Re: [exim] Potential logic error in retry handling for IPv4+…

Author: Marc Haber
Date:
To: exim-users
Subject: Re: [exim] Potential logic error in retry handling for IPv4+IPv6 hosts
On Mon, 5 Dec 2005 14:27:43 +0000 (GMT), Philip Hazel
<ph10@???> wrote:
>I think we are stuck until there is more evidence.


This is actually an issue with how exim handles DNS answers. Just
imagine that the A record for a target host name expires in the
resolver's cache some time earlier than the AAAA record. When exim now
queries for the MX record, the resolver returns the data which it
still has cached, which is the AAAA record, in the additional section.

Exim will believe the information from the additional section, and try
delivering there.

Here is a script which can be used to reproduce the issue. I believe
this is independent of whether the host actually has IPv6
connectivity. The script should be run only once at a time against the
same resolving DNS server. The domain brokenv6.zugschlus.de and the
host name mailgate.brokenv6.zugschlus.de have been especially
configured for this demonstration with a TTL of 120 seconds, and
nobody@??? is available for tests - messages to that
address are accepted and blackholed.

#!/bin/bash

# Print each command before running it, so the transcript records the
# timeline; "$@" keeps the arguments intact when they are passed on.
withecho() {
echo "$@"
"$@"
}

echo have the prepared DNS entries expire from the cache TTL 120
withecho sleep 180

echo pull A record into cache
withecho dig mailgate.brokenv6.zugschlus.de A > /dev/null

echo have records expiration time deviate
withecho sleep 60

echo output 1, should show A and AAAA in ADDITIONAL SECTION
withecho dig brokenv6.zugschlus.de MX

echo exim will deliver message to v4 and v6
withecho exim -bt nobody@???

echo have A record expire
withecho sleep 65

echo output 2, should show only AAAA record in ADDITIONAL SECTION
withecho dig brokenv6.zugschlus.de MX

echo exim will now only try delivery to v6
withecho exim -bt nobody@???

Here is the script output, edited to the relevant parts:

|[19/516]mh@ivanova:~/enyo$ ./reproduce
|have the prepared DNS entries expire from the cache TTL 120
|sleep 180
|pull A record into cache
|have records expiration time deviate
|sleep 60
|output 1, should show A and AAAA in ADDITIONAL SECTION
|dig brokenv6.zugschlus.de MX
|
|; <<>> DiG 9.3.1 <<>> brokenv6.zugschlus.de MX
|;; global options:  printcmd
|;; Got answer:
|;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46049
|;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4
|
|;; ANSWER SECTION:
|brokenv6.zugschlus.de.  120     IN      MX      10 mailgate.brokenv6.zugschlus.de.
|
|;; ADDITIONAL SECTION:
|mailgate.brokenv6.zugschlus.de. 59 IN   A       217.151.83.1
|mailgate.brokenv6.zugschlus.de. 120 IN  AAAA    2001:14b0:202:f::1:19
|
|exim will deliver message to v4 and v6
|exim -bt nobody@???
|R: dnslookup for nobody@???
|nobody@???

|  router = dnslookup, transport = remote_smtp
|  host mailgate.brokenv6.zugschlus.de [2001:14b0:202:f::1:19] MX=10
|  host mailgate.brokenv6.zugschlus.de [217.151.83.1]          MX=10

|have A record expire
|sleep 65
|output 2, should show only AAAA record in ADDITIONAL SECTION
|dig brokenv6.zugschlus.de MX
|
|; <<>> DiG 9.3.1 <<>> brokenv6.zugschlus.de MX
|;; global options:  printcmd
|;; Got answer:
|;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64098
|;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 3
|
|;; ANSWER SECTION:
|brokenv6.zugschlus.de.  55      IN      MX      10 mailgate.brokenv6.zugschlus.de.
|
|;; ADDITIONAL SECTION:
|mailgate.brokenv6.zugschlus.de. 55 IN   AAAA    2001:14b0:202:f::1:19
|
|;; Query time: 1 msec
|;; SERVER: 81.169.148.34#53(81.169.148.34)
|;; WHEN: Sat Dec 17 15:20:17 2005
|;; MSG SIZE  rcvd: 238
|
|exim will now only try delivery to v6
|exim -bt nobody@???
|R: dnslookup for nobody@???
|nobody@???

| router = dnslookup, transport = remote_smtp
| host mailgate.brokenv6.zugschlus.de [2001:14b0:202:f::1:19] MX=10

|[20/516]mh@ivanova:~/enyo$     


If the v6 host is never reachable, as it is for a host that doesn't
have IPv6 connectivity, this leads to messages being flagged as
undeliverable.

Thanks to Florian for discussion on IRC which led to this explanation
of things happening.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
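As an added illustration (not part of the original post and not exim's code), the timeline of the script above modelled in Python: a toy caching resolver whose MX answer carries only the still-cached address records in its additional section, a client that takes those records as the complete host list, and a defensive variant that always resolves A and AAAA explicitly. Domain names, addresses, TTLs and the clock are constructed.

```python
# Added example (not from the post or exim); names, addresses, TTLs constructed.
AUTH = {  # authoritative data: (name, type) -> (rdata, ttl seconds)
    ("brokenv6.example", "MX"): ("mailgate.brokenv6.example", 120),
    ("mailgate.brokenv6.example", "A"): ("192.0.2.1", 120),
    ("mailgate.brokenv6.example", "AAAA"): ("2001:db8::19", 120),
}

class CachingResolver:
    """Toy recursive resolver: explicit queries refetch on expiry, but the
    additional section of an MX answer only carries what is still cached."""
    def __init__(self, auth):
        self.auth, self.cache = auth, {}

    def query(self, name, rtype, now):
        rec = self.cache.get((name, rtype))
        if rec is None or rec[1] <= now:  # miss or expired: refetch upstream
            rdata, ttl = self.auth[(name, rtype)]
            rec = self.cache[(name, rtype)] = (rdata, now + ttl)
        return rec[0]

    def query_mx(self, domain, now):
        target = self.query(domain, "MX", now)
        additional = {}
        for rtype in ("A", "AAAA"):
            rec = self.cache.get((target, rtype))
            if rec is not None and rec[1] > now:  # expired glue just vanishes
                additional[rtype] = rec[0]
        return target, additional

def hosts_trusting_additional(resolver, domain, now):
    """Behaviour the post describes: whatever the additional section holds is
    taken as the complete host list, so a lone AAAA hides the A record."""
    target, additional = resolver.query_mx(domain, now)
    if additional:
        return sorted(additional.values())
    return sorted(resolver.query(target, t, now) for t in ("A", "AAAA"))

def hosts_requerying(resolver, domain, now):
    """Defensive variant: resolve A and AAAA explicitly instead of trusting glue."""
    target, _ = resolver.query_mx(domain, now)
    return sorted(resolver.query(target, t, now) for t in ("A", "AAAA"))

def reproduce():
    """Replays the script's timeline with a constructed clock (seconds)."""
    r, host, domain = CachingResolver(AUTH), "mailgate.brokenv6.example", "brokenv6.example"
    r.query(host, "A", 0)        # pull A record into cache (expires at t=120)
    r.query(host, "AAAA", 60)    # AAAA cached a minute later (expires at t=180)
    both = hosts_trusting_additional(r, domain, 60)      # output 1: A and AAAA
    v6_only = hosts_trusting_additional(r, domain, 125)  # output 2: only AAAA
    fixed = hosts_requerying(r, domain, 125)             # A refetched, both back
    return {"t60": both, "t125_trusting": v6_only, "t125_requery": fixed}
```

Running `reproduce()` shows the v4 address disappearing from the trusting client's host list at t=125 while the re-querying client still sees both.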