BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Danny Thomas d.thomas at its.uq.edu.au
Sun Jan 25 07:14:07 UTC 2009


Al Stu wrote:
 >BIND 9.6 ‘named’ throws the following message during startup claiming
 >that it is illegal to use a CNAME/alias in the MX record.
 >I beg to differ. There is no such standard nor requirement prohibiting
 >the use of CNAME/alias in an MX record.
 >
 >Some people seem to think RFC 974 creates a standard which prohibits
 >the use of CNAME/alias in MX records. But very much to the contrary
 >RFC 974 demonstrates that CNAME/alias is permitted in MX records.
 >
 >ISC’s message that a CNAME/alias in an MX record is illegal is incorrect
 >and just an attempt by ISC to get people to go along with what is only a
 >perceived rather than actual standard/requirement, and should be removed
 >so as not to further the fallacy of this perceived perception of a
 >standard/requirement, as it is neither a standard nor a requirement, and
 >certainly not illegal.

checking RFCs published within the last 12 years might have been useful

RFC2181: Clarifications to the DNS Specification
this was published as Standards Track
it's true that many RFCs were not advanced but the DNS Extensions
Working Group is making an effort
http://www.ietf.org/html.charters/dnsext-charter.html
Jun 2007 Start of process of reviewing the following RFCs and to
move them to Draft Standard status
that not only includes RFC2181, but ones defining EDNS0, notify,
negative caching, dynamic updates, SRV records etc.

10.3. MX and NS records

The domain name used as the value of a NS resource record, or part of
the value of a MX resource record must not be an alias. Not only is
the specification clear on this point, but using an alias in either
of these positions neither works as well as might be hoped, nor well
fulfills the ambition that may have led to this approach. This
domain name must have as its value one or more address records.
Currently those will be A records, however in the future other record
types giving addressing information may be acceptable. It can also
have other RRs, but never a CNAME RR.

Searching for either NS or MX records causes "additional section
processing" in which address records associated with the value of the
record sought are appended to the answer. This helps avoid needless
extra queries that are easily anticipated when the first was made.

Additional section processing does not include CNAME records, let
alone the address records that may be associated with the canonical
name derived from the alias. Thus, if an alias is used as the value
of an NS or MX record, no address will be returned with the NS or MX
value. This can cause extra queries, and extra network burden, on
every query. It is trivial for the DNS administrator to avoid this
by resolving the alias and placing the canonical name directly in the
affected record just once when it is updated or installed. In some
particular hard cases the lack of the additional section address
records in the results of a NS lookup can cause the request to fail.



Danny
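
The following is an added example, not part of the original message and not BIND's own check: a minimal zone lint for the RFC 2181 section 10.3 rule quoted above. It flags MX and NS values that are aliases and reports the canonical name to place in the record instead. The zone data is constructed, and the simplified "owner type rdata" line format (no TTL, class or $ORIGIN) and all function names are assumptions.

```python
# Constructed sample records in a simplified "owner type rdata" form.
SAMPLE_ZONE = """\
example.com.       MX    10 mail.example.com.
example.com.       MX    20 mx2.example.com.
example.com.       NS    ns1.example.com.
example.com.       NS    ns.example.com.
mail.example.com.  CNAME host1.example.com.   ; alias used as an MX value
host1.example.com. A     192.0.2.10
mx2.example.com.   A     192.0.2.20
ns1.example.com.   A     192.0.2.53
ns.example.com.    CNAME ns1.example.com.     ; alias used as an NS value
"""

def parse_records(text):
    """Parse simplified zone lines into (owner, type, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def canonical_name(name, cnames, max_hops=8):
    """Follow CNAMEs from name; return the final name, or None on a loop."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            return None
        seen.add(name)
        name = cnames[name]
    return name

def alias_targets(records):
    """Return (owner, type, target, canonical) for MX/NS values that are aliases."""
    cnames = {o: r[0].lower() for o, t, r in records if t == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("MX", "NS"):
            continue
        target = rdata[-1].lower()  # MX rdata is "pref host"; NS rdata is "host"
        if target in cnames:
            findings.append((owner, rtype, target, canonical_name(target, cnames)))
    return findings

if __name__ == "__main__":
    for owner, rtype, target, canon in alias_targets(parse_records(SAMPLE_ZONE)):
        print(f"{owner} {rtype} -> {target} is an alias; use {canon or 'n/a (CNAME loop)'}")
```

The lint only sees CNAMEs defined in the same input, so a target that is an alias in another zone is not detected.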



