In message