Still not possible to send mail to domain libc.org

Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich,

it is still not possible for me to send any mail to the domain libc.org. 
You can't just state this is not a failure on your side and then ignore 
the rest of the thread.

The failing part is not on my side, it is the mail relay of the qmail 
system, of a major provider in Germany, rejecting the messages. This is 
out of my control to change anything on their systems.

Harald

Re: Still not possible to send mail to domain libc.org

[Rich Felker]

On Thu, Apr 23, 2015 at 08:38:23PM +0200, Harald Becker wrote:
> Hi Rich,
> 
> it is still not possible for me to send any mail to the domain
> libc.org. You can't just state this is not a failure on your side
> and then ignore the rest of the thread.
> 
> The failing part is not on my side, it is the mail relay of the
> qmail system, of a major provider in Germany, rejecting the
> messages. This is out of my control to change anything on their
> systems.

I'm not sure whether this is a bug in qmail or the recursive server
the qmail host is using -- one of them is wrongly treating timeouts as
nxdomain rather than as transient failures.

However I agree this is a serious quality of hosting issue with my
registrar's nameservers. They should not be timing out or dropping
packets like they are. I was able to reproduce the issue. So for now
I'm just going to move dns hosting for libc.org to my own nameserver.

Rich

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich !

On 23.04.2015 21:59, Rich Felker wrote:
> However I agree this is a serious quality of hosting issue with my
> registrar's nameservers. They should not be timing out or dropping
> packets like they are. I was able to reproduce the issue. So for now
> I'm just going to move dns hosting for libc.org to my own nameserver.

I'm unsure, if this is a random or quality of service problem. If so it 
should be possible to get at least some messages through to your mail 
address, but none of 10 successive tries to send messages to you, have 
been accepted.

I know this is not a prove, but it looks more like a general problem ... 
most likely, the mail relay is expecting to have the MX lookup return an 
IP address, not a name.

Harald

Re: Still not possible to send mail to domain libc.org

[Rich Felker]

On Thu, Apr 23, 2015 at 10:14:41PM +0200, Harald Becker wrote:
> Hi Rich !
> 
> On 23.04.2015 21:59, Rich Felker wrote:
> >However I agree this is a serious quality of hosting issue with my
> >registrar's nameservers. They should not be timing out or dropping
> >packets like they are. I was able to reproduce the issue. So for now
> >I'm just going to move dns hosting for libc.org to my own nameserver.
> 
> I'm unsure, if this is a random or quality of service problem. If so
> it should be possible to get at least some messages through to your
> mail address, but none of 10 successive tries to send messages to
> you, have been accepted.

Indeed, that does sound odd. I've filed a ticket with my registrar and
for now I'm moving DNS hosting to my own nameserver but it may take 24
hours to update and propagate. Hopefully that fixes things.

> I know this is not a prove, but it looks more like a general problem
> ... most likely, the mail relay is expecting to have the MX lookup
> return an IP address, not a name.

MX is never an IP address; that's not even valid and not possible to
represent in DNS. It's always a name, and it's required to be an A
record, not a CNAME. Check MX for any other domain and you'll find an
A record.

Rich

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich !

On 23.04.2015 22:52, Rich Felker wrote:
> Indeed, that does sound odd. I've filed a ticket with my registrar and
> for now I'm moving DNS hosting to my own nameserver but it may take 24
> hours to update and propagate. Hopefully that fixes things.

So let me retry the message tests tomorrow.

>> I know this is not a prove, but it looks more like a general problem
>> ... most likely, the mail relay is expecting to have the MX lookup
>> return an IP address, not a name.
>
> MX is never an IP address; that's not even valid and not possible to
> represent in DNS. It's always a name, and it's required to be an A
> record, not a CNAME. Check MX for any other domain and you'll find an
> A record.

I'm not a DNS expert, so I may not use the correct notation.

Currently the lookup has got even more ugly:

nslookup -q=mx libc.org

returns: brightrain.aerifal.cx

... but when I try to do MX lookup for brightrain.aerifal.cx, I can't 
get any authoritative address, only for A records.

Are you able to add also an MX entry for brightrain.aerifal.cx ?

All the other domains I tried return an authoritative address for MX 
lookups too, not only for A record lookup.

I searched a bit on the net, and may be this hits a qmail DNS lookup 
problem disused at different places. Looks like they are fighting which 
strategy is best for the lookups ... this is bad, but I can't do 
anything here.

