On Wed, Oct 22, 2025 at 12:41:46PM +0200, Fourhundred Thecat via Postfix-users wrote:

> I have 2 nameservers in /etc/resolv.conf
> 
> when the first one is unreachable policyd-spf does not fail over to the
> secondary, but instead times out after 45s:

The problem with SPF is that processing of many SPF records requires
many DNS queries to fetch nested "include" records and multiple indirect
references.  If the non-availability of the failed nameserver is not
cached effectively, timeouts rapidly accumulate.

Perhaps policyd-spf is using a DNS query API that does not retain
resolver availability state across multiple queries.

> in contrast, when I was troubleshooting with dig, everything worked fine
> because dig does failover to the second ns.

A single "dig" run is not representative of the work of processing many
SPF records.

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
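
The accumulation described in the reply above can be modelled with a short sketch. This is an added example, not code from the thread or from policyd-spf: the SPF records, the 5-second per-query timeout, and the two resolver behaviours compared are assumptions chosen for illustration.

```python
import re

# Constructed SPF records (example.* names are placeholders, not real data).
ZONE = {
    "example.org": "v=spf1 include:_spf.example.net include:mail.example.com a mx -all",
    "_spf.example.net": "v=spf1 include:_a.example.net include:_b.example.net ~all",
    "_a.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mail.example.com": "v=spf1 mx ip4:203.0.113.0/24 -all",
}

def count_queries(domain, zone=ZONE):
    """Count DNS queries needed to evaluate one SPF record tree:
    one TXT fetch per record, plus one per 'a'/'mx' mechanism
    (address lookups for MX hosts are ignored to keep the model small)."""
    queries = 1  # TXT lookup for this domain
    for term in zone[domain].split()[1:]:      # skip the "v=spf1" tag
        mech = term.lstrip("+-~?")             # drop the qualifier
        m = re.match(r"(include|redirect)[:=](\S+)", mech)
        if m:
            queries += count_queries(m.group(2), zone)
        elif re.match(r"(a|mx)([:/]|$)", mech):
            queries += 1
    return queries

def total_wait(n_queries, timeout, remember_dead):
    """Seconds lost waiting on an unreachable first nameserver.
    remember_dead=False: every query tries the dead server first, waits
    `timeout`, then fails over. remember_dead=True: only the first query
    pays the timeout; later ones go straight to the second server."""
    if n_queries == 0:
        return 0.0
    return float(timeout) if remember_dead else float(timeout) * n_queries

if __name__ == "__main__":
    n = count_queries("example.org")
    TIMEOUT = 5  # assumed per-query timeout in seconds
    print(f"{n} queries for one SPF check")
    print(f"no availability state : {total_wait(n, TIMEOUT, False):.0f}s")
    print(f"dead server remembered: {total_wait(n, TIMEOUT, True):.0f}s")
```

A single `dig` corresponds to the one-query case, where both behaviours cost the same.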