24 Jun
2024
24 Jun
'24
10:33 p.m.
Hi folks
I'm running mail-in-a-box on a Bitfolk VPS.
https://mailinabox.email/
It's making the following complaint:
"This box's reverse DNS is currently aquitaine.richardskingdom.net
(IPv4) and 2001-ba8-1f1-f037-0-0-0-2.autov6rev.bitfolk.space (IPv6), but
it should be aquitaine.richardskingdom.net. Your ISP or cloud provider
will have instructions on setting up reverse DNS for this box."
This is with reverse DNS set to "automatic" in the Bitfolk panel.
The only other panel option seems to be to delegate the reverse IPv6
zones to my name server.
I'm using the mail-in-a-box built-in name server, however, and
delegating to that produces the following result:
"This box's reverse DNS is currently aquitaine.richardskingdom.net
(IPv4) and [Not Set] (IPv6), but it should be
aquitaine.richardskingdom.net ..."
I infer that mail-in-a-box name server is not setting reverse IPv6
records for itself.
There doesn't appear to be a way to tell mail-in-a-box to set the
reverse DNS correctly via its GUI - there is no option to add a custom
PTR record (other record types can be added).
I don't know what name server software is running under the hood, and
I'm loath to make config changes except via the GUI in case they get
overwritten when mail-in-a-box updates.
Can anyone advise me how to set my IPv6 reverse DNS to
aquitaine.richardskingdom.net?
I should note the mail server works (I am sending this message through
it) so this is only to make the error message go away (and possibly to
get IPv6 mail transportation working correctly).
If this sounds like an ignorant / nonsense request, congratulations, you
have detected successfully that I have no idea what I'm doing with IPv6...
Thanks in advance
Richard.
24 Jun
24 Jun
11:59 p.m.
Hi Richard,
On Mon, Jun 24, 2024 at 11:33:18PM +0100, Richard King via BitFolk Users wrote:
Can anyone advise me how to set my IPv6 reverse DNS
to
aquitaine.richardskingdom.net?
It seems to be a question of how mailinabox works, and I don't know
about that.
You've delegated 7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa to:
- ns1.aquitaine.richardskingdom.net
- a.authns.bitfolk.co.uk
- b.authns.bitfolk.com
- c.authns.bitfolk.com
but ns1.aquitaine.richardskingdom.net refuses my quesries:
```
$ dig -t soa 7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @85.119.82.112
; <<>> DiG 9.16.48-Debian <<>> -t soa
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @85.119.82.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60172
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. IN SOA
;; Query time: 0 msec
;; SERVER: 85.119.82.112#53(85.119.82.112)
;; WHEN: Mon Jun 24 23:46:51 UTC 2024
;; MSG SIZE rcvd: 75
```
If you don't intend for the whole Internet to query 85.119.82.112
then you should not delegate things to it or include it in the list
of NS records for the zone. It is fine for it to still be the
primary server, but it should not be publicly visible if you don't
intend to allow queries. That would be a "hidden primary".
If you do intend for the Internet to be able to query it then you
need to allow that by whatever means mailinabox offers. Perhaps it
is giving REFUSED because the zone name is wrong inside it? I don't
know. Does it just automatically generate its reverse zone name?
Querying the other servers that you have delegated to produces the
correct SOA, but that is to be expected as it's just the DNS
representation of what you've put in the Panel.
```
$ dig -t soa 7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @a.authns.bitfolk.co.uk
; <<>> DiG 9.16.48-Debian <<>> -t soa
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @a.authns.bitfolk.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63251
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a33414aeca0a05dc01000000667a067e46caa10d9906f637 (good)
;; QUESTION SECTION:
;7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. IN SOA
;; AUTHORITY SECTION:
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86400 IN NS a.authns.bitfolk.co.uk.
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86400 IN NS b.authns.bitfolk.com.
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86400 IN NS c.authns.bitfolk.com.
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86400 IN NS ns1.aquitaine.richardskingdom.net.
;; Query time: 4 msec
;; SERVER: 2001:ba8:1f1:f085::53#53(2001:ba8:1f1:f085::53)
;; WHEN: Mon Jun 24 23:51:26 UTC 2024
;; MSG SIZE rcvd: 230
```
Again when querying for the exact record you require, I get REFUSED
from your actual server. Making the query against the other servers
will never work because you have not asked us to provide secondary
service for the zone `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa`. Do
you want me to set that up now in the same manner as your other
domain?
If the only error here is that you are refusing all queries on your
nameserver then possibly us adding the zone as secondary will appear
to work because BitFolk's servers will start to answer the query.
However even then, 25% of the time queries will encounter some delay
as they pick your server that is refusing queries and have to retry
one of the others.
Hope that made some sense.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
26 Jun
26 Jun
9:43 p.m.
Hi Andy
Thanks for your detailed response.
On 25/06/2024 00:59, Andy Smith via BitFolk Users wrote:
ns1.aquitaine.richardskingdom.net refuses my quesries:
...
If you do intend for the Internet to be able to query
it then you
need to allow that by whatever means mailinabox offers. Perhaps it
is giving REFUSED because the zone name is wrong inside it? I don't
know. Does it just automatically generate its reverse zone name?
All the name server configuration has been done by mail-in-a-box. I have
only told it to add some extra A / AAAA records for a subdomain on a
different IP.
I have no idea why the software would set itself up as a name server,
provide instructions for configuring DNS to use it as a name server,
throw an error in its control panel if it is not configured as a name
server, and then refuse queries.
Probably I have done something wrong but I can't work out what.
Given that it configures a name server, and expects that server to be
used, I also have no idea why it doesn't configure reverse DNS for
itself in the way it requires - but it appears not to do so.
Some posts on the mail-in-a-box forums imply the solution is to edit the
running config manually to add the required PTR records - and just
remember to do that again every time you update the software.
Again when querying for the exact record you require,
I get REFUSED
from your actual server. Making the query against the other servers
will never work because you have not asked us to provide secondary
service for the zone `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa`. Do
you want me to set that up now in the same manner as your other
domain?
That sounds like a good idea. Yes, please :)
If the only error here is that you are refusing all
queries on your
nameserver then possibly us adding the zone as secondary will appear
to work because BitFolk's servers will start to answer the query.
However even then, 25% of the time queries will encounter some delay
as they pick your server that is refusing queries and have to retry
one of the others.
Understood. I think I will try the mail-in-a-box forums next to see why
the name server might be refusing requests.
Cheers
Richard.
27 Jun
27 Jun
11:09 p.m.
Hi,
On Wed, Jun 26, 2024 at 10:43:50PM +0100, Richard King via BitFolk Users wrote:
Given that it configures a name server, and expects
that server to be used,
I also have no idea why it doesn't configure reverse DNS for itself in the
way it requires - but it appears not to do so.
Are you able to get a list of the domains it thinks it is
authoritative for? `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa` should
be amongst them, but I do not think it currently is.
I added `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa` as a secondary
domain on our servers, but 85.119.82.112 returns `NOTAUTH` when they
try to do an axfr, so I do not think this zone exists on your
server.
It's coming down to trying to understand how to get mail-in-a-box to
host an IPv6 reverse zone and populate it properly. I don't have any
experience of this software I'm afraid.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
28 Jun
28 Jun
12:22 a.m.
Hi Andy
On 28/06/2024 00:09, Andy Smith via BitFolk Users wrote:
Hi,
On Wed, Jun 26, 2024 at 10:43:50PM +0100, Richard King via BitFolk Users wrote:
You're right. It didn't exist. I (think) I added it manually this
evening, at the risk of mail-in-a-box overriding the config when it next
updates.
I now seem to be getting successful replies when querying the box directly.
$ host 2001:ba8:1f1:f037::2 ns1.aquitaine.richardskingdom.net
Using domain server:
Name: ns1.aquitaine.richardskingdom.net
Address: 2001:ba8:1f1:f037::2#53
Aliases:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
domain name pointer aquitaine.richardskingdom.net.
It's not currently working for the secondaries however.
$ host 2001:ba8:1f1:f037::2 a.authns.bitfolk.co.uk
Using domain server:
Name: a.authns.bitfolk.co.uk
Address: 85.119.80.222#53
Aliases:
Host
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
not found: 2(SERVFAIL)
More hacking required!
Richard.
Given that it configures a name server, and
expects that server to be used,
I also have no idea why it doesn't configure reverse DNS for itself in the
way it requires - but it appears not to do so.
Are you able to get a list of the
domains it thinks it is
authoritative for? `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa` should
be amongst them, but I do not think it currently is.
I added `7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa` as a secondary
domain on our servers, but 85.119.82.112 returns `NOTAUTH` when they
try to do an axfr, so I do not think this zone exists on your
server.
3:35 p.m.
Hi,
On Fri, Jun 28, 2024 at 01:22:47AM +0100, Richard King via BitFolk Users wrote:
I now seem to be getting successful replies when
querying the box directly.
$ host 2001:ba8:1f1:f037::2 ns1.aquitaine.richardskingdom.net
Using domain server:
Name: ns1.aquitaine.richardskingdom.net
Address: 2001:ba8:1f1:f037::2#53
Aliases:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
domain name pointer aquitaine.richardskingdom.net.
It's not currently working for the secondaries however.
Does the DNS server of mail-in-a-box have logs you can read?
We are getting REFUSED when we try to do an AXFR. It is a DNS
response, so it's not firewalling - it is the (lack of)
configuration in the DNS server.
If you can find how to allow our secondary servers to do AXFR then I
think this should all work correctly.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
5:08 p.m.
I am confused by the whole thing. How does woever is querying the rDNS know to ask your
server?
All the IPs I have (which I'm astonished to discover add up to nine different ones)
have their rDNS set by the ISP for the connection or by the company I lease the server
from. It is in their IP address block, not mine, so putting an entry on my dns server
won't help.
Or am I missing something?
On 28 Jun 2024 at 16:35, Andy Smith via BitFolk Users <users(a)mailman.bitfolk.com>
wrote:
Hi,
On Fri, Jun 28, 2024 at 01:22:47AM +0100, Richard King via BitFolk Users wrote:
I now seem to be getting successful replies when
querying the box directly.
$ host 2001:ba8:1f1:f037::2 ns1.aquitaine.richardskingdom.net
Using domain server:
Name: ns1.aquitaine.richardskingdom.net
Address: 2001:ba8:1f1:f037::2#53
Aliases:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
domain name pointer aquitaine.richardskingdom.net.
It's not currently working for the secondaries however.
Does the DNS server of mail-in-a-box have logs you can read?
We are getting REFUSED when we try to do an AXFR. It is a DNS
response, so it's not firewalling - it is the (lack of)
configuration in the DNS server.
If you can find how to allow our secondary servers to do AXFR then I
think this should all work correctly.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
BitFolk Users mailing list <users(a)mailman.bitfolk.com>
You're subscribed as <iain(a)hairydog.co.uk>
Unsubscribe:
<https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.com/>
or send an email to <users-leave(a)mailman.bitfolk.com>
5:55 p.m.
Hi,
On Fri, Jun 28, 2024 at 06:08:14PM +0100, iain via BitFolk Users wrote:
I am confused by the whole thing. How does woever is
querying the rDNS know to ask your server?
There is a delegation at BitFolk's servers that lists the
nameservers provided by Richard at https://panel.bitfolk.com/dns/
All the IPs I have (which I'm astonished to
discover add up to
nine different ones) have their rDNS set by the ISP for the
connection or by the company I lease the server from. It is in
their IP address block, not mine, so putting an entry on my dns
server won't help.
For a single IPv4 it is one entry in BitFolk's reverse zone file so
it's easier to do it there. When you put the data for that in at
https://panel.bitfolk.com/dns/ that is basically what it does.
For an IPv6 /64 there can be many entries, in theory up to 2⁶⁴ - 1.
Reverse DNS zones are designed to be delegated on nibble boundaries, so we
delegate the reverse DNS for the entire /64 to customer's own choice
of servers.
The issue here is Richard's need to (work out how to) serve the zone
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa from somewhere. Just doing
that would not do anything unless BitFolk delegates to it, but that
part is working okay.
By default BitFolk answers reverse IPv6 queries for customer space
on its own servers in a deterministic fashion. This is the "auto"
method. See:
https://tools.bitfolk.com/wiki/IPv6#Reverse_DNS
for more info.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
29 Jun
29 Jun
9:13 p.m.
Hi Andy
On 28/06/2024 16:35, Andy Smith via BitFolk Users wrote:
We are getting REFUSED when we try to do an AXFR. It
is a DNS
response, so it's not firewalling - it is the (lack of)
configuration in the DNS server.
I learned that mail-in-a-box uses NSD for its name server.
After a bit of trial and error I believe I have now configured the zone
correctly under the hood.
The Bitfolk monitoring system reports a recovery and the mail-in-a-box
self-test reports reverse DNS is now set correctly for both versions of IP.
Yay!
