2014-10-06 15:35]:
> Am 06.10.2014 um 13:07 schrieb Henning Brauer:
> > * Oliver Welter <mail@oliwel.de> [2014-10-04 12:43]:
> >> while my outgoing servers worked fine the last years I get more and more
> >> complaints about bounces and see suddenly TONS of "CNAME lookup failed"
> >> lines in my send logs.
> >> The domains I identified return large DNS-any replies, but as
> >> I run a netqmail on gentoo which comes with the "large dns patch"
> >> (http://www.ckdhr.com/ckd/qmail-103.patch), I assume this shouldnt be a
> >> problem.
> > The DNS code in qmail is plain broken and the large-dns-patch
> > unfortunately doesn't solve it completely. With the ever growing DNS
> > records this is exposed more often now.
> > The solution is to rip out the dns code in qmail and call the
> > libc-provided instead.
> Well, I know but my coding knowledge in C is not enough to do so - if
> you have done so, might you share your patch for that?

sure. no promises on any kind of timeframe tho.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
Re: CNAME lookup failed =(
On 7/10/14 12:32 AM, Oliver Welter wrote:
> Well, I know but my coding knowledge in C is not enough to do so -
> if you have done so, might you share your patch for that?



I applied this patch to my qmail about a month ago and it resolved the
CNAME errors I was seeing.
Ref: http://fanf.livejournal.com/122220.html?thread=786796

I think only the second change is required.

...Richard.


--- dns.c.bak 2006-11-10 22:08:51.000000000 +1100
+++ dns.c 2014-09-01 12:28:22.000000000 +1000
@@ -211,7 +211,7 @@
if (!sa->len) return loop;
if (sa->s[sa->len - 1] == ']') return loop;
if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
- switch(resolve(sa,T_ANY))
+ switch(resolve(sa,T_CNAME))
{
case DNS_MEM: return DNS_MEM;
case DNS_SOFT: return DNS_SOFT;
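Review bot: the changed line narrows the query from T_ANY to T_CNAME, which is the only record type this canonicalization loop actually consumes, so the oversized ANY replies the thread blames for "CNAME lookup failed" are no longer requested at all; the hunk carries no comment saying so, and a one-liner above the `switch` such as `/* T_CNAME, not T_ANY: ANY replies for busy domains overflow the reply buffer */` would stop the next reader from "restoring" ANY. Please also confirm that a NOERROR reply with no CNAME record (the common case for a plain MX domain) still leaves this loop with the name unchanged rather than being reported as a failed lookup, since that is the path every non-aliased recipient now takes.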
--- qmail-remote.c.bak 2006-11-10 22:08:51.000000000 +1100
+++ qmail-remote.c 2014-09-01 12:31:27.000000000 +1000
@@ -719,7 +719,7 @@
while (*recips) {
if (!saa_readyplus(&reciplist,1)) temp_nomem();
reciplist.sa[reciplist.len] = sauninit;
- addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,!relayhost);
+ addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,0);
if (!flagalias) flagallaliases = 0;
++reciplist.len;
++recips;
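Review bot: replacing `!relayhost` with the constant 0 in the addrmangle() call changes behaviour for every delivery, not only the relayhost case: whatever that last argument switches on (per the post, the recipient-domain CNAME lookup) is now never performed, so recipient domains go out in RCPT TO exactly as given. That is what makes this change sufficient on its own, as the post says, but the hunk should record the decision in a comment at the call site, and the resulting behaviour with CNAMEd recipient domains belongs in the qmail-remote documentation so operators know why the dns.c hunk above is no longer reached from this path.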