At 11:18 25-11-2005, Hector Santos wrote:
> This week, I ran across a particular new customer setup with an email domain
> that he hadn't created a MX record yet. He was using a sub domain,
> The host resolves. It's valid as there is an A record.
> Of course, the SMTP client should:
> - Do a MX query
> - if none result, do an A record query
> The problem is that I found while some other DNS servers return NOERROR, my
> DNS server returned SERVFAIL to the MX query.

SERVFAIL is returned if the DNS server cannot process the query.

> Here is what I found on the net as four different answers:
> 1) SendMail Configuration/New Behavior
> However, if the A or MX record lookup for the domain returns a
> "SERVFAIL," Sendmail will queue the message, believing it has
> encountered a transient DNS problem. For example, if a domain has a
> valid A record but returns a "SERVFAIL" when queried for an MX record
> (instead of "NOERROR" with an empty answer section), Sendmail will
> queue the message. You should contact the remote name server
> administrator in order to fix these problems."

SERVFAIL is treated as a temporary failure. There may be a problem
with the authoritative servers or the DNS server which is being
queried. Previously, sendmail did not enforce these DNS checks.

> 2) Use Multiple DNS servers.

That's not really a solution as you can still get SERVFAIL in some
cases. The best practice however is to have more than one
authoritative DNS server for redundancy. They should have diverse
paths. Each DNS is in a different geographical location.

> 3) Lame Delegation
> I saw other comments pointing it to be mostly a DNS configuration issue,

That's a different issue. You should only list DNS servers which are
authoritative for the domain.

> 4) Ignore SERVFAIL?
> Some just said that the SMTP client should be looking at SERVFAIL as a

No, see above. You may lose mail if you rejected based on DNS failures.

> I have a second DNS server so the result was found at my secondary UUNET
> server. But in general, I am trying to see why I got the SERVFAIL error in
> the first place and in general for customers who might just have 1 DNS
> server, how a SERVFAIL should be handled. We are querying it. So it's not a
> matter of lost mail.

Query the authoritative servers and see whether you get a
SERVFAIL. If you don't, flush the cache and query your DNS
server. BTW, truncated DNS replies can cause
SERVFAIL. Misconfigured firewalls can also affect DNS responses.
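
The MX lookup handling discussed in this thread, as an added example that is not part of either message: it reads the RCODE, TC bit and answer count from a DNS reply header and picks the SMTP client's next step (empty NOERROR falls back to the A record, SERVFAIL queues the message). The function names, the action strings, the retry over TCP for truncated replies, and the treatment of NXDOMAIN and of other RCODEs are assumptions of the example; the sample headers are constructed.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Pull RCODE, the TC (truncated) bit and ANCOUNT out of a DNS reply."""
    if len(msg) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "ancount": ancount}

def after_mx_query(reply: bytes) -> str:
    """Next step for the SMTP client once the MX reply is in (names assumed)."""
    h = parse_header(reply)
    if h["tc"]:
        return "retry-over-tcp"      # truncated reply: do not act on it
    if h["rcode"] == NOERROR:
        # Empty answer section means "no MX": fall back to the A record.
        return "use-mx" if h["ancount"] else "query-a"
    if h["rcode"] == NXDOMAIN:
        return "bounce"              # assumption: name does not exist, permanent
    return "queue"                   # SERVFAIL (and, by assumption, any other RCODE)

def _reply(flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte reply header (ID 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample replies, not captured traffic.
SAMPLES = {
    "mx present":     _reply(0x8180, 1),
    "noerror, no mx": _reply(0x8180, 0),
    "servfail":       _reply(0x8182, 0),
    "nxdomain":       _reply(0x8183, 0),
    "truncated":      _reply(0x8380, 0),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} -> {after_mx_query(raw)}")
```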