Qmail vs PowerDNS
Hi all. I've been running qmail with great success for many years.
I'm running gentoo with netqmail-1.06-r2; my network uses PowerDNS as
its local DNS server.

I recently upgraded to pdns 4. That's broken my qmail; now all
attempts to send result in the dreaded

CNAME_lookup_failed_temporarily._(#4.4.3)

I've debugged a bit. Netqmail-1.06-r2 includes the big-dns patch, and
I verified that it was applied correctly. I've run wireshark to
capture the network transactions, and nothing looks amiss. I'm
getting valid responses, which are well under the 512-byte UDP limit
(though that shouldn't matter). The problem is clearly pdns, as when
I change my resolver to some other server, qmail is perfectly happy.

What else should I look for? What conditions other than oversize
packets would cause qmail to consistently fail the CNAME lookup?

Thanks in advance...
Re: Qmail vs PowerDNS
On 25 April 2017 at 07:16, <jrd@jrd.org> wrote:

> Hi all. I've been running qmail with great success for many years.
> I'm running gentoo with netqmail-1.06-r2; my network uses PowerDNS as
> its local DNS server.
>
> I recently upgraded to pdns 4. That's broken my qmail; now all
> attempts to send result in the dreaded
>
> CNAME_lookup_failed_temporarily._(#4.4.3)
>
> I've debugged a bit. Netqmail-1.06-r2 includes the big-dns patch, and
> I verified that it was applied correctly. I've run wireshark to
> capture the network transactions, and nothing looks amiss. I'm
> getting valid responses, which are well under the 512-byte UDP limit
> (though that shouldn't matter). The problem is clearly pdns, as when
> I change my resolver to some other server, qmail is perfectly happy.
>
> What else should I look for? What conditions other than oversize
> packets would cause qmail to consistently fail the CNAME lookup?
>
> Thanks in advance...
>

I have done the following to fix the error. In qmail-remote.c,

change

addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,!relayhost);

to

addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,0);


Look at

https://lists.dns-oarc.net/pipermail/dns-operations/2013-January/009518.html
Re: Qmail vs PowerDNS
Hi all,


> On 25.04.2017 at 06:47, Manvendra Bhangui <mbhangui@gmail.com> wrote:
>
>
> On 25 April 2017 at 07:16, <jrd@jrd.org> wrote:
> Hi all. I've been running qmail with great success for many years.
> I'm running gentoo with netqmail-1.06-r2; my network uses PowerDNS as
> its local DNS server.
>
> I recently upgraded to pdns 4. That's broken my qmail; now all
> attempts to send result in the dreaded
>
> CNAME_lookup_failed_temporarily._(#4.4.3)
>
> I've debugged a bit. Netqmail-1.06-r2 includes the big-dns patch, and
> I verified that it was applied correctly. I've run wireshark to
> capture the network transactions, and nothing looks amiss. I'm
> getting valid responses, which are well under the 512-byte UDP limit
> (though that shouldn't matter). The problem is clearly pdns, as when
> I change my resolver to some other server, qmail is perfectly happy.
>
> What else should I look for? What conditions other than oversize
> packets would cause qmail to consistently fail the CNAME lookup?
>
> Thanks in advance...
>
> I have done the following to fix the error. In qmail-remote.c,
>
> change
> addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,!relayhost);
> to
> addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,0);

The prototype of addrmangle looks like the following:

void addrmangle(stralloc *saout,char *s,int *flagalias,int flagcname) /* host has to be canonical, box has to be quoted */

Strange:

int flagcname <=> !relayhost

and later

*flagalias = flagcname

...

if (flagcname)
  switch(dns_cname(&canonhost)) {
    case 0: *flagalias = 0; break;
    case DNS_MEM: temp_nomem();
    case DNS_SOFT: temp_dnscanon();
    case DNS_HARD: ; /* alias loop, not our problem */
  }

The entire routine seems to be questionable given today's conditions.

Regards.
--eh.





>
> Look at
> https://lists.dns-oarc.net/pipermail/dns-operations/2013-January/009518.html

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: EE00CF65
Re: Qmail vs PowerDNS
Hi,



> On 25.04.2017 at 12:54, jrd@jrd.org wrote:
>
> From: Erwin Hoffmann <feh@fehcom.de>
> Date: Tue, 25 Apr 2017 09:47:52 +0200
>
> [...]
> The entire routine seems to be questionable given today's conditions.
>
> Agreed. I puzzled over that code a bit as well.
>
> After doing some more digging, reviewing the thread Manvendra cited, I
> guess I think my best path forward is to simply patch that call.
> feh, what's your sense? Does it make sense to incorporate that change
> into [net]qmail going forward, or do you think it would be better to
> fix addrmangle so as to do a better job?


Actually, I never ran into the problem you mention. Maybe it's because I avoided the ANY RR DNS request from the beginning.
Seems to be a remnant from that area.

You know, for some time now I've raised 's/qmail' as a follow-up project for Qmail (mainly to support IPv6 for all modules + TLS + ....).

Kai Peter and I have decided to set up a common project called 'aqmail(.org)', which shall include all our experiences.

Regards.
--eh.


>
> It is peculiar though. When I change my resolv.conf on my mail
> gateway to point to, for instance, 8.8.8.8, everything works fine. I
> plan to do a bit more tracing of packets. It's not just about fixing
> qmail; if my DNS is doing something unexpected, I'm concerned that
> other things on my network could break too.
>
> Thanks...
>

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: EE00CF65
Re: Qmail vs PowerDNS
Thus said Erwin Hoffmann on Tue, 25 Apr 2017 09:47:52 +0200:

> The entire routine seems to be questionable given today's conditions.

For a cleaner approach, see:

http://marc.info/?l=qmail&m=134062672511072&w=2

Andy
--
TAI64 timestamp: 4000000058ff5bb5
Re: Qmail vs PowerDNS
Hi Andy,

yes, I know this conversation ... and removed those statements in s/qmail.

However, things tend to have 'two ends'.

Regards.
--eh.


> On 25.04.2017 at 16:22, Andy Bradford <amb-sendok-1495722129.icbbbiddlfmgebdgkgld@bradfords.org> wrote:
>
> http://marc.info/?l=qmail&m=134062672511072&w=2

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: EE00CF65
Qmail vs PowerDNS
Update: I figured out the misconfiguration at the pdns level.
Essentially, pdns has a configurable UDP truncation size, and the
default is bigger than a regular datagram. Setting it to a lower
value causes the server to say "truncated" and the
resolver to fall back to TCP. That makes it all work correctly.

If anybody out there is running pdns and wants details of my config,
I'm happy to oblige.

Thanks all for your input and advice.
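
The update above turns on three things: the UDP size limit, the "truncated" (TC) flag, and TCP fallback. The following is an added example, not code from the thread, qmail or pdns: it classifies a captured UDP response the way a stub resolver should, and goes slightly beyond the thread by also honouring a size advertised via EDNS0. The function names and the sample packets (`make_query`, `make_response`) are constructed for illustration.

```python
import struct

CLASSIC_LIMIT = 512   # RFC 1035 UDP payload limit when the query has no EDNS0 OPT record
TC_BIT = 0x0200       # "truncated" flag in the DNS header flags word
TYPE_OPT = 41         # EDNS0 pseudo-record (RFC 6891); its CLASS field is the UDP size

def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def advertised_udp_size(query):
    """UDP payload size the client asked for: 512 unless the query carries an OPT RR."""
    qd, an, ns, ar = struct.unpack("!4H", query[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_LIMIT)      # values below 512 are treated as 512
        off += 10 + rdlen
    return CLASSIC_LIMIT

def classify_udp_response(query, response):
    """What a stub resolver should do with this UDP response."""
    if struct.unpack("!H", response[2:4])[0] & TC_BIT:
        return "truncated: retry over TCP"
    if len(response) > advertised_udp_size(query):
        return "oversize without TC: client buffer cannot hold it"
    return "ok"

def make_query(edns_size=None):
    """Constructed sample: ANY query for example.org, optionally with an OPT RR."""
    q = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    q += b"\x07example\x03org\x00" + struct.pack("!HH", 255, 1)
    if edns_size:
        q += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return q

def make_response(size, tc=False):
    """Constructed sample: header with QR (and optionally TC) set, padded to size bytes."""
    return struct.pack("!6H", 0x1234, 0x8180 | (TC_BIT if tc else 0), 0, 0, 0, 0).ljust(size, b"\x00")
```

Feeding it the raw UDP payloads of a query/response pair from a packet capture shows whether the server kept to the size the client could accept or signalled truncation.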