BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Mark Andrews Mark_Andrews at isc.org
Tue Jan 27 06:03:11 UTC 2009 

In message <B3BA5E37553642E28149093CDEE78476 at AHSNBW1>, "Al Stu" writes:
> 
> Yes,  the response to an MX query, that is the subject here.  And a CNAME is 
> in fact permitted and specified by the RFC's to be accepted as the response 
> to an MX lookup.

	No one is saying a CNAME is not permitted in response to a MX
	query.
> 
> "If the response does not contain an error response, and does not contain 
> aliases"
> See there, alias is permitted.  You just keep proving the my case.

	We are saying that when you lookup the address of the mail
	exchanger that you shouldn't get a CNAME record.  MX ->
	CNAME is not permitted.  Others have quoted similar text
	from more recent RFC's.

	RFC 974

   Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
   a alias and the alias is listed in the MX records for REMOTE.  (E.g.
   REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL).  This
   can be avoided if aliases are never used in the data section of MX
   RRs.

> I am not taking it out of context.  It is very explicitly stated.  And the 
> context is that of locating the target/remote host by first submitting an MX 
> query, then submitting an A query of the MX query result.

	The text you quote is ONLY talking about the MX query.
	There is no "then submitting an A query of the MX query
	result" at this point in the RFC.

> The MX query 
> result is permitted to be and alias, which in turn when submitted for an A 
> query results in both the A and CNAME being returned.  Thus meeting the SMTP 
> RFC requirements.
	
> ----- Original Message ----- 
> From: "Mark Andrews" <Mark_Andrews at isc.org>
> To: "Al Stu" <Al_Stu at Verizon.net>
> Cc: <bind-users at lists.isc.org>
> Sent: Monday, January 26, 2009 8:41 PM
> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT 
> "Illegal"
> 
> 
> >
> > In message <3C802402A28C4B2390B088242A91FB9C at AHSNBW1>, "Al Stu" writes:
> >>
> >> RFC 974:
> >> "There is one other special case.  If the response contains an answer 
> >> which
> >> is a CNAME RR, it indicates that REMOTE is actually an alias for some 
> >> other
> >> domain name. The query should be repeated with the canonical domain 
> >> name."
> >
> > And that is talking about the response to a MX query.  The section
> > from which you quote starts with:
> >
> > Issuing a Query
> >
> >   The first step for the mailer at LOCAL is to issue a query for MX RRs
> >   for REMOTE.  It is strongly urged that this step be taken every time
>   a mailer attempts to send the message.  The hope is that changes in
> >   the domain database will rapidly be used by mailers, and thus domain
> >   administrators will be able to re-route in-transit messages for
> >   defective hosts by simply changing their domain databases.
> >
> > and the paragraph after that which you quote is:
> >
> >   If the response does not contain an error response, and does not
> >   contain aliases, its answer section should be a (possibly zero
> >   length) list of MX RRs for domain name REMOTE (or REMOTE's true
> >   domain name if REMOTE was a alias).  The next section describes how
> >   this list is interpreted.
> >
> > So I would suggest that you stop taking text out of context.
> >
> > CNAME -> MX is legal
> > MX -> CNAME is illegal
> >
> > Mark
> >
> >> ----- Original Message ----- 
> >> From: "Scott Haneda" <talklists at newgeo.com>
> >> To: "Al Stu" <Al_Stu at Verizon.net>
> >> Cc: <bind-users at lists.isc.org>
> >> Sent: Monday, January 26, 2009 8:09 PM
> >> Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT
> >> "Illegal"
> >>
> >>
> >> > On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
> >> >
> >> >> If you refuse a CNAME then it is your SMTP server that is broken. 
> >> >> The
> >> >> SMTP RFC's clearly state that SMTP servers are to accept and  lookup a
> >> >> CNAME.
> >> >
> >> >
> >> > [RFC974] explicitly states that MX records shall not point to an alias
> >> > defined by a CNAME.  That is what I was talking about, are you saying
> >> > this is not correct?  As this is what I was under the impression for
> >> > quite some time.
> >> > --
> >> > Scott
> >> >
> >>
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list