BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Matthew Pounsett matt at conundrum.com
Sun Jan 25 15:37:04 UTC 2009


On 25-Jan-2009, at 03:44 , Al Stu wrote:

> "When a domain name associated with an MX RR is looked up and the  
> associated data field obtained, the data field of that response MUST  
> contain a domain name. That domain name, when queried, MUST
> return at least one address record (e.g., A or AAAA RR) that gives  
> the IP address of the SMTP server to which the message should be  
> directed."
>
> Correct.  And when that domain name is a CNAME pointing to an A RR
> the query returns not only the alias but also the real name and the
> IP address from the A RR.  Thus meeting the requirements to "return
> at least one address record (e.g., A or AAAA RR)".  But yet ISC
> seems to find it necessary to throw a message that it is "illegal",
> when it clearly is not.

You've added an additional step in your second paragraph that is  
prohibited by the section you quoted in the first.  The section from  
the RFC describes a situation where A is queried for and an MX record  
pointing to B is returned.  When B is queried for, an address record  
MUST be the answer.  The situation you have described is that A is
queried for resulting in an MX record pointing to B.  When B is  
queried for, a CNAME pointing to C is returned, and that when C is  
queried an address record is returned.  Do you see the difference?

The RFCs are quite clear that CNAMEs are not permitted in the RDATA  
for an MX.
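A small zone lint for the distinction drawn above, added here as an example and not part of the original thread: a constructed in-memory zone stands in for real DNS data, and the check flags an MX exchange name that is a CNAME rather than the direct owner of an A/AAAA record, while also showing what a resolver would eventually find by following the alias.

```python
# Lint MX targets for the CNAME-in-RDATA case discussed in the thread.
# RFC 2181 s.10.3 and RFC 5321 s.5.1: the exchange name in an MX must own
# address records itself; it must not be an alias (CNAME).
# Constructed in-memory zone: owner name -> list of (rrtype, rdata).
ZONE = {
    "example.com.":       [("MX", (10, "mail.example.com.")),
                           ("MX", (20, "alias.example.com."))],
    "mail.example.com.":  [("A", "192.0.2.10")],
    "alias.example.com.": [("CNAME", "real.example.com.")],
    "real.example.com.":  [("A", "192.0.2.20")],
}
ADDRESS_TYPES = ("A", "AAAA")


def records(zone, name, rrtype):
    """Return the rdata of every record of `rrtype` owned by `name`."""
    return [rdata for rtype, rdata in zone.get(name, []) if rtype == rrtype]


def resolve_addresses(zone, name, max_hops=8):
    """Follow CNAMEs the way a resolver does until address records appear.
    Returns (final_name, [addresses]); an empty list means nothing usable."""
    for _ in range(max_hops):
        addrs = [r for t in ADDRESS_TYPES for r in records(zone, name, t)]
        if addrs:
            return name, addrs
        cname = records(zone, name, "CNAME")
        if not cname:
            return name, []
        name = cname[0]
    return name, []  # CNAME loop or chain longer than max_hops


def check_mx_targets(zone, owner):
    """Return (exchange, verdict) for every MX record at `owner`.
    'ok'           : exchange owns A/AAAA directly, as the RFCs require
    'cname-target' : exchange is an alias; a resolver still reaches an
                     address via the CNAME, but the MX RDATA is not compliant
    'no-address'   : nothing usable behind the exchange name at all"""
    results = []
    for _pref, exchange in records(zone, owner, "MX"):
        if any(records(zone, exchange, t) for t in ADDRESS_TYPES):
            results.append((exchange, "ok"))
        elif records(zone, exchange, "CNAME"):
            results.append((exchange, "cname-target"))
        else:
            results.append((exchange, "no-address"))
    return results


if __name__ == "__main__":
    for exchange, verdict in check_mx_targets(ZONE, "example.com."):
        final, addrs = resolve_addresses(ZONE, exchange)
        print(f"{exchange:22} {verdict:13} resolver ends at {final} -> {addrs}")
```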

