Date:      Mon, 20 May 2002 12:25:58 -0500
From:      Damon Anton Permezel <dap@damon.com>
To:        Peter Pentchev <roam@ringlet.net>
Cc:        freebsd-qa@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject:   Re: 4.6-* sendmail misfeatures
Message-ID:  <20020520122558.F962@damon.com>
In-Reply-To: <20020520191546.D349@straylight.oblivion.bg>; from roam@ringlet.net on Mon, May 20, 2002 at 07:15:46PM +0300
References:  <20020520105154.E962@damon.com> <20020520191546.D349@straylight.oblivion.bg>

It is not a matter of a timeout.
The "A ?" come back fine.
`dig' and `nslookup' both resolve the name -- there is no timeout.
`ping' works, for example.

Because sendmail "correctly" (aka: anal-retentively) adheres to a
protocol, it flags this as an error, and doesn't attempt to try the
"A ?" query.  This means that the outgoing mail sits in the queue forever.

This is not a particularly useful default behavior.

I have no control over austinenergy.com's DNS.  It has nothing to do
with my ISP.  I am my own ISP, which is why I spent some time looking
into this failure, to determine if it was a problem on my end.  It is,
because I installed a broken sendmail.

The success of the internet has often been attributed in part to the
philosophy stated in RFC 791.  I quote:

	"The implementation of a protocol must be robust.  Each
	 implementation must expect to interoperate with others created
	 by different individuals. ....
	 In general, an implementation must be conservative in its sending
	 behavior, and liberal in its receiving behavior."

Burying a "we are correct" manifesto in some README and enforcing
a default "correct" behavior results in breaking email connectivity.

It would be better to, perhaps, default to working, which I would
prefer over it being silently, secretly and smugly "correct".
If there really is a need to convert the world, syslog warning
entries might be a less unfriendly way to alert the unwashed masses
of the egregious violations of "correctness".

Cheers,
Damon.

On Mon, May 20, 2002 at 07:15:46PM +0300, Peter Pentchev wrote:
> On Mon, May 20, 2002 at 10:51:54AM -0500, Damon Anton Permezel wrote:
> > Since upgrading from 4.5 to 4.6-*, I have had problems exchanging
> > email with a correspondent at "austinenergy.com".  It shows up as:
> > 
> > 	% echo hi | mail -v no.such.user@austinenergy.com
> > 	austinenergy.com: Name server timeout
> > 	no.such.user@austinenergy.com... Transient parse error -- message queued for future delivery
> > 	no.such.user@austinenergy.com... queued
> > 
> > I have tracked this down to the fact that sendmail is using an IPv6-style
> > lookup request.  It is an "AAAA ?" rather than an "A ?" (in tcpdump-esque).
> 
> [CC'd to -qa; this seems to be a usability problem, we are in a release
>  code freeze, which mostly makes it a QA problem.]
> 
> What exactly is the tcpdump output that you have been getting?
> It seems to me that, at least from my end, it is a simple matter
> of a timeout - the nameserver for austinenergy.com is listed
> from the gTLD servers as bolt.electric.austin.tx.us, and the nameservers
> for electric.austin.tx.us seem to not reply to any requests at all:
> nslookup, dig, dnsip, dnsipq all return either a timeout or
> a 'connection refused', which is mostly synonymous to a timeout.
> 
> The fact that you see an AAAA query from sendmail is due to its (correct)
> behavior of trying an AAAA query before an A one, so as to prefer an IPv6
> AAAA record to an IPv4 A record.  The fact that sendmail does not even
> try an A query is due to its (correctly) assuming that something is wrong
> with the server - temporarily - because it received a SERVFAIL response.
> The SERVFAIL response (which means exactly as it says, a server failure,
> which is assumed to be a temporary condition) is returned by either your
> FreeBSD system's resolver library, or your ISP's nameserver, simply
> because, well, because the server failed (see above about the timeouts).
> 
> > Further investigation dug up this manifesto in the sendmail README:
> > 
> > 	When attempting to canonify a hostname, some broken name
> > 	servers will return SERVFAIL (a temporary failure) on T_AAAA
> > 	(IPv6) lookups.  If you want to excuse this behavior, include
> > 	WorkAroundBrokenAAAA in ResolverOptions.  However, instead,
> > 	we recommend catching the problem and reporting it to the
> > 	name server administrator so we can rid the world of broken
> > 	name servers.
> > 
> > So, in violation of the networking "be liberal in what you accept and
> > conservative in what you produce", sendmail in its new form will have many
> > perplexed sysadmins spending lots of time tracking down these mysterious
> > failures.
> > 
> > I suggest that the version of sendmail configs shipped with FreeBSD
> > should default to having WorkAroundBrokenAAAA set by default.
> 
> Just a question: have you tried it with this option, and did it work?
> That is, did you get a response to an A query that you did not get
> to an AAAA?  Once again, can you post some tcpdump output?
> 
> G'luck,
> Peter
> 
> -- 
> Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
> PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
> This sentence contradicts itself - or rather - well, no, actually it doesn't!



-- 
--
Damon Permezel
dap@damon.com
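
Added example, not part of the original message and not sendmail's code: a small Python model of the lookup order discussed in this thread (AAAA first, SERVFAIL treated as a temporary failure, A tried only when the workaround is enabled). The host names, addresses and function names are constructed for illustration; the warnings list stands in for a syslog entry.

```python
from enum import Enum

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2

# Constructed sample data: one name server that answers A but returns
# SERVFAIL for AAAA (the case in this thread), one healthy, one failing
# for every query type.
ZONES = {
    "broken-aaaa.example": {"AAAA": (Rcode.SERVFAIL, []),
                            "A": (Rcode.NOERROR, ["192.0.2.10"])},
    "healthy.example":     {"AAAA": (Rcode.NOERROR, []),
                            "A": (Rcode.NOERROR, ["192.0.2.20"])},
    "down.example":        {"AAAA": (Rcode.SERVFAIL, []),
                            "A": (Rcode.SERVFAIL, [])},
}

def query(name, qtype):
    """Stand-in for a resolver call; returns (rcode, addresses)."""
    return ZONES[name][qtype]

def resolve(name, work_around_broken_aaaa=False):
    """Try AAAA, then A. Returns (outcome, addresses, warnings)."""
    warnings = []
    rcode, addrs = query(name, "AAAA")
    if rcode is Rcode.SERVFAIL:
        if not work_around_broken_aaaa:
            # Strict mode: temporary failure, the A query is never sent.
            return ("tempfail", [], warnings)
        warnings.append(f"{name}: SERVFAIL on AAAA, falling back to A")
    elif addrs:
        return ("ok", addrs, warnings)
    rcode, addrs = query(name, "A")
    if rcode is Rcode.SERVFAIL:
        return ("tempfail", [], warnings)
    return ("ok" if addrs else "permfail", addrs, warnings)

def classify(name):
    """Tell an AAAA-specific failure apart from a server that is down."""
    if resolve(name)[0] == "ok":
        return "healthy"
    if resolve(name, work_around_broken_aaaa=True)[0] == "ok":
        return "broken-AAAA name server"
    return "unreachable"
```

In this model the strict path queues mail for `broken-aaaa.example` indefinitely, while the lenient path delivers and records a warning that can be reported to the name server's administrator.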