BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"
Al Stu
Al_Stu at Verizon.net
Tue Jan 27 03:54:00 UTC 2009
If you refuse a CNAME then it is your SMTP server that is broken. The SMTP
RFCs clearly state that SMTP servers are to accept and look up a CNAME.
----- Original Message -----
From: "Scott Haneda" <talklists at newgeo.com>
To: "Mark Andrews" <Mark_Andrews at isc.org>
Cc: "Al Stu" <Al_Stu at Verizon.net>; <bind-users at lists.isc.org>
Sent: Monday, January 26, 2009 6:24 PM
Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT
"Illegal"
> On Jan 26, 2009, at 6:17 PM, Mark Andrews wrote:
>
>> Which just means you have not ever experienced the problems
>> it causes. MTAs are not required to look up the addresses of
>> all the mail exchangers in the MX RRset to process the MX
>> RRset. MTAs usually learn their name by gethostname() or
>> similar and that name is not a CNAME or there is a
>> misconfiguration.
>>
>> The fact that email still gets delivered in the presence
>> of misconfigurations is good luck rather than good management.
>
>
> 100% right. I refuse MXs that are CNAMEd, and I get emails from
> customers asking what is up. What is strange, and I can not figure it
> out, is that the admins of the DNS/email server always tell me this is
> the first time they have heard of it.
>
> Despite me pointing them to the RFC on the matter, since it has worked in the
> past, they think it is my MTA that is wrong. I hate to budge on it, as
> this is a simple thing to understand and fix, but it seems many other
> email servers out there will run up and down a DNS server to find any
> address they can.
>
> In the end, they almost always refuse to change their DNS, and I end up
> making a static route for them. They change the record later, and then
> it breaks.
>
> I have never got why this is such a hard thing for email admins to get
> right, but it certainly causes me headaches. I personally wish CNAMEs
> would just go away, keep them around, but just stop talking about them,
> then new-to-DNS users would not use them.
> --
> Scott
>
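
Added example, not part of either message: a sketch of the name-only MX processing Mark Andrews describes, using the RFC 974 rule that a relaying MTA drops exchangers with a preference equal to or worse than its own. The zone data, the example.com names and all function names are constructed for illustration.

```python
# Constructed sample data: example.com names are placeholders, not from the thread.
CNAMES = {"backup.example.com.": "mx2.example.com."}  # alias -> canonical name
MX_WITH_ALIAS = [(10, "mail.example.com."), (20, "backup.example.com.")]
MX_CANONICAL = [(10, "mail.example.com."), (20, "mx2.example.com.")]


def norm(name):
    """Lower-case and fully qualify a DNS name for comparison."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def relay_candidates(mx_rrset, local_name):
    """Prune an MX RRset by name only, as a relaying MTA may do.

    The MTA looks for its own name (as gethostname() would report it) among
    the exchangers and drops every record whose preference is equal to or
    worse than its own. No address lookups are made, so an alias that points
    at this host is not recognised as "me".
    """
    local = norm(local_name)
    own = [pref for pref, host in mx_rrset if norm(host) == local]
    if not own:
        return sorted(mx_rrset)  # not listed by name: nothing is pruned
    return sorted((p, h) for p, h in mx_rrset if p < min(own))


def aliased_mx_targets(mx_rrset, cnames):
    """Zone check: MX targets that are the owner name of a CNAME record."""
    aliases = {norm(k) for k in cnames}
    return [norm(h) for _, h in mx_rrset if norm(h) in aliases]


def delivers_to_self(mx_rrset, local_name, cnames):
    """True if a surviving candidate is really this host behind a CNAME."""
    local = norm(local_name)
    table = {norm(k): norm(v) for k, v in cnames.items()}
    return any(table.get(norm(h), norm(h)) == local
               for _, h in relay_candidates(mx_rrset, local))


if __name__ == "__main__":
    for label, rrset in (("alias", MX_WITH_ALIAS), ("canonical", MX_CANONICAL)):
        print(label, relay_candidates(rrset, "mx2.example.com"),
              "flagged:", aliased_mx_targets(rrset, CNAMES),
              "self-delivery risk:", delivers_to_self(rrset, "mx2.example.com", CNAMES))
```

With the aliased MX target the backup host fails to find itself in the RRset and keeps its own record as a delivery candidate; with the canonical name it prunes correctly.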