[dns-operations] DNS voodoo at chaseonline.chase.com break check_sender_ns_access
Paul Vixie
paul at vix.com
Sat Jan 6 15:06:10 UTC 2007
seen on the postfix-users mailing list, thx to gadi evron for fwd'ing to me.
----- Forwarded message -----
From: Victor Duchovni <Victor.Duchovni at MorganStanley.com>
To: postfix-users at postfix.org
Date: Fri, 5 Jan 2007 11:13:11 -0500
Subject: DNS voodoo at chaseonline.chase.com break check_sender_ns_access...
DNS (loadbalancer) voodoo at chaseonline.chase.com. Parent zone NS
records for child don't match child zone authoritative NS records, which
have a TTL of 0! The supplied glue record in the child zone also has a
TTL of zero, and subsequent "A" record lookups for the NS host timeout!
This breaks check_sender_ns_access, and causes mail from them to time out.
Jan 4 00:03:59 amnesiac postfix/smtpd[26732]:
connect from smtpext45.bankone.com[159.53.110.174]
Jan 4 00:05:15 hqvsbh1 postfix/smtpd[26732]: warning:
Unable to look up NS host dns2.chaseonline.chase.com for
Sender address smccs at chaseonline.chase.com:
Temporary failure in name resolution
Jan 4 00:05:15 hqvsbh1 postfix/smtpd[26732]: 7CDE3807C:
client=smtpext45.bankone.com[159.53.110.174]
Jan 4 00:05:15 hqvsbh1 postfix/smtpd[26732]: lost connection after DATA
from smtpext45.bankone.com[159.53.110.174]
Jan 4 00:05:15 hqvsbh1 postfix/smtpd[26732]: disconnect
from smtpext45.bankone.com[159.53.110.174]
The timeout after "DATA" is because they PIPELINE as follows:
EHLO client<CRLF> Push, Wait for answer
MAIL FROM:<sender><CRLF> Push, Wait for answer
RCPT TO:<us><CRLF>DATA<CRLF> Push, Wait for two answers
It takes us ~75 seconds to timeout multiple attempts to find the IP
address of the NS host, but they drop the SMTP session after 60.
$ c=chase.com; co=chaseonline.$c; \
dig +noall +ans +auth +add -t ns $c; \
ns0=$(dig +short -t ns $c | head -n 1); \
printf "--- %s via %s ---\n" $co $ns0; \
ans=$(dig +noall +ans +auth +add -t ns $co @$ns0); echo "$ans"; \
ns1=$(echo "$ans" | awk '$4 == "NS" {print $NF; exit}'); \
printf "--- %s via %s ---\n" $co $ns1; \
ans=$(dig +noall +ans +auth +add -t ns $co @$ns1); echo "$ans"; \
ns2=$(echo "$ans" | awk '{print $NF; exit}'); \
ip2=$(echo "$ans" | awk '$4 == "A" {print $NF; exit}'); \
printf "--- %s via %s ---\n" $ns2 $ns1; \
time dig +noall +ans +add -t a $ns2 @$ns1; \
printf "--- %s via %s ---\n" $co $ip2; \
dig +noall +ans +auth +add -t ns $co @$ip2; \
printf "--- %s via %s ---\n" $ns2 $ip2; \
dig +noall +ans +auth +add -t a $ns2 @$ip2
chase.com. 295 IN NS ns06.jpmorganchase.com.
chase.com. 295 IN NS ns1.jpmorganchase.com.
chase.com. 295 IN NS ns2.jpmorganchase.com.
chase.com. 295 IN NS ns05.jpmorganchase.com.
ns1.jpmorganchase.com. 296 IN A 159.53.46.53
ns2.jpmorganchase.com. 296 IN A 159.53.78.53
ns05.jpmorganchase.com. 296 IN A 159.53.110.152
ns06.jpmorganchase.com. 296 IN A 159.53.110.153
--- chaseonline.chase.com via ns06.jpmorganchase.com. ---
chaseonline.chase.com. 600 IN NS dbes1gbx01.bankone.com.
chaseonline.chase.com. 600 IN NS dbws1gbx01.bankone.com.
chaseonline.chase.com. 600 IN NS drds1gbx02.bankone.com.
dbes1gbx01.bankone.com. 300 IN A 159.53.46.155
dbws1gbx01.bankone.com. 300 IN A 159.53.78.155
drds1gbx02.bankone.com. 300 IN A 159.53.110.154
--- chaseonline.chase.com via dbes1gbx01.bankone.com. ---
chaseonline.chase.com. 0 IN NS dns1.chaseonline.chase.com.
dns1.chaseonline.chase.com. 0 IN A 170.148.92.10
--- dns1.chaseonline.chase.com. via dbes1gbx01.bankone.com. ---
;; connection timed out; no servers could be reached
real 0m10.042s
user 0m0.011s
sys 0m0.013s
--- chaseonline.chase.com via 170.148.92.10 ---
chaseonline.chase.com. 0 IN NS dns1.chaseonline.chase.com.
dns1.chaseonline.chase.com. 0 IN A 170.148.92.10
--- dns1.chaseonline.chase.com. via 170.148.92.10 ---
dns1.chaseonline.chase.com. 0 IN A 170.148.92.10
chaseonline.chase.com. 0 IN NS dns1.chaseonline.chase.com.
dns1.chaseonline.chase.com. 0 IN A 170.148.92.10
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
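The delegation problem Victor walks through with dig (parent NS set differing from the child's own NS RRset, TTL-0 records, and an NS host whose A lookup never answers, which is what trips Postfix's check_sender_ns_access) can be checked mechanically. The script below is an added example, not Victor's or Postfix's code: it parses dig-style RR lines, compares the parent delegation with the child's authoritative NS RRset, and flags zero TTLs and NS hosts with no usable address. The RR lines are copied from the dig output in the post; the timed-out lookup for dns1.chaseonline.chase.com is represented, by assumption, as an empty answer set rather than a live query.

```python
"""Delegation consistency check in the spirit of the dig walk above.
Added example code, not the poster's script.  Input is constructed from
the RR lines shown in the post; no network queries are made."""
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")


def parse_rrs(text):
    """Parse 'dig +noall +ans +auth +add' style lines into RR tuples.
    Lines starting with ';' (dig diagnostics) and lines that are not
    'name ttl IN type rdata' are skipped."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name, ttl, rtype = parts[0].lower(), int(parts[1]), parts[3]
        rrs.append(RR(name, ttl, rtype, " ".join(parts[4:]).lower()))
    return rrs


def ns_set(rrs, zone):
    """The NS RRset for `zone` as a set of nameserver host names."""
    return {r.rdata for r in rrs if r.rtype == "NS" and r.name == zone}


def check_delegation(zone, parent_rrs, child_rrs, nshost_lookup):
    """Return a list of (kind, detail) findings.

    parent_rrs:    what the parent's servers return for the child's NS
    child_rrs:     what the child's own servers return for its NS
    nshost_lookup: dict NS-hostname -> list of RR from an A query;
                   an empty list stands for 'no answer / timed out'
    """
    findings = []
    parent_ns = ns_set(parent_rrs, zone)
    child_ns = ns_set(child_rrs, zone)
    if parent_ns != child_ns:
        findings.append(("ns-mismatch",
                         "parent=%s child=%s" % (",".join(sorted(parent_ns)),
                                                 ",".join(sorted(child_ns)))))
    # TTL 0 on NS or glue means every resolver re-asks on every lookup.
    for r in child_rrs:
        if r.ttl == 0 and r.rtype in ("NS", "A"):
            findings.append(("zero-ttl", "%s %s" % (r.name, r.rtype)))
    # An NS host that cannot be resolved is exactly what makes
    # check_sender_ns_access fail with a temporary error.
    for host in sorted(child_ns):
        addrs = [r.rdata for r in nshost_lookup.get(host, []) if r.rtype == "A"]
        if not addrs:
            findings.append(("ns-unresolvable", host))
    return findings


# Constructed input: RR lines copied from the dig output in the post.
PARENT_ANSWER = """\
chaseonline.chase.com. 600 IN NS dbes1gbx01.bankone.com.
chaseonline.chase.com. 600 IN NS dbws1gbx01.bankone.com.
chaseonline.chase.com. 600 IN NS drds1gbx02.bankone.com.
dbes1gbx01.bankone.com. 300 IN A 159.53.46.155
dbws1gbx01.bankone.com. 300 IN A 159.53.78.155
drds1gbx02.bankone.com. 300 IN A 159.53.110.154
"""
CHILD_ANSWER = """\
chaseonline.chase.com. 0 IN NS dns1.chaseonline.chase.com.
dns1.chaseonline.chase.com. 0 IN A 170.148.92.10
"""
# The A query for the NS host timed out in the post; modelled as no RRs.
NSHOST_LOOKUP = {
    "dns1.chaseonline.chase.com.": parse_rrs(";; connection timed out; no servers could be reached"),
}


def run_check():
    """Run the check over the constructed data from the post."""
    return check_delegation("chaseonline.chase.com.",
                            parse_rrs(PARENT_ANSWER),
                            parse_rrs(CHILD_ANSWER),
                            NSHOST_LOOKUP)


if __name__ == "__main__":
    for kind, detail in run_check():
        print("%-16s %s" % (kind, detail))
```

Run it as-is to see the four findings for the constructed data; to use it against a live zone, feed `parse_rrs` the output of the same dig commands the post uses, and populate the lookup dict from `dig +noall +ans -t a <nshost>` (a timeout produces no RR lines, which the parser treats as an empty answer).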