BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
Danny Thomas
d.thomas at its.uq.edu.au
Mon Jan 26 21:43:24 UTC 2009
Al Stu wrote:
> So within the zone SMTP requirements are in fact met when the
> MX RR is a CNAME.
you might argue the line of it being OK when additional processing
includes an A record.
"Be conservative in what you send" means that fewer problems are
likely from reasonable compliance with standards and not trying
every complicated or edge case that might be read into standards.
Section 5.1 of RFC5321:
Any other response, specifically including a value that will
return a CNAME record when queried, lies outside the scope of
this Standard. The prohibition on labels in the data that
resolve to CNAMEs is discussed in more detail in RFC 2181,
Section 10.3 [38].
So if you choose to have MXs with an <exchange> field being a
CNAME, don't complain if that results in some problems
for email delivery.
> So there is no need to prevent this nor to label it as "illegal".
"not compliant with RFC5321/5.1" would have been more explicit.
Maybe the ARM could list compliance messages along with references
to relevant standards and/or examples?
Possible courses of action
* disable the check-mx-cname in your config
* discussions about correct behaviour and standards compliance
might be better taken up on the namedroppers list
* try to prevent RFC5321 from advancing to Standard status
while CNAMEs are specifically excluded by the document
*plonk*
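The check the thread is arguing about, written out as an added example (this is not code from the thread or from BIND itself): a small Python script that parses a constructed zone, flags every MX whose <exchange> owner is a CNAME within that zone, and maps the result onto the three values BIND's check-mx-cname option accepts (fail, warn, ignore). All names under example.com and partner.example are hypothetical, as is the zone text itself. MX targets outside the zone are deliberately left alone, since deciding those needs the additional-section processing the message mentions.

```python
"""
Added example, not from bind-users or BIND: a minimal check in the spirit of
BIND's check-mx-cname. It flags MX records whose <exchange> is a CNAME inside
the same zone, which RFC 5321 s5.1 (via RFC 2181 s10.3) leaves out of scope.
The zone text is constructed for illustration; all names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample zone (hypothetical names). One record per line, fully
# qualified, whitespace separated: owner TTL class type rdata
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN MX    10 mail.example.com.
example.com.        3600 IN MX    20 mx2.example.com.
example.com.        3600 IN MX    30 mx.partner.example.
mail.example.com.   3600 IN CNAME host1.example.com.
host1.example.com.  3600 IN A     192.0.2.10
mx2.example.com.    3600 IN A     192.0.2.20
ns1.example.com.    3600 IN A     192.0.2.1
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return {owner: {type: [rdata, ...]}} for a simple, fully qualified zone."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparsable record: %r" % line)
        owner, _ttl, rtype, rdata = m.groups()
        records[owner.lower()][rtype.upper()].append(rdata.strip())
    return records


def check_mx_cname(records):
    """
    Return (owner, exchange, cname_target) for every MX whose exchange owner
    holds a CNAME in this zone. Exchanges not present in the zone are skipped:
    only additional-section processing at query time could settle those.
    """
    findings = []
    for owner, rrsets in records.items():
        for rdata in rrsets.get("MX", []):
            _pref, exchange = rdata.split(None, 1)
            exchange = exchange.lower()
            cnames = records.get(exchange, {}).get("CNAME", [])
            if cnames:
                findings.append((owner, exchange, cnames[0].lower()))
    return findings


def mode_result(findings, mode="warn"):
    """Map findings onto the values BIND's check-mx-cname accepts: fail | warn | ignore."""
    if mode == "ignore" or not findings:
        return "ok"
    return "fail" if mode == "fail" else "warn"


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    findings = check_mx_cname(zone)
    for owner, exchange, target in findings:
        # Wording follows the thread's suggestion rather than "illegal".
        print("%s MX %s is a CNAME (-> %s): not compliant with RFC 5321 s5.1"
              % (owner, exchange, target))
    print("result:", mode_result(findings, "warn"))
```

Running it reports the first MX (mail.example.com is a CNAME to host1.example.com) and returns "warn"; mx2.example.com has a plain A record and passes, and mx.partner.example is outside the zone and is not judged. The equivalent of the first course of action above in a real BIND configuration is `check-mx-cname ignore;` in the options or zone block, which silences the check without changing what RFC 5321 says about the data.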