My custom zone is configured in its own file under /etc/nsd/nsd.conf.d/,
and the main NSD config file imports everything in that folder, so I'm
hoping this won't get overridden on upgrades.
I am still seeing some errors in my syslog when NSD restarts though.
===== BEGIN LOG EXTRACT =====
notice: nsd starting (NSD 4.3.9)
notice: nsd started (NSD 4.3.9), pid 2602
error: xfrd: zone 7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: received
notify response error REFUSED from 2001:ba8:1f1:f085::53
error: xfrd: zone richardskingdom.net: received notify response error
REFUSED from 2001:ba8:1f1:f085::53
... (repeats)
error: xfrd: zone 7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: max notify
send count reached, 2001:ba8:1f1:f085::53 unreachable
error: xfrd: zone richardskingdom.net: max notify send count reached,
2001:ba8:1f1:f085::53 unreachable
===== END LOG EXTRACT =====
The same pattern repeats for each secondary name server IP address (both
IPv6 and IPv4)
Any ideas what might be causing these errors?
Cheers
Richard.
30 Jun
30 Jun
12:38 p.m.
Hi,
On Sat, Jun 29, 2024 at 10:13:45PM +0100, Richard King via BitFolk Users wrote:
After a bit of trial and error I believe I have now
configured the zone
correctly under the hood.
The Bitfolk monitoring system reports a recovery and the mail-in-a-box
self-test reports reverse DNS is now set correctly for both versions of IP.
Yes it all seems good now. 👍
I am still seeing some errors in my syslog when NSD
restarts though.
In short these can be ignored for now.
error: xfrd: zone
7.3.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: received notify
response error REFUSED from 2001:ba8:1f1:f085::53
Explanation:
When you make a change to your zone, your NSD sends put NOTIFY
messages to tell secondary servers that they should check for that
update. I expect that by default it sends NOTIFY messages to every
IP address of every server listed in the NS set of your zone.
Due to a limitation on our side at the moment you can only have one
primary NS server IP address set for a secondary DNS zone, so we use
the main IPv4 address of your VM¹. We only accept NOTIFY messages
from that IP.
Therefore when your VM sends out NOTIFY messages on IPv4, that works
and we do an AXFR. That has happened and that's why things work now.
But when it sends them out on IPv6 we reject them because they're
not from addresses that we expect.
It is not terrible to just accept NOTIFY messages; all they do is
cause us to check the configured primary server for updates (yours).
So maybe we could loosen things up a bit and do that.
Or you could configure your NSD to *only* send NOTIFY to us at
85.119.80.222.
Or just do nothing as it isn't a big problem.
Thanks,
Andy
¹ People who really want to be IPv6-only can at the moment have this
set to an IPv6 address instead, but then transfers and notifies
don't work over IPv4.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
25 Jun
25 Jun
7:12 a.m.
On Mon 24 Jun 2024 23:33:18 GMT, Richard King via BitFolk Users wrote:
There doesn't appear to be a way to tell
mail-in-a-box to set the
reverse DNS correctly via its GUI - there is no option to add a custom
PTR record (other record types can be added).
If the interface doesn’t let you set a PTR, then it’s probably a better
idea to stop using its DNS server and host it your self. knot works
pretty well for example, and has the automatic DNSSEC management
integrated.
--
Alarig
26 Jun
26 Jun
9:50 p.m.
On 25/06/2024 08:12, Alarig Le Lay via BitFolk Users wrote:
On Mon 24 Jun 2024 23:33:18 GMT, Richard King via
BitFolk Users wrote:
Mail-in-a-box takes over the whole box on which it runs, and includes
its own name server, so configuring a different name server on the same
box manually probably won't work very well.
For example I'd expect it to get overridden or conflicted with when
mail-in-a-box is updated.
I don't have anywhere else convenient to host DNS at the moment however
I guess I could use a third-party provider.
Can anyone recommend such a service from personal experience?
Cheers
Richard.
There doesn't appear to be a way to tell
mail-in-a-box to set the
reverse DNS correctly via its GUI - there is no option to add a custom
PTR record (other record types can be added).
If the interface doesn’t let you set a PTR, then it’s probably a better
idea to stop using its DNS server and host it your self. knot works
pretty well for example, and has the automatic DNSSEC management
integrated.
69
days inactive
76
days old
12 comments
4 participants
participants (4)
-
Alarig Le Lay -
Andy Smith -
iain -
Richard King