BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT "Illegal"

Scott Haneda talklists at newgeo.com
Tue Jan 27 06:30:10 UTC 2009


On Jan 26, 2009, at 10:11 PM, Barry Margolin wrote:

> In article <gllr91$2vqt$1 at sf1.isc.org>,
> Scott Haneda <talklists at newgeo.com> wrote:
>
>> I have never got why this is such a hard thing for email admins to get
>> right, but it certainly causes me headaches.  I personally wish
>> CNAMEs would just go away, keep them around, but just stop talking
>> about them, then new-to-DNS users would not use them.
>
> Suppose you're providing an MX service, but you actually out-source the
> operation to a third party.  You want to give your customers an MX
> record that points to a name in your domain, so they don't need to know
> about the third party (and so you have the flexibility to change your
> out-sourcing without requiring all customers to update their MX record).
>
> But the third party also needs the flexibility to change the IP of the
> server, load balancing, disaster recovery, changing ISPs, etc.  So they
> don't want you to hard-code their IPs into your domain.
>
> CNAMEs are the simplest solution to implementing all this.
>
> customer.com. IN MX 10 mx.yourdomain.com.
> mx.yourdomain.com. IN CNAME mx.outsourcer.com.
> mx.outsourcer.com. IN A ...
>
> If the customer changes MX services, they change their MX record.  If
> you change outsourcing companies, you change your CNAME record.  And if
> the outsourcing company re-IPs their server, they change the A record.
> Everyone can perform their job without having to make any of the
> downstream customers adjust their records.


Totally valid points, I agree with them all.  And it is these points
that I was talking about when I suggested CNAMEs go away.  Not really
go away, but the above case is clearly one in which the admin knows
what they are doing.

My trouble is with the mail admins who clearly do not, and who
then argue about solving it.  A better example is servers that do not
support greylisting, and bounce on a 450 code.  This is pretty simple,
and it is obvious why you need to retry on a transient error like that.

Anyway, not saying I disagree with you, I do not, but I was just  
venting a little.
--
Scott
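To make the three-party indirection in Barry's example concrete, here is an added Python example (not code from the original post, and not BIND's own checking logic) that resolves a domain's MX targets through a CNAME chain over a small constructed in-memory record set, the way a sending MTA has to, and reports whether the published MX target was an alias rather than a hostname with its own A records. The owner names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the CNAME loop are all constructed for illustration.

```python
"""Follow MX -> CNAME -> A over an in-memory record set (constructed example).

Models the setup from the quoted message: the customer publishes an MX
pointing at the MX provider's name, the provider publishes a CNAME to the
outsourcer, and only the outsourcer owns an A record.
"""

# Constructed record set: (owner, type) -> list of rdata strings.
RECORDS = {
    ("customer.com.", "MX"): ["10 mx.yourdomain.com."],
    ("mx.yourdomain.com.", "CNAME"): ["mx.outsourcer.com."],
    ("mx.outsourcer.com.", "A"): ["192.0.2.25"],        # TEST-NET-1, illustrative
    # A domain whose MX target is a plain hostname with its own A record, for contrast.
    ("other.example.", "MX"): ["10 mail.other.example."],
    ("mail.other.example.", "A"): ["192.0.2.26"],
    # A CNAME loop, to exercise the hop limit a resolver must enforce.
    ("loop.example.", "MX"): ["10 loop1.example."],
    ("loop1.example.", "CNAME"): ["loop2.example."],
    ("loop2.example.", "CNAME"): ["loop1.example."],
}

MAX_CNAME_HOPS = 8   # assumed limit; real resolvers also cap chain length


def lookup(name, rtype, records=RECORDS):
    """Return the rdata list for (name, rtype), or [] if nothing is published."""
    return records.get((name.lower(), rtype), [])


def resolve_address(name, records=RECORDS):
    """Follow CNAMEs from `name` until an A record (or a dead end) is reached.

    Returns (final_name, addresses, aliases); `aliases` lists every CNAME
    owner traversed, so it is non-empty exactly when `name` itself was an alias.
    Raises ValueError if the chain exceeds MAX_CNAME_HOPS (a loop, in practice).
    """
    aliases = []
    current = name.lower()
    for _ in range(MAX_CNAME_HOPS):
        addrs = lookup(current, "A", records)
        if addrs:                      # an owner with data is never also a CNAME
            return current, addrs, aliases
        targets = lookup(current, "CNAME", records)
        if not targets:                # neither A nor CNAME: nothing to connect to
            return current, [], aliases
        aliases.append(current)
        current = targets[0].lower()
    raise ValueError(f"CNAME chain from {name} exceeds {MAX_CNAME_HOPS} hops")


def mx_delivery_hosts(domain, records=RECORDS):
    """For each MX of `domain`, lowest preference first, resolve where mail would go.

    `target_is_alias` is True when the published MX target is a CNAME. RFC 2181
    section 10.3 says an MX target must not be an alias; this function follows
    the alias anyway, as most MTAs do, and simply reports that it did.
    """
    results = []
    for rdata in lookup(domain, "MX", records):
        pref, target = rdata.split()
        entry = {"preference": int(pref), "target": target.lower()}
        try:
            final, addrs, aliases = resolve_address(target, records)
            entry.update(resolved_name=final, addresses=addrs,
                         target_is_alias=bool(aliases), cname_hops=len(aliases))
        except ValueError as exc:
            entry.update(resolved_name=None, addresses=[], target_is_alias=True,
                         cname_hops=MAX_CNAME_HOPS, error=str(exc))
        results.append(entry)
    return sorted(results, key=lambda r: r["preference"])


def with_record(records, owner, rtype, rdata):
    """Return a copy of `records` with one (owner, type) replaced: one party's change."""
    new = dict(records)
    new[(owner.lower(), rtype)] = list(rdata)
    return new


if __name__ == "__main__":
    for zone in ("customer.com.", "other.example.", "loop.example."):
        for host in mx_delivery_hosts(zone):
            print(zone, host)
    # The outsourcer re-IPs its server; the customer's MX and the provider's
    # CNAME are untouched, yet delivery follows the new address.
    moved = with_record(RECORDS, "mx.outsourcer.com.", "A", ["198.51.100.25"])
    print("after re-IP:", mx_delivery_hosts("customer.com.", moved)[0]["addresses"])
```

The `with_record` step is the point of the quoted argument: each party edits only the record it owns, and the chain still resolves. The `target_is_alias` flag is what a strict zone checker complains about, while the resolver still reaches an address, which is why the two camps talk past each other.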