Subject: Problems w/local DNS & postfix
To: None <netbsd-help@NetBSD.org>
From: Paul Newhouse <newhouse@rockhead.com>
List: netbsd-help
Date: 11/26/2006 10:34:02
I'm running postfix 2.3.3 on NetBSD 3.0.1.
I have the following setup:
    172.16.89.45                 172.16.89.42
    Postfix                      named
    nameserver 172.16.89.42      nameserver 172.16.89.42
Postfix complains:
Nov 26 09:42:12 bigbox postfix/smtpd[29131]: NOQUEUE: reject:
RCPT from unknown[216.240.39.3]: 450 4.1.8 <sja@postmodern.com>:
Sender address rejected: Domain not found; from=<sja@postmodern.com>
to=<newhouse@rockhead.com> proto=ESMTP helo=<penguin.postmodern.com>
The domain name "postmodern.com" used to work. At some recent point in
time the DNS records for this address changed and it stopped resolving.
So I started running named (locally as above) and added an SOA record for
postmodern (included below). Nslookup resolves postmodern from the local
named:
#nslookup postmodern.com
Server: 172.16.89.42
Address: 172.16.89.45#53
Name: postmodern.com
Address: 216.240.39.2
There are no differences between /etc/resolv.conf and
/var/spool/postfix/etc/resolv.conf.
Contents of /etc/resolv.conf (both systems):
# Created by dhclient at: Thu Nov 23 18:15:03 UTC 2006
search rockhead.com hsd1.ca.comcast.net. comcast.net
nameserver 172.16.89.42
nameserver 209.128.95.1
nameserver 68.87.76.178
nameserver 68.87.78.130
I run tcpdump on every interface on the postfix machine (172.16.89.45)
tcpdump -i <interface> -s 2000 -vvv port 53 | \
grep -E '(postmodern|216\.240\.39\.2|2\.39\.240\.216)'
In 12 hours I have never seen a communication with any nameserver regarding postmodern.
If I do an "nslookup postmodern.com" I do see some communications with 172.16.89.42 regarding
postmodern.com.
I'm confused about why postfix doesn't resolve this correctly? The postfix lists claim that
the resolver libraries are the problem?
I have noticed that many legitimate addresses are not being resolved (or even attempted)
via postfix that resolve using nslookup.
I am completely baffled by this behavior. I've included the postconf -n output, named.conf
and the postmodern named file. If I had a clue I would have included other possibly
relevant information.
Where did I go wrong?
TIA,
Paul
================= postconf -n output follows =================
alias_maps = hash:/etc/mail/aliases
canonical_maps = hash:/usr/pkg/etc/postfix/canonical
command_directory = /usr/pkg/sbin
config_directory = /usr/pkg/etc/postfix
daemon_directory = /usr/pkg/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/usr/pkg/etc/postfix/header_checks
html_directory = no
inet_interfaces = $myhostname, 209.128.91.46, 209.128.91.45, 209.128.91.44, 209.128.91.43, 209.128.91.42, localhost.$mydomain, 172.16.89.45
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/pkg/bin/mailq
manpage_directory = /usr/pkg/man
maps_rbl_domains = spam.dnsbl.sorbs.net, sbl-xbl.spamhaus.org, dul.dnsbl.sorbs.net, spam.tqmcube.com, relays.ordb.org, list.dsbl.org
masquerade_domains = wan.vpn rockhead.com, pimin.rockhead.com rockhead.com, pimin.wan.vpn rockhead.com, bigbox.rockhead.com rockhead.com, bigbox.wan.vpn rockhead.com, little.box.rockhead.com rockhead.com, little.box.wan.vpn rockhead.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = rockhead.com
myhostname = bigbox
mynetworks = 209.128.91.40/29, 127.0.0.0/8, 172.16.89.0/24
mynetworks_style = subnet
myorigin = rockhead.com
newaliases_path = /usr/pkg/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/pkg/share/doc/postfix
sample_directory = /usr/pkg/share/examples/postfix
sendmail_path = /usr/pkg/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = reject_maps_rbl
smtpd_recipient_restrictions = reject_unverified_recipient, reject_non_fqdn_sender, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_sender_domain, reject_unauth_pipelining, permit_sasl_authenticated
smtpd_sender_restrictions = reject_maps_rbl
unknown_local_recipient_reject_code = 550
=============== /etc/named.conf ======================
# $NetBSD: named.conf,v 1.2.2.1 2005/09/04 19:57:50 tron Exp $
# boot file for secondary name server
# Note that there should be one primary entry for each SOA record.
options {
directory "/etc/namedb";
allow-query { 172.16.0.0/16 ; 172.17.0.0/16 ; 172.31.0.0/16 ; };
listen-on port 53 { 172.16.89.42 ; };
};
#
zone "postmodern.com" {
type master;
notify no;
file "postmodern.com";
};
#
zone "39.240.216.IN-ADDR.ARPA" {
type master;
notify no;
file "2.39.240.216";
};
#
zone "wan.vpn" {
type master;
notify no;
file "wan.vpn";
};
#
zone "16.172.IN-ADDR.ARPA" {
type master;
notify no;
file "16.172";
};
#
zone "17.172.IN-ADDR.ARPA" {
type master;
notify no;
file "17.172";
};
#
zone "31.172.IN-ADDR.ARPA" {
type master;
notify no;
file "31.172";
};
#
zone "localhost" {
type master;
file "localhost";
};
#
zone "127.IN-ADDR.ARPA" {
type master;
file "127";
};
#
zone "." {
type hint;
file "root.cache";
};
#
#zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
# type master;
# file "loopback.v6";
#};
#
#zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
# type master;
# file "loopback.v6";
#};
# example secondary server config:
#
# zone "Berkeley.EDU" {
# type slave;
# file "berkeley.edu.cache";
# masters {
# 128.32.130.11;
# 128.32.133.1;
# };
# };
# zone "32.128.IN-ADDR.ARPA" {
# type slave;
# file "128.32.cache";
# masters {
# 128.32.130.11;
# 128.32.133.1;
# };
# };
#
# example secondary server config:
#
# zone "rockhead.com" {
# type slave;
# file "rockhead.com.cache";
# masters {
# 209.128.95.1;
# 209.128.95.2;
# };
# };
# zone "32.128.IN-ADDR.ARPA" {
# type slave;
# file "209.128.91.40.cache";
# masters {
# 209.128.95.1;
# 209.128.95.2;
# };
# };
# example primary server config:
#
# zone "Berkeley.EDU" {
# type master;
# file "berkeley.edu";
# };
# zone "32.128.IN-ADDR.ARPA" {
# type master;
# file "128.32";
# };
===================== /etc/namedb/postmodern.com ===============
$TTL 3600
@ IN SOA pimin.wan.vpn. root.rockhead.com. (
28 ; serial 11/23/2006
8H ; refresh
2H ; retry
1W ; expire
1D ) ; minimum seconds
        IN NS 172.16.89.42.
        IN MX 10 penguin.postmodern.com. ; primary mail server
        IN MX 20 mxrelay.idiom.com. ; secondary mail server
        IN A 216.240.39.2
www IN CNAME postmodern.com.
penguin IN CNAME postmodern.com.
server.postmodern.com. IN A 216.240.39.3
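Before blaming the resolver libraries, a reviewer would check whether the zone itself is well formed, because Postfix's reject_unknown_sender_domain rejects a sender when the MAIL FROM domain has no DNS MX and no DNS A record, or a malformed MX record. The following Python 3 script is an added example, not code from the original post, from Postfix or from BIND: it parses a BIND master file with the standard library only and flags NS records whose rdata is an IP literal instead of a host name (RFC 1035 requires a host name), NS or MX targets that are CNAMEs (RFC 2181 section 10.3), in-zone NS/MX targets without an address record, and CNAMEs that share an owner with other records. It runs against the postmodern.com zone as posted above (re-indented so that the owner-less lines are continuation lines, as the master-file format requires) and against a corrected variant; the ns1 host name, its address and the A record for penguin in that variant are this example's assumptions, not something the thread confirms.

```python
"""Lint a BIND master (zone) file for the record mistakes a resolver
tolerates but an MTA or a strict name server will not.
Added example, not part of the original post; standard library only."""
import ipaddress
import re

_TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)   # 3600, 8H, 1D, ...


def _qualify(name, origin):
    """Turn a relative owner or target name into an absolute name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) from master-file text.
    Handles $TTL/$ORIGIN, ';' comments, '@', owner-less continuation
    lines and parenthesised multi-line records (the SOA)."""
    origin = origin.rstrip(".") + "."
    records, owner, buf, depth, leading_ws = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if depth == 0:
            if not line.strip():
                continue
            leading_ws = raw[:1] in (" ", "\t")     # no owner => reuse last
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                                # statement not finished
        toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not toks:
            continue
        if toks[0] == "$TTL":
            continue                                # irrelevant to the checks
        if toks[0] == "$ORIGIN":
            origin = _qualify(toks[1], origin)
            continue
        if not leading_ws:
            owner = _qualify(toks.pop(0), origin)
        while toks and (_TTL_RE.match(toks[0]) or toks[0].upper() == "IN"):
            toks.pop(0)                             # optional TTL and class
        if not toks:
            continue
        records.append((owner, toks.pop(0).upper(), toks))
    return records


def lint_zone(text, origin):
    """Return a list of human-readable findings; an empty list is a clean zone."""
    origin = origin.rstrip(".") + "."
    recs = parse_zone(text, origin)
    types_at = {}
    for own, rtype, _ in recs:
        types_at.setdefault(own, set()).add(rtype)

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    def has_address(name):
        return bool(types_at.get(name, set()) & {"A", "AAAA"})

    findings = []
    for required in ("SOA", "NS"):
        if required not in types_at.get(origin, set()):
            findings.append(f"no {required} record at apex {origin}")
    for own, rtype, rdata in recs:
        if rtype == "NS":
            target = _qualify(rdata[0], origin)
            try:
                ipaddress.ip_address(target.rstrip("."))
                findings.append(f"{own} NS {rdata[0]}: NS rdata must be a "
                                f"host name, not an IP address")
                continue
            except ValueError:
                pass                                # good: it is a name
            if "CNAME" in types_at.get(target, set()):
                findings.append(f"{own} NS {target}: NS target is a CNAME")
            elif in_zone(target) and not has_address(target):
                findings.append(f"{own} NS {target}: in-zone name server "
                                f"has no A/AAAA record")
        elif rtype == "MX":
            target = _qualify(rdata[1], origin)     # rdata = [pref, host]
            if "CNAME" in types_at.get(target, set()):
                findings.append(f"{own} MX {target}: MX target is a CNAME")
            elif in_zone(target) and not has_address(target):
                findings.append(f"{own} MX {target}: in-zone mail "
                                f"exchanger has no A/AAAA record")
        elif rtype == "CNAME" and types_at[own] != {"CNAME"}:
            findings.append(f"{own}: CNAME coexists with other record types")
    return findings


# The zone file from the post, re-indented into valid master-file form.
POSTED_ZONE = """\
$TTL 3600
@ IN SOA pimin.wan.vpn. root.rockhead.com. (
        28 ; serial 11/23/2006
        8H ; refresh
        2H ; retry
        1W ; expire
        1D ) ; minimum seconds
    IN NS 172.16.89.42.
    IN MX 10 penguin.postmodern.com. ; primary mail server
    IN MX 20 mxrelay.idiom.com. ; secondary mail server
    IN A 216.240.39.2
www IN CNAME postmodern.com.
penguin IN CNAME postmodern.com.
server.postmodern.com. IN A 216.240.39.3
"""

# Assumed corrected zone (ns1 and the A record for penguin are this
# example's assumptions, not data from the thread).
FIXED_ZONE = """\
$TTL 3600
@ IN SOA ns1.postmodern.com. root.rockhead.com. (
        29 ; serial
        8H 2H 1W 1D )
    IN NS ns1.postmodern.com.
    IN MX 10 penguin.postmodern.com.
    IN MX 20 mxrelay.idiom.com.
    IN A 216.240.39.2
ns1 IN A 172.16.89.42
penguin IN A 216.240.39.2
www IN CNAME postmodern.com.
server IN A 216.240.39.3
"""

if __name__ == "__main__":
    for label, zone in (("posted", POSTED_ZONE), ("fixed", FIXED_ZONE)):
        print(f"{label}:", lint_zone(zone, "postmodern.com") or "clean")
```

Run it as is and the posted zone produces two findings (the NS rdata that is an IP address and the MX that points at the penguin CNAME) while the corrected variant is clean. The same parse_zone() can be pointed at any of the other files named in named.conf above once they are read from /etc/namedb; named-checkzone, shipped with BIND, performs stricter checks than this and is the tool to run on the live server.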