Why forwarding is a Bad Thing

Kevin Darcy kcd at daimlerchrysler.com
Thu Mar 22 20:59:21 UTC 2001


Jim Reid wrote:

> >>>>> "Brad" == Brad Knowles <brad.knowles at skynet.be> writes:
>
>     Brad>       One further question I forgot to ask -- would you
>     Brad> place the use of forwarding in the same category as using
>     Brad> wildcard records, especially wildcard MX records?
>
> Yes. Absolutely. The two things are equally evil and cause comparable
> amounts of trouble IMO. And as you know, there are some times when
> wildcarding is the only option, disgusting and as dangerous as it
> undoubtedly is. And those who play with such things should know what
> they are doing.

I think this is comparing apples and oranges. Forwarding relates to how
nameservers interact with each other; MX wildcards relate to how mail
servers interact with DNS and, ultimately, each other. As such,
forwarding is something configured in nameserver configurations
(named.conf in the case of BIND). Wildcard MX'es are configured in the
DNS database itself, i.e. in zonefiles. The two things have different
forms, and are used for different purposes. So how can they be compared,
except in the vague sense of "things that people can easily screw up",
which applies to *many* disparate aspects of DNS or SMTP-routing
configuration?

As Jim knows, I happen to advocate the use of wildcard MX records for
outbound mail routing in an internal-root context. The 3rd Edition of
_DNS_and_BIND_ appears to advocate the same thing (see the "DNS and
Internet Firewalls" section, pages 391 and 392). What I think Jim may
fail to appreciate, however, is that I advocate it for many of the
*same* reasons that I advocate *against* forwarding -- because it
centralizes mail routes (_roughly_ analogous to name-resolution
paths) in a single place, where there is a higher probability of
competent administration. Just as I shudder at the thought of junior
admins all over the enterprise configuring all sorts of screwy,
hard-coded, undocumented forwarding cruft, I shudder at the thought of
junior admins all over the enterprise configuring all sorts of screwy,
hard-coded, undocumented mail routing cruft. I'd rather centralize the
top-level delegation information *and* the top-level mail routing
information (wildcard MXes) somewhere where I can keep a watchful eye on
it. I don't think that makes me a control freak; I think it's just a
responsible way to manage the two different kinds of infrastructure...


- Kevin
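As an added illustration of the distinction drawn in the post above (this is not part of Kevin's message, nor taken from the book he cites), the two constructed fragments below show where each mechanism actually lives: forwarding is a statement in the nameserver's own configuration (named.conf), while a wildcard MX is a resource record in zone data served by the internal root. The zone name example.com, the hostnames under corp.example, and the 192.0.2.x addresses are assumptions chosen from the reserved documentation ranges.

```conf
// --- named.conf (constructed example) ---
// Forwarding is configured HERE, per nameserver. A "type forward" zone
// hands every query for example.com to the listed forwarders instead of
// resolving from the (internal) root down. This is the per-server,
// hard-coded setting the post argues against scattering across an
// enterprise; it appears in no zonefile and is invisible to the DNS
// data itself.
options {
    directory "/var/named";
};

zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // constructed address
};

// The internal root zone, for which this server is authoritative.
zone "." {
    type master;                  // "type primary" in newer BIND releases
    file "root.internal";
};

// --- root.internal (constructed example) ---
// The wildcard MX is configured HERE, in zone data. Because this is the
// internal root, top-level delegation and top-level mail routing sit in
// the same file, under one administrative eye.
$TTL 86400
@                     IN SOA ns1.corp.example. hostmaster.corp.example. (
                              2001032201 ; serial (constructed)
                              3600       ; refresh
                              900        ; retry
                              604800     ; expire
                              3600 )     ; negative-cache TTL
                      IN NS  ns1.corp.example.

; Internal top-level delegation, kept in one place.
corp.example.         IN NS  ns1.corp.example.
ns1.corp.example.     IN A   192.0.2.1

; Wildcard MX: any name that does not otherwise exist in this zone, which
; from the internal root's point of view is every external domain, is
; synthesized an MX pointing at the firewall's mail relay. Outbound mail
; routing is therefore decided here, not on each individual mail server.
*                     IN MX  10 mailgw.corp.example.
mailgw.corp.example.  IN A   192.0.2.25
```

Two properties of this layout are worth checking before relying on it. First, per the wildcard rules in RFC 1034 (section 4.3.3), the `*` record only synthesizes answers for names with no closer existing name in the zone; corp.example exists as a delegation, so queries beneath it are referred to ns1.corp.example rather than being answered with the relay MX, and internal mail keeps its own routing. Second, the forward zone above takes effect only on the server whose named.conf contains it, which is exactly why such statements are hard to inventory once they spread: a quick audit is to grep every resolver's named.conf for `forward` and `forwarders` and compare the list against what the central DNS team believes is deployed.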