Harald

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

May be this is involved in the problem:

https://lists.isc.org/pipermail/bind-users/1999-June/000649.html

Re: Still not possible to send mail to domain libc.org

[Rich Felker]

On Thu, Apr 23, 2015 at 11:25:00PM +0200, Harald Becker wrote:
> Hi Rich !
> 
> On 23.04.2015 22:52, Rich Felker wrote:
> >Indeed, that does sound odd. I've filed a ticket with my registrar and
> >for now I'm moving DNS hosting to my own nameserver but it may take 24
> >hours to update and propagate. Hopefully that fixes things.
> 
> So let me retry the message tests tomorrow.
> 
> >>I know this is not a prove, but it looks more like a general problem
> >>... most likely, the mail relay is expecting to have the MX lookup
> >>return an IP address, not a name.
> >
> >MX is never an IP address; that's not even valid and not possible to
> >represent in DNS. It's always a name, and it's required to be an A
> >record, not a CNAME. Check MX for any other domain and you'll find an
> >A record.
> 
> I'm not a DNS expert, so I may not use the correct notation.

I can see. :-)

> Currently the lookup has got even more ugly:
> 
> nslookup -q=mx libc.org
> 
> returns: brightrain.aerifal.cx
> 
> .... but when I try to do MX lookup for brightrain.aerifal.cx, I
> can't get any authoritative address, only for A records.

This is expected.

> Are you able to add also an MX entry for brightrain.aerifal.cx ?

Why would you need one? An MX for brightrain.aerifal.cx would tell
where to deliver mail sent to user@brightrain.aerifal.cx; it has
nothing to do with mail sent to user@libc.org.

> All the other domains I tried return an authoritative address for MX
> lookups too, not only for A record lookup.
> 
> I searched a bit on the net, and may be this hits a qmail DNS lookup
> problem disused at different places. Looks like they are fighting
> which strategy is best for the lookups ... this is bad, but I can't
> do anything here.

qmail is seriously buggy which is why most people abandoned it more
than a decade ago...

Rich

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich,

extending my search on qhe net I found the following:

All of the senders experiencing the bounced messages mentioning cname 
lookup failure appear to be running the qmail mail server software.

Qmail, if not using a third party patch that was written in the late 
90’s, has an issue sending to domains whose name servers respond to DNS 
queries of type “ANY” with more than 512 bytes of data; that is a bug in 
qmail and the author has never fixed it because he wants you to use his 
DNS server software which also eliminates the issue in a different way.

Google’s name servers do respond to queries of type “ANY” with more than 
512 bytes of data, so when an unpatched qmail server tries to send an 
email to a domain whose lowest cost MX record ends in .google.com, qmail 
is going to do a DNS query of type ANY against one of google.com’s 
authoritative name servers, get back more than it can correctly handle 
and defer repeatedly until ultimately bouncing the message with that 
cname lookup failure…

Harald

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

> qmail is seriously buggy which is why most people abandoned it more
> than a decade ago...

... now tell this a big provider with millions of customers (I think 
they serve over 50 million mail addresses) :(

... sorry for inconvenience, but if I got a different opportunity, I 
would take that. I have to use the mail relay as other recipients reject 
mail when not send through the relay (for SPAM avoidance), and the two 
major providers in Germany use nearly identical mail systems.

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

On 23.04.2015 23:55, Harald Becker wrote:
> Hi Rich,
>
> extending my search on qhe net I found the following:
>
> All of the senders experiencing the bounced messages mentioning cname
> lookup failure appear to be running the qmail mail server software.
>
> Qmail, if not using a third party patch that was written in the late
> 90’s, has an issue sending to domains whose name servers respond to DNS
> queries of type “ANY” with more than 512 bytes of data; that is a bug in
> qmail and the author has never fixed it because he wants you to use his
> DNS server software which also eliminates the issue in a different way.
>
> Google’s name servers do respond to queries of type “ANY” with more than
> 512 bytes of data, so when an unpatched qmail server tries to send an
> email to a domain whose lowest cost MX record ends in .google.com, qmail
> is going to do a DNS query of type ANY against one of google.com’s
> authoritative name servers, get back more than it can correctly handle
> and defer repeatedly until ultimately bouncing the message with that
> cname lookup failure…

Sorry I forgot to add the link:

https://productforums.google.com/d/msg/apps/mIGTQVZiFxo/ULesU7hOo6wJ

>
> Harald
>

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich !

I think you fixed it ... great!

Harald

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

On 24.04.2015 00:20, Harald Becker wrote:
> Hi Rich !
>
> I think you fixed it ... great!

And what changed is, the result from nslookup -q=mx libc.org:

Now it also gives an authoritative address for brightrain, not only the 
name.

Harald

Re: Still not possible to send mail to domain libc.org

[Rich Felker]

On Thu, Apr 23, 2015 at 11:55:30PM +0200, Harald Becker wrote:
> Hi Rich,
> 
> extending my search on qhe net I found the following:
> 
> All of the senders experiencing the bounced messages mentioning
> cname lookup failure appear to be running the qmail mail server
> software.

Again there are no CNAMEs involved.

> Qmail, if not using a third party patch that was written in the late
> 90’s, has an issue sending to domains whose name servers respond to
> DNS queries of type “ANY” with more than 512 bytes of data; that is
> a bug in qmail and the author has never fixed it because he wants
> you to use his DNS server software which also eliminates the issue
> in a different way.

Responses larger than 512 bytes are not supported over UDP and are
rarely used. I saw some replies close to that long but none of them
had the TC (truncation) bit set, so I don't think that's your issue
either.

Rich

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

On 24.04.2015 00:33, Rich Felker wrote:
> On Thu, Apr 23, 2015 at 11:55:30PM +0200, Harald Becker wrote:
>> Hi Rich,
>>
>> extending my search on qhe net I found the following:
>>
>> All of the senders experiencing the bounced messages mentioning
>> cname lookup failure appear to be running the qmail mail server
>> software.
>
> Again there are no CNAMEs involved.

I think several authors use the term CNAME when they see a name return 
like brightrain, which is not the sense of DNS CNAME :(

>> Qmail, if not using a third party patch that was written in the late
>> 90’s, has an issue sending to domains whose name servers respond to
>> DNS queries of type “ANY” with more than 512 bytes of data; that is
>> a bug in qmail and the author has never fixed it because he wants
>> you to use his DNS server software which also eliminates the issue
>> in a different way.
>
> Responses larger than 512 bytes are not supported over UDP and are
> rarely used. I saw some replies close to that long but none of them
> had the TC (truncation) bit set, so I don't think that's your issue
> either.

So what did you change, as it now works?

Harald

Re: Still not possible to send mail to domain libc.org

[Rich Felker]

On Fri, Apr 24, 2015 at 12:48:57AM +0200, Harald Becker wrote:
> On 24.04.2015 00:33, Rich Felker wrote:
> >On Thu, Apr 23, 2015 at 11:55:30PM +0200, Harald Becker wrote:
> >>Hi Rich,
> >>
> >>extending my search on qhe net I found the following:
> >>
> >>All of the senders experiencing the bounced messages mentioning
> >>cname lookup failure appear to be running the qmail mail server
> >>software.
> >
> >Again there are no CNAMEs involved.
> 
> I think several authors use the term CNAME when they see a name
> return like brightrain, which is not the sense of DNS CNAME :(

No, CNAME definitely means CNAME. There is no way to store an IP
address in an MX record. The form for IP addresses is completely
different than for names, and if other records like MX (vs just A) had
stored IP addresses, adding IPv6 to DNS would be a lot more
complicated than just adding AAAA records.

> >>Qmail, if not using a third party patch that was written in the late
> >>90’s, has an issue sending to domains whose name servers respond to
> >>DNS queries of type “ANY” with more than 512 bytes of data; that is
> >>a bug in qmail and the author has never fixed it because he wants
> >>you to use his DNS server software which also eliminates the issue
> >>in a different way.
> >
> >Responses larger than 512 bytes are not supported over UDP and are
> >rarely used. I saw some replies close to that long but none of them
> >had the TC (truncation) bit set, so I don't think that's your issue
> >either.
> 
> So what did you change, as it now works?

Nothing further. I suspect it was just a matter of changes propagating
to your ISP's nameservers so that they see the new records for the
libc.org domain.

Since my registrar seems to want to fix whatever's wrong, I might see
if we can reproduce the issue with another domain hosted with them so
as not to break libc.org for you again in the meantime. Let's take
that off-list though.

Rich

Re: Still not possible to send mail to domain libc.org

[Harald Becker]

Hi Rich !

On 24.04.2015 01:20, Rich Felker wrote:
> Nothing further. I suspect it was just a matter of changes propagating
> to your ISP's nameservers so that they see the new records for the
> libc.org domain.
>
> Since my registrar seems to want to fix whatever's wrong, I might see
> if we can reproduce the issue with another domain hosted with them so
> as not to break libc.org for you again in the meantime. Let's take
> that off-list though.

Let me know, if I can help you with the tests. It won't harm, if we get 
failures for libc.org again, as long as we can find the reason, and fix 
that in the final state.

Harald