[rbldnsd] RBLDNS almost ready but something is missing

Andrea Riguardi riga at spamteq.com
Thu Apr 17 20:25:39 MSK 2014


On 17/04/14 17:54, Alejandro Lengua Vega wrote:
> Hello,
> We have successfully installed RBLDNSD and have started to make some testing
> adding some IPs to the blacklist, however it seems that after
> configuring Exim and
> other email servers they are not reading the information from my RBL why?

For help with exim config you should ask on exim lists.


However....

> In the following lines you can see some of the tests I made:
> 
> 
> root@s3 [~]# host 12.224.215.95.rbl.enlanube.pe rbl.enlanube.pe

...here, you are explicitly contacting the system named "rbl.enlanube.pe"

dig a +short rbl.enlanube.pe
162.243.209.40

and asking it for 12.224.215.95.rbl.enlanube.pe.


So, if rbldnsd is running on 162.243.209.40, it will work; and it does.


But in order to be able to query it without *explicitly* knowing where
rbldnsd is running, proper DNS delegations need to be in place; so, the
authoritative DNS for "enlanube.pe" needs to contain a proper DNS
delegation for "rbl.enlanube.pe", in the form of NS records.

If I ask them I get this:

$ dig +norec +noqu ns rbl.enlanube.pe. @dns1.stabletransit.com.
[...]
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


;; ANSWER SECTION:
rbl.enlanube.pe.	300	IN	NS	162.243.209.40.



This is simply wrong.

An NS record can only point to an A or an AAAA record, not to an IP.


On the other side, you have an A record named just like the zone rbldnsd
is expected to serve:


$ dig +norec +noqu a rbl.enlanube.pe. @dns1.stabletransit.com.
[...]
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;; AUTHORITY SECTION:
rbl.enlanube.pe.	300	IN	NS	162.243.209.40.


Avoid this: resolvers usually expect A records named under a delegated
sub-zone to be contained by the child zone, not by the parent; unless
you know exactly what you're doing, this config will cause you trouble.


Instead, edit your zone for enlanube.pe, remove both the A and the
current NS record for rbl.enlanube.pe and create these instead:


dnsbl.enlanube.pe.	IN	A	162.243.209.40
rbl.enlanube.pe.	IN	NS	dnsbl.enlanube.pe.


(Of course, you can change "dnsbl.enlanube.pe" with any other name, just
avoid names inside "rbl.enlanube.pe".)


You'll also need to create the same NS record within the zone served by
rbldnsd.


FWIW, none of the above is rbldnsd-specific: if you were delegating a
subzone to any other DNS server you'd need to do exactly the same steps.
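
Added example (not part of the original message, and not rbldnsd code): a small Python check that applies the three points made above to a set of parent-zone records. The record tuples are constructed from the dig output and the suggested records in the message; the function name lint_delegation and its finding strings are hypothetical.

```python
import ipaddress

# Constructed sample records (owner, type, rdata). BEFORE mirrors the dig output
# in the message; AFTER mirrors the records the message suggests.
BEFORE = [("rbl.enlanube.pe.", "NS", "162.243.209.40."),
          ("rbl.enlanube.pe.", "A", "162.243.209.40")]
AFTER = [("dnsbl.enlanube.pe.", "A", "162.243.209.40"),
         ("rbl.enlanube.pe.", "NS", "dnsbl.enlanube.pe.")]

def _norm(name):
    return name.lower().rstrip(".")

def _is_ip_literal(rdata):
    try:
        ipaddress.ip_address(rdata.rstrip("."))
        return True
    except ValueError:
        return False

def _within(name, zone):
    return name == zone or name.endswith("." + zone)

def lint_delegation(records, child_zone, parent_zone):
    """Return findings for the parent-zone records that delegate child_zone."""
    child, parent = _norm(child_zone), _norm(parent_zone)
    findings = []
    addr_owners = {_norm(o) for o, t, _ in records if t in ("A", "AAAA")}
    ns_targets = [r for o, t, r in records if t == "NS" and _norm(o) == child]
    if not ns_targets:
        findings.append("no NS record for " + child)
    for target in ns_targets:
        if _is_ip_literal(target):  # NS rdata must be a host name
            findings.append("NS target is an IP address: " + target)
            continue
        host = _norm(target)
        if _within(host, child):  # the message advises a name outside the child
            findings.append("NS target is inside the delegated zone: " + host)
        elif _within(host, parent) and host not in addr_owners:
            findings.append("no A/AAAA record in the parent zone for " + host)
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA") and _within(_norm(owner), child):
            findings.append(rtype + " record kept in the parent for " + _norm(owner))
    return findings

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_delegation(recs, "rbl.enlanube.pe.", "enlanube.pe."))
```
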

