BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Mark Andrews Mark_Andrews at isc.org
Mon Jan 26 22:55:08 UTC 2009


In message <2D378CB064BA4D06880AED8ED81F3027 at AHSNBW1>, "Al Stu" writes:
> "Thus, if an alias is used as the value of an NS or MX record, no address 
> will be returned with the NS or MX value."
> 
> Above statement, belief, perception etc. has already been proven to be a 
> fallacy (see the network trace attached to one of the previous messages). 
> Both the CNAME and A record are in fact returned, unless the CNAME RR points 
> to some other zone such as say smtp.googlemail.com.

	Please show one vendor that follows a CNAME when processing the
	*additional* section.  AFAIK there is no vendor that does this.
	Named doesn't.

	CNAME is followed when processing the *answer* section.
 
> So within the zone SMTP requirements are in fact met when the MX RR is a 
> CNAME.  So there is no need to prevent this nor to label it as "illegal". 
> The MX RR CNAME check should be improved to include this case and not throw 
> a message if the MX RR CNAME is resolvable within the zone.

	A lot of the reason why people think they can do this is
	that it doesn't always blow up in their faces when they do
	it.  When there is only one MX record and that name points
	to a CNAME the MX records are not looked up on the mail
	exchanger so things don't blow up.  Have multiple MX records
	with different preferences and point those at CNAMEs then
	things start blowing up because the higher preference mail
	exchanger does look up the MX RRset and does process it.
	That is when things blow up.  The rules are there to prevent
	this situation.

	The message is staying.  If you don't want to see it turn
	it off in named.conf but don't log a bug report complaining
	that we didn't detect the misconfiguration.

	Mark

> ----- Original Message ----- 
> From: "Matus UHLAR - fantomas" <uhlar at fantomas.sk>
> To: <bind-users at lists.isc.org>
> Sent: Monday, January 26, 2009 8:18 AM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
> "Illegal"
> 
> 
> > On 26.01.09 09:19, bsfinkel at anl.gov wrote:
> >> If I have in DNS
> >>
> >>      cn IN CNAME realname
> >>
> >> and I query for cn, the DNS resolver will return "realname".
> >> BIND also returns the "A" record for realname.  Is this a requirement?
> >> If not, then
> >>
> >>      mx IN 10 MX cn
> >>
> >> will result in:
> >>
> >>      1) the MX query returning cn,
> >>
> >>      2) the cn query returning realname,
> >>
> >>      3) a third (and RFC-breaking) query to get the "A" for realname.
> >>
> >> There are only two queries if the resolver returns the "A" record along
> >> with the realname of the CNAME record.
> >
> > according to RFC1035 sect. 3.3.9
> >
> > "MX records cause type A additional section processing for the host
> > specified by EXCHANGE."
> >
> > according to RFC2181 sect 10.3.
> >
> > "The domain name used as the value of a NS resource record, or part of the
> > value of a MX resource record must not be an alias."
> >
> > "It can also have other RRs, but never a CNAME RR."
> >
> > "Additional section processing does not include CNAME records"...
> >
> > "Thus, if an alias is used as the value of an NS or MX record, no address
> > will be returned with the NS or MX value."
> >
> >
> > -- 
> > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Warning: I do NOT wish to receive any advertising mail at this address.
> > "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
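
Added illustration (not part of the original thread, and not BIND's code): a simplified model of the additional-section behaviour described in the reply above, where A records are attached only for exchange names that own them directly, plus a zone check that reports MX exchanges that are aliases. The zone data, the one-line record format and all function names are constructed for this example.

```python
# Constructed sample zone (not from the thread); names are relative to one origin.
ZONE = """
@        IN MX 10 mail
@        IN MX 20 cn
mail     IN A  192.0.2.10
cn       IN CNAME realname
realname IN A  192.0.2.20
"""

def parse(zone_text):
    """Return {owner: [(rtype, rdata_fields), ...]} from 'owner IN type rdata' lines."""
    rrs = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()   # drop comments, split on whitespace
        if len(fields) < 4 or fields[1] != "IN":
            continue
        rrs.setdefault(fields[0], []).append((fields[2], fields[3:]))
    return rrs

def mx_response(rrs, owner="@"):
    """Model an authoritative MX answer. The additional section carries only A
    records owned directly by the exchange name; a CNAME at that name is not
    followed (RFC 2181 sect. 10.3), so an aliased exchange gets no address."""
    answer = sorted((int(r[0]), r[1]) for t, r in rrs.get(owner, []) if t == "MX")
    additional = {}
    for _, exchange in answer:
        addrs = [r[0] for t, r in rrs.get(exchange, []) if t == "A"]
        if addrs:
            additional[exchange] = addrs
    return answer, additional

def mx_cname_findings(rrs):
    """List (owner, exchange, alias_target) for every MX whose exchange is a CNAME."""
    findings = []
    for owner, records in rrs.items():
        for rtype, rdata in records:
            if rtype != "MX":
                continue
            for t, r in rrs.get(rdata[1], []):
                if t == "CNAME":
                    findings.append((owner, rdata[1], r[0]))
    return findings

if __name__ == "__main__":
    zone = parse(ZONE)
    print(mx_response(zone))        # answer section and additional section
    print(mx_cname_findings(zone))  # MX exchanges that are aliases
```

In this constructed zone the exchange "cn" appears in the answer but contributes nothing to the additional section, and the check reports it as an alias for "realname".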


