Bug 7739 - ns-kam.surriel.com returning NXDOMAIN for valid names
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.0
Hardware: PC Linux
Importance: P2 major
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2019-07-19 16:02 UTC by Brian J. Murrell
Modified: 2019-07-19 17:10 UTC

Description Brian J. Murrell 2019-07-19 16:02:28 UTC
From a spamd -d debug:

Fri Jul 19 10:27:35 2019 [3297] dbg: dns: dns reply to 16535/IN/A/224.32.166.188.psbl.surriel.com: NXDOMAIN

The DNS query and answer for it:

Frame 174325: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 3
Ethernet II, Src: AsustekC_c4:92:6a (00:1f:c6:c4:92:6a), Dst: Netgear_f5:1e:4a (6c:b0:ce:f5:1e:4a)
Internet Protocol Version 4, Src: server.example.com (10.75.22.247), Dst: ns-kam.surriel.com (38.124.232.21)
User Datagram Protocol, Src Port: 63212 (63212), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x14ff
    Flags: 0x0010 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data: Acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        224.32.166.188.psbl.surriel.com: type A, class IN
            Name: 224.32.166.188.psbl.surriel.com
            [Name Length: 31]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Response In: 174337]
Frame 174337: 140 bytes on wire (1120 bits), 140 bytes captured (1120 bits) on interface 3
Ethernet II, Src: Netgear_f5:1e:4a (6c:b0:ce:f5:1e:4a), Dst: AsustekC_c4:92:6a (00:1f:c6:c4:92:6a)
Internet Protocol Version 4, Src: ns-kam.surriel.com (38.124.232.21), Dst: server.example.com (10.75.22.247)
User Datagram Protocol, Src Port: domain (53), Dst Port: 63212 (63212)
Domain Name System (response)
    Transaction ID: 0x14ff
    Flags: 0x8403 Standard query response, No such name
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0011 = Reply code: No such name (3)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        224.32.166.188.psbl.surriel.com: type A, class IN
            Name: 224.32.166.188.psbl.surriel.com
            [Name Length: 31]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Authoritative nameservers
        psbl.surriel.com: type SOA, class IN, mname rbldnsd.surriel.com
            Name: psbl.surriel.com
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
            Time to live: 600
            Data length: 37
            Primary name server: rbldnsd.surriel.com
            Responsible authority's mailbox: root.rbldnsd.surriel.com
            Serial Number: 1563546242
            Refresh Interval: 600 (10 minutes)
            Retry Interval: 600 (10 minutes)
            Expire limit: 86400 (1 day)
            Minimum TTL: 600 (10 minutes)
    [Request In: 174325]
    [Time: 0.038576000 seconds]

A few minutes later from a spamassassin CLI examination for the same spam:

Frame 229796: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 3
Ethernet II, Src: AsustekC_c4:92:6a (00:1f:c6:c4:92:6a), Dst: Netgear_f5:1e:4a (6c:b0:ce:f5:1e:4a)
Internet Protocol Version 4, Src: server.example.com (10.75.22.247), Dst: psbl.org (96.67.55.151)
User Datagram Protocol, Src Port: 29685 (29685), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x9238
    Flags: 0x0010 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data: Acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        224.32.166.188.psbl.surriel.com: type A, class IN
            Name: 224.32.166.188.psbl.surriel.com
            [Name Length: 31]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Response In: 229869]
Frame 229869: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) on interface 3
Ethernet II, Src: Netgear_f5:1e:4a (6c:b0:ce:f5:1e:4a), Dst: AsustekC_c4:92:6a (00:1f:c6:c4:92:6a)
Internet Protocol Version 4, Src: psbl.org (96.67.55.151), Dst: server.example.com (10.75.22.247)
User Datagram Protocol, Src Port: domain (53), Dst Port: 29685 (29685)
Domain Name System (response)
    Transaction ID: 0x9238
    Flags: 0x8400 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 2
    Additional RRs: 0
    Queries
        224.32.166.188.psbl.surriel.com: type A, class IN
            Name: 224.32.166.188.psbl.surriel.com
            [Name Length: 31]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        224.32.166.188.psbl.surriel.com: type A, class IN, addr 127.0.0.2
            Name: 224.32.166.188.psbl.surriel.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 2100
            Data length: 4
            Address: 224.32.166.188.psbl.surriel.com (127.0.0.2)
    Authoritative nameservers
        psbl.surriel.com: type NS, class IN, ns ns-kam.surriel.com
            Name: psbl.surriel.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 86400
            Data length: 9
            Name Server: ns-kam.surriel.com
        psbl.surriel.com: type NS, class IN, ns rbldnsd.surriel.com
            Name: psbl.surriel.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 86400
            Data length: 10
            Name Server: rbldnsd.surriel.com
    [Request In: 229796]
    [Time: 0.066822000 seconds]

Why the difference/discrepancy?

Comment 1 Bill Cole 2019-07-19 16:16:43 UTC
This is not a SpamAssassin bug. 

Contact the operators of the PSBL service and its nameservers if they are answering inconsistently.

Comment 2 Bill Cole 2019-07-19 16:36:56 UTC
Slightly longer answer: 

PSBL appears to update its SOA serial number every 5 minutes, while the zone is deemed valid for 10min and each record for 35min. In the 1st query you showed, the timestamp was 3min after the time implied by the SOA serial, when talking to a secondary server. It is certain that the zone was updated less than "a few minutes later" when you asked the master server.

Comment 3 Kevin A. McGrail 2019-07-19 16:39:07 UTC
For the record, ns-kam.surriel.com is my mirror. We serve the zone as delivered to us.

Comment 4 Brian J. Murrell 2019-07-19 16:46:21 UTC
Given:

/var/lib/spamassassin/3.004000/updates_spamassassin_org/72_active.cf:header   RCVD_IN_PSBL  eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')

and:

# host psbl.surriel.com.
psbl.surriel.com has address 96.67.55.151

Is some kind of load-balancing going on with psbl.surriel.com.?

Comment 5 Kevin A. McGrail 2019-07-19 16:47:50 UTC
Looks like simplistic DNS based record:

dig -t ns psbl.surriel.com

;; QUESTION SECTION:
;psbl.surriel.com.              IN      NS

;; ANSWER SECTION:
psbl.surriel.com.       2867    IN      NS      ns-kam.surriel.com.
psbl.surriel.com.       2867    IN      NS      rbldnsd.surriel.com.

Comment 6 Bill Cole 2019-07-19 17:10:11 UTC
(In reply to Brian J. Murrell from comment #4)
> Given:
> 
> /var/lib/spamassassin/3.004000/updates_spamassassin_org/72_active.cf:header 
> RCVD_IN_PSBL  eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
> 
> and:
> 
> # host psbl.surriel.com.
> psbl.surriel.com has address 96.67.55.151
> 
> Is some kind of load-balancing going on with psbl.surriel.com.?

The A record (the default type queried by 'host') of a zone's name is entirely irrelevant to how other names are resolved under that zone. 

As Kevin has noted, the name servers for a zone (e.g. psbl.surriel.com) are published as NS records. Due to the way zone data is updated and distributed, it is always possible for there to be brief inconsistencies between different name servers and this is particularly common with DNSBLs, which have relatively short time-to-live values on individual records and on whole zones.
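
Added example, not part of the bug thread and not SpamAssassin or PSBL code: the check discussed in the comments above, asking one authoritative server directly (RD=0) and reading the reply code, AA bit and SOA serial from its answer. The function names are hypothetical, `sample_response()` is constructed from the values Wireshark shows for frame 174337, and reading the spamd log time 10:27:35 as UTC-4 is an assumption.

```python
import socket, struct
from datetime import datetime, timezone

def build_query(name, txid=0x14ff):
    """A/IN query with RD=0 for a direct-to-authority check (no EDNS OPT record)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    return struct.pack(">6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack(">2H", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]                    # ordinary label: length byte + data
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root is 1

def parse_response(msg):
    """Extract rcode, AA bit and (if present) the SOA serial from a DNS reply."""
    _txid, flags, qd, an, ns, _ar = struct.unpack_from(">6H", msg, 0)
    off, serial = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns):                   # answer and authority sections
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 6:                         # SOA rdata: MNAME, RNAME, then SERIAL
            serial = struct.unpack_from(">I", msg, skip_name(msg, skip_name(msg, off)))[0]
        off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "serial": serial}

def serial_age(serial, observed):
    """Seconds between a timestamp-style SOA serial and the moment of the query."""
    return int((observed - datetime.fromtimestamp(serial, timezone.utc)).total_seconds())

def ask(server_ip, name, timeout=3.0):
    """Live use: send the query straight to one authoritative server over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return parse_response(s.recv(4096))

def sample_response():
    """Constructed bytes carrying the values Wireshark shows for frame 174337."""
    question = build_query("224.32.166.188.psbl.surriel.com")[12:]
    soa = (b"\x07rbldnsd\xc0\x20" + b"\x04root\xc0\x3d"   # names compressed via pointers
           + struct.pack(">5I", 1563546242, 600, 600, 86400, 600))
    return (struct.pack(">6H", 0x14ff, 0x8403, 1, 0, 1, 0) + question
            + b"\xc0\x1b" + struct.pack(">HHIH", 6, 1, 600, len(soa)) + soa)
```

Parsing `sample_response()` yields rcode 3 with AA set and serial 1563546242, which read as a Unix timestamp is 2019-07-19 14:24:02 UTC; under the UTC-4 assumption `serial_age` puts the query 213 seconds after it. Calling `ask()` against each server in the zone's NS set and comparing the serials shows which copy of the zone each one is serving.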