MX records for dynamic IP?

Kevin Darcy kcd at chrysler.com
Thu Apr 16 22:16:19 UTC 2009


Michelle Konzack wrote:
> Hello *,
>
> I have a ZONE like
>
> ----[ code 'dig @ns1.xxxxxxxxxxx.com www.tamay-dogan.net ALL' ]--------
>
> ; <<>> DiG 9.5.1-P1 <<>> @ns1.xxxxxxxxxxx.com www.tamay-dogan.net ALL
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4451
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;www.tamay-dogan.net.           IN      A
>
> ;; ANSWER SECTION:
> www.tamay-dogan.net.    60      IN      CNAME   tamay-dogan.homelinux.net.
> tamay-dogan.homelinux.net. 60   IN      A       78.43.17.74
>
> ;; AUTHORITY SECTION:
> homelinux.net.          86400   IN      NS      ns1.dyndns.org.
> homelinux.net.          86400   IN      NS      ns2.dyndns.org.
> homelinux.net.          86400   IN      NS      ns3.dyndns.org.
> homelinux.net.          86400   IN      NS      ns4.dyndns.org.
> homelinux.net.          86400   IN      NS      ns5.dyndns.org.
>
> ;; ADDITIONAL SECTION:
> ns2.dyndns.org.         81538   IN      A       204.13.249.75
> ns3.dyndns.org.         81538   IN      A       208.78.69.75
> ns4.dyndns.org.         81538   IN      A       91.198.22.75
> ns5.dyndns.org.         81538   IN      A       203.62.195.75
>
> ;; Query time: 479 msec
> ;; SERVER: 62.xxx.xx.4#53(62.xxx.xx.4)
> ;; WHEN: Thu Apr 16 23:34:08 2009
> ;; MSG SIZE  rcvd: 253
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47371
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ALL.                           IN      A
>
> ;; AUTHORITY SECTION:
> .                       8042    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2009041600 1800 900 604800 86400
>
> ;; Query time: 326 msec
> ;; SERVER: 62.xxx.xx.4#53(62.xxx.xx.4)
> ;; WHEN: Thu Apr 16 23:34:08 2009
> ;; MSG SIZE  rcvd: 96
> ------------------------------------------------------------------------
>
> plus
>
> ----[ command 'dig @ns1.xxxxxxxxxxx.com www.tamay-dogan.net MX' ]------
>
> ; <<>> DiG 9.5.1-P1 <<>> @ns1.xxxxxxxxxxx.com tamay-dogan.net MX
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40181
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;tamay-dogan.net.               IN      MX
>
> ;; ANSWER SECTION:
> tamay-dogan.net.        60      IN      MX      10 webmail.xxxxxxxxxxx.com.
>
> ;; AUTHORITY SECTION:
> tamay-dogan.net.        60      IN      NS      ns1.xxxxxxxxxxx.com.
> tamay-dogan.net.        60      IN      NS      ns2.xxxxxxxxxxx.com.
>
> ;; ADDITIONAL SECTION:
> webmail.xxxxxxxxxxx.com. 17     IN      A       62.xxx.xx.10
> ns1.xxxxxxxxxxx.com.    17      IN      A       62.xxx.xx.4
> ns2.xxxxxxxxxxx.com.    17      IN      A       62.xxx.xx.8
>
> ;; Query time: 139 msec
> ;; SERVER: 62.xxx.xx.4#53(62.xxx.xx.4)
> ;; WHEN: Thu Apr 16 23:30:50 2009
> ;; MSG SIZE  rcvd: 156
> ------------------------------------------------------------------------
>
> and it is working...  (at least  for  the  Webstuff  since  my  ZONE  is
> currently pointing to my old hoster and I am waiting for the DNS  record
> change)
>
> What I like to know is, whether I can use MX records like
>
> 	60      IN      MX      10 mail.tamay-dogan.net.
> 	60      IN      MX      20 webmail.xxxxxxxxxxx.com.
>
> because <mail.tamay-dogan.net> is pointing to a CNAME record and NOT  an
> A record.  If it works I would not bother my "helper" called xxxxxxxxxxx
> with 3000 messages per day...
>
>   
No, you need to point MX records at "canonical" names, not aliases.

Even if it were legal to point MX records at aliases, if that alias 
points to some dynamic IP, it might be a really bad idea to point your 
MX there, since, due to caching, some other client who got your old 
dynamic IP address, could then accidentally receive your email for some 
period of time, unless you have some sort of crypto authentication.

Similar considerations apply to running a webserver on a dynamic IP, of 
course, but it is much more common to see SSL implemented in a webserver 
than for comparable protection (e.g. TLS) to be set up in a mail server 
or between mail servers.

If you can run your web services and mail services on *static* IPs that 
would be preferred. Trying to run this kind of stuff on dynamic IPs is 
always going to be an uphill battle. Maybe you relish the challenge; 
most people just want their stuff to work.

                                                                         
                                                   - Kevin
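
The rule stated in the reply, that an MX target must be a canonical name and not an alias (RFC 2181, section 10.3), can be checked over a record set before a zone change goes live. The Python below is an added example, not part of the original post: the records are constructed from the question, `webmail.example.com` and `192.0.2.10` stand in for the redacted host, and the CNAME target of `mail.tamay-dogan.net` is assumed to be the dyndns name.

```python
import re

# Constructed sample in zone-file/dig answer form (assumptions noted in the lead-in).
SAMPLE = """\
tamay-dogan.net.           60 IN MX    10 mail.tamay-dogan.net.
tamay-dogan.net.           60 IN MX    20 webmail.example.com.
mail.tamay-dogan.net.      60 IN CNAME tamay-dogan.homelinux.net.
tamay-dogan.homelinux.net. 60 IN A     78.43.17.74
webmail.example.com.       17 IN A     192.0.2.10
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse(text):
    """Return (owner, ttl, type, rdata) tuples; skips dig comment lines (';')."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()   # tolerate mail-quoted dig output
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records

def check_mx(records):
    """Classify each MX target as 'ok', 'alias' (a CNAME owner) or 'unresolved'."""
    cnames = {o: r.lower() for o, _, t, r in records if t == "CNAME"}
    addrs = {o for o, _, t, _ in records if t in ("A", "AAAA")}
    findings = []
    for owner, _, rtype, rdata in records:
        if rtype != "MX":
            continue
        pref, target = rdata.split()
        target = target.lower()
        if target in cnames:       # MX -> CNAME: not allowed
            findings.append((owner, int(pref), target, "alias", cnames[target]))
        elif target in addrs:      # MX -> name with its own address record
            findings.append((owner, int(pref), target, "ok", None))
        else:                      # no data for the target in this record set
            findings.append((owner, int(pref), target, "unresolved", None))
    return findings

if __name__ == "__main__":
    for owner, pref, target, status, alias_of in check_mx(parse(SAMPLE)):
        note = f" (CNAME -> {alias_of})" if alias_of else ""
        print(f"{owner} MX {pref} {target}: {status}{note}")
```
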



