BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Barry Margolin barmar at alum.mit.edu
Tue Jan 27 06:16:26 UTC 2009


In article <glm61r$5l5$1 at sf1.isc.org>, "Al Stu" <Al_Stu at Verizon.net> 
wrote:

> Yes,  the response to an MX query, that is the subject here.  And a CNAME is 
> in fact permitted and specified by the RFC's to be accepted as the response 
> to an MX lookup.

No, we're talking about the response to the A query for the name that 
the MX points to.  The section below is talking about the response to 
the original MX query.  E.g. when sending mail to foo at mail.company.com, 
mail.company.com is allowed to be a CNAME.  So you can have:

mail.company.com. CNAME company.com.
company.com. MX 10 mx.company.com.

but you still aren't supposed to have:

mx.company.com. CNAME mxserver.company.com.

> 
> "If the response does not contain an error response, and does not contain 
> aliases"
> See there, alias is permitted.  You just keep proving my case.
> 
> I am not taking it out of context.  It is very explicitly stated.  And the 
> context is that of locating the target/remote host by first submitting an MX 
> query, then submitting an A query of the MX query result.  The MX query 
> result is permitted to be an alias, which in turn when submitted for an A 
> query results in both the A and CNAME being returned.  Thus meeting the SMTP 
> RFC requirements.
> 
> 
> ----- Original Message ----- 
> From: "Mark Andrews" <Mark_Andrews at isc.org>
> To: "Al Stu" <Al_Stu at Verizon.net>
> Cc: <bind-users at lists.isc.org>
> Sent: Monday, January 26, 2009 8:41 PM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
> "Illegal"
> 
> 
> >
> > In message <3C802402A28C4B2390B088242A91FB9C at AHSNBW1>, "Al Stu" writes:
> >>
> >> RFC 974:
> >> "There is one other special case.  If the response contains an answer 
> >> which
> >> is a CNAME RR, it indicates that REMOTE is actually an alias for some 
> >> other
> >> domain name. The query should be repeated with the canonical domain 
> >> name."
> >
> > And that is talking about the response to a MX query.  The section
> > from which you quote starts with:
> >
> > Issuing a Query
> >
> >   The first step for the mailer at LOCAL is to issue a query for MX RRs
> >   for REMOTE.  It is strongly urged that this step be taken every time
> >   a mailer attempts to send the message.  The hope is that changes in
> >   the domain database will rapidly be used by mailers, and thus domain
> >   administrators will be able to re-route in-transit messages for
> >   defective hosts by simply changing their domain databases.
> >
> > and the paragraph after that which you quote is:
> >
> >   If the response does not contain an error response, and does not
> >   contain aliases, its answer section should be a (possibly zero
> >   length) list of MX RRs for domain name REMOTE (or REMOTE's true
> >   domain name if REMOTE was a alias).  The next section describes how
> >   this list is interpreted.
> >
> > So I would suggest that you stop taking text out of context.
> >
> > CNAME -> MX is legal
> > MX -> CNAME is illegal
> >
> > Mark
> >
> >> ----- Original Message ----- 
> >> From: "Scott Haneda" <talklists at newgeo.com>
> >> To: "Al Stu" <Al_Stu at Verizon.net>
> >> Cc: <bind-users at lists.isc.org>
> >> Sent: Monday, January 26, 2009 8:09 PM
> >> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT
> >> "Illegal"
> >>
> >>
> >> > On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
> >> >
> >> >> If you refuse a CNAME then it is your SMTP server that is broken. 
> >> >> The
> >> >> SMTP RFC's clearly state that SMTP servers are to accept and  lookup a
> >> >> CNAME.
> >> >
> >> >
> >> > [RFC974] explicitly states that MX records shall not point to an alias
> >> > defined by a CNAME.  That is what I was talking about, are you saying
> >> > this is not correct?  As this is what I was under the impression for
> >> > quite some time.
> >> > --
> >> > Scott
> >> >
> >>
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
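
Added example, not part of the original message and not BIND's own check: a small Python lint over a simplified "owner TYPE rdata" listing that follows an alias on the mail domain (CNAME -> MX) and flags MX records whose exchange name is itself a CNAME (MX -> CNAME). The mx2 record, the A records and the addresses are constructed sample data, and the function names are hypothetical.

```python
# Added example: lint a simplified zone listing for MX targets that are aliases.
# Record format is the one used in the message above: "owner TYPE rdata".

ZONE = """\
mail.company.com. CNAME company.com.
company.com. MX 10 mx.company.com.
company.com. MX 20 mx2.company.com.
mx.company.com. CNAME mxserver.company.com.
mxserver.company.com. A 192.0.2.10
mx2.company.com. A 192.0.2.20
"""  # constructed sample; mx2, the A records and the addresses are assumptions


def parse(zone_text):
    """Return (cnames, mxs): owner -> alias target, owner -> [(pref, exchange)]."""
    cnames, mxs = {}, {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if len(fields) < 3:
            continue
        owner, rtype = fields[0].lower(), fields[1].upper()
        if rtype == "CNAME":
            cnames[owner] = fields[2].lower()
        elif rtype == "MX" and len(fields) >= 4:
            mxs.setdefault(owner, []).append((int(fields[2]), fields[3].lower()))
    return cnames, mxs


def canonical(name, cnames, limit=8):
    """Follow CNAMEs from name; bounded so an alias loop cannot spin forever."""
    for _ in range(limit):
        if name not in cnames:
            return name
        name = cnames[name]
    raise ValueError("CNAME chain too long or looping")


def mx_for(domain, cnames, mxs):
    """MX lookup for a mail domain: an alias here is followed (CNAME -> MX)."""
    return sorted(mxs.get(canonical(domain.lower(), cnames), []))


def mx_pointing_at_alias(cnames, mxs):
    """Flag MX records whose exchange name is itself a CNAME (MX -> CNAME)."""
    return [(owner, exch, cnames[exch])
            for owner, rrs in sorted(mxs.items())
            for _, exch in sorted(rrs) if exch in cnames]
```
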


