Wildcards in MX Record Domain Names

Jim Reid jim at rfc1035.com
Thu Dec 16 10:08:50 UTC 1999


>>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:

    >> > *.org IN MX 10 firewallrelay.mayo.org 
    >> > *.gov IN MX 10 firewallrelay.mayo.org
    >> > *.  IN MX 10 firewallrelay.mayo.org
    >> Yes.  But this is probably not the right way of doing this.
    >> You should really put a relay host into your sendmail.cf file,
    >> to send all non-local e-mail to your firewall.

    Kevin> Why? Is it easier to custom-configure dozens or hundreds of
    Kevin> sendmail.cf's than it is one master file on an internal
    Kevin> root server? And what if you want redundancy or
    Kevin> load-balancing for outbound email? Sure, you could probably
    Kevin> hack that logic into the sendmail.cf too, but why bother
    Kevin> when you can just add a few more MX records to the internal
    Kevin> root?

Because fixing the mail systems is the Right Thing to do. After all
it's them that are broken, not the DNS. It's also not a good idea to
pollute your internal root zone with this sort of cruft, especially
wildcard MX records. It sets a precedent. When the next item of
defective or misconfigured software comes along, you don't have a
strong justification to refuse to kludge the DNS for that as well. If
you're not careful, your root zone will end up in a mess of kludges
and hacks that are hard to maintain or understand. These might also be
interdependent in subtle and weird ways. The wildcarding could even
break. Suppose you then have to add an A record for an external web
site - say ibm.com - to your root zone because of some other broken
application or stupid misconfiguration. Now the idiot mailers can't
send mail to ibm.com because the A record for ibm.com will take
precedence over the *.com MX wildcard. The more cruft that goes into
the root zone, the worse that problem becomes.

Sure, adding the wildcard MX records to the root zone is a quick and
dirty hack. It's definitely much quicker to do than fix every internal
mail system. However the long-term costs of maintaining and supporting
this set-up are probably going to be far higher than the costs of
doing things right from the outset. Just think of the extra (and
unnecessary) complexity in the root zone and all the nasty problems
that could flow from that name space pollution. And once you've
started down that slippery slope, it's very hard to go back. Removing
legacy cruft from the root zone can be almost impossible. Once it's
there, people will use and abuse it for all sorts of things.

    Kevin> Plus, you're assuming they're running sendmail or something
    Kevin> equally manipulable...

True. But even the most brain-dead mail software will usually have an
option somewhere to forward mail via SMTP to a smart relay. "I'm too
stupid or inflexible to route mail properly, but I know how to punt
stuff to another mail server that can do this for me." In fact some
of these idiot mail systems might not even need to be configured to
know about MX records or use the DNS at all.
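The precedence problem described above, as an added example that is not part of the original post: a small Python simulation of the RFC 1034 wildcard rule over a constructed internal root zone. It shows that an explicit A record for ibm.com makes an MX query for ibm.com return no data instead of the *.com wildcard, and goes one step beyond the text by showing that the same A record also shadows the wildcard for names beneath ibm.com. Host names are the thread's own placeholders; the address is a documentation address.

```python
# Simulation of RFC 1034 wildcard matching on a tiny internal root zone.
# All zone data here is constructed for this example; 192.0.2.10 is a
# documentation address, not a real host.

def _labels(name: str) -> list:
    """Absolute name -> labels, root-most first: 'ibm.com.' -> ['com', 'ibm']."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def _exists(zone: dict, name: str) -> bool:
    """A node exists if it owns RRs or is an empty non-terminal above one."""
    if name == ".":
        return True
    return name in zone or any(o.endswith("." + name) for o in zone)

def lookup(zone: dict, qname: str, qtype: str) -> list:
    """Answer qname/qtype from zone (owner name -> {type: [rdata, ...]}).

    Wildcard synthesis follows RFC 1034: a '*' record is used only when
    qname does not exist at all, and only the wildcard directly under the
    closest existing ancestor ("closest encloser") of qname is considered.
    """
    qname = qname.rstrip(".") + "."
    if _exists(zone, qname):
        # Name exists: no wildcard applies, even if this type is absent
        # (a NODATA answer, which is what breaks the relay trick).
        return list(zone.get(qname, {}).get(qtype, []))
    labels = _labels(qname)
    encloser = "."
    for i in range(1, len(labels)):
        ancestor = ".".join(reversed(labels[:i])) + "."
        if not _exists(zone, ancestor):
            break
        encloser = ancestor
    wildcard = "*." if encloser == "." else "*." + encloser
    return list(zone.get(wildcard, {}).get(qtype, []))

RELAY = "10 firewallrelay.mayo.org."

# The internal root zone as proposed in the thread: wildcard MX only.
ZONE_BEFORE = {"*.com.": {"MX": [RELAY]}, "*.org.": {"MX": [RELAY]},
               "*.": {"MX": [RELAY]}}

# The same zone after an A record for an external web site is added.
ZONE_AFTER = {**ZONE_BEFORE, "ibm.com.": {"A": ["192.0.2.10"]}}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for q in ("ibm.com", "mail.ibm.com", "example.net"):
            print(label, q, "MX ->", lookup(zone, q, "MX"))
```

A mailer that gets no MX falls back to the A record as an implicit MX, so it tries the web site's address directly rather than the relay.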
