Subject: Misbehaving DNS servers causing very long query time
Look at the mail domain "gfyuj.com":
1) There is a TXT record with an include: statement referring to itself:
$ dig +short -t txt gfyuj.com
"v=spf1 include:gfyuj.com -all"
2) The DNS server of gfyuj.com times out when queried for an SPF record:
$ # time dig +short -t spf gfyuj.com
;; connection timed out; no servers could be reached
real 0m15.033s
user 0m0.010s
sys 0m0.000s
The consequence is that an SPF query takes more than 5 minutes!
# time ./spfquery --mfrom iiii@gfyuj.com --ip 64.52.10.186
permerror
gfyuj.com ... gfyuj.com: Maximum DNS-interactive terms limit (10) exceeded
gfyuj.com ... gfyuj.com: Maximum DNS-interactive terms limit (10) exceeded
Received-SPF: permerror (gfyuj.com ... gfyuj.com: Maximum
DNS-interactive terms
limit (10) exceeded) receiver=ninive; identity=mailfrom;
envelope-from="iiii@gfyuj.com"; client-ip=64.52.10.186
real 5m30.625s
user 0m0.130s
sys 0m0.020s
Even using a caching only DNS server won't help, because the timeout
values are not cached (at least not with Bind).
Maybe a total timeout for the complete querying / checking of a mail
domain could be introduced?
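Below is an added example (not the code of spfquery, Mail::SPF or postfix-policyd-spf-perl) that models what happens above and what the proposed total timeout would change. It evaluates SPF records against a constructed, offline fake zone instead of real DNS: the self-including gfyuj.com record from the report is reproduced, and each lookup is charged 30 simulated seconds (an assumption standing in for the two 15-second timeouts per include step that the timings above suggest); example.test and its address are constructed as well. The checker counts DNS-interactive terms against the RFC 7208 limit of 10 and enforces an overall deadline, so a broken domain yields a prompt temperror instead of minutes of waiting.

```python
"""Bounded SPF evaluation against a constructed, offline fake zone.

Added example, not the code of spfquery / Mail::SPF / postfix-policyd-spf-perl.
It reproduces the self-including record from the report, counts DNS-interactive
terms against the RFC 7208 limit of 10, and enforces a total deadline so a
domain whose DNS server times out cannot stall the check for minutes.
"""

import math
from dataclasses import dataclass, field

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-interactive terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfError(Exception):
    """Message starts with the SPF result to report: permerror or temperror."""


@dataclass
class SpfChecker:
    zone: dict               # constructed: domain -> (record or None, simulated seconds per lookup)
    deadline: float          # total budget in simulated seconds; math.inf means unbounded
    lookups: int = 0
    elapsed: float = 0.0     # simulated clock, so the example never really sleeps
    trace: list = field(default_factory=list)

    def _lookup(self, domain):
        """Fetch the SPF record for domain, charging the term limit and the deadline."""
        if self.lookups >= MAX_DNS_TERMS:
            raise SpfError("permerror: Maximum DNS-interactive terms limit (10) exceeded")
        self.lookups += 1
        record, cost = self.zone.get(domain, (None, 0.0))
        remaining = self.deadline - self.elapsed
        if cost > remaining:
            # A real resolver would be given `remaining` as its timeout and cut off here.
            self.elapsed = self.deadline
            raise SpfError("temperror: total SPF check deadline exceeded")
        self.elapsed += cost
        if record is None:
            raise SpfError("temperror: no answer from DNS")
        return record

    def check(self, domain, ip):
        """Evaluate domain's record for ip; returns pass/fail/softfail/neutral."""
        for term in self._lookup(domain).split()[1:]:      # skip the "v=spf1" tag
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            matched = False
            if term == "all":
                matched = True
            elif term.startswith("ip4:"):
                matched = ip == term[len("ip4:"):]
            elif term.startswith("include:"):
                target = term[len("include:"):]
                self.trace.append(f"{domain} -> {target}")
                # include matches only when the included domain evaluates to pass
                matched = self.check(target, ip) == "pass"
            if matched:
                return QUALIFIERS[qualifier]
        return "neutral"  # no mechanism matched: RFC 7208 default result


def evaluate(zone, domain, ip, deadline=math.inf):
    """Run one check; returns (result, DNS lookups used, simulated seconds spent)."""
    checker = SpfChecker(zone, deadline)
    try:
        result = checker.check(domain, ip)
    except SpfError as err:
        result = str(err).split(":")[0]
    return result, checker.lookups, checker.elapsed


# Constructed zone mirroring the report: the record includes itself and every
# lookup costs 30 simulated seconds (assumed: two 15 s timeouts per include step).
SELF_INCLUDE_ZONE = {"gfyuj.com": ("v=spf1 include:gfyuj.com -all", 30.0)}

# Constructed healthy zone for comparison (example.test and 192.0.2.10 are made up).
HEALTHY_ZONE = {
    "example.test": ("v=spf1 include:mail.example.test -all", 0.1),
    "mail.example.test": ("v=spf1 ip4:192.0.2.10 -all", 0.1),
}

if __name__ == "__main__":
    # Unbounded: walks all 10 lookups (300 s) before the permerror seen in the report.
    print(evaluate(SELF_INCLUDE_ZONE, "gfyuj.com", "64.52.10.186"))
    # With a 60 s total budget the check is cut off as a temperror after 60 s.
    print(evaluate(SELF_INCLUDE_ZONE, "gfyuj.com", "64.52.10.186", deadline=60.0))
    print(evaluate(HEALTHY_ZONE, "example.test", "192.0.2.10", deadline=60.0))
```

The two runs against the self-including record show the trade-off: the term limit alone still lets the check spend ten full lookups on a server that answers only after timing out, while the overall deadline turns that into a bounded temperror (a retryable result) without affecting well-behaved domains.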
Note that this is related to this other bug report, but made worse
by the use of the include statement:
https://bugs.launchpad.net/postfix-policyd-spf-perl/+bug/161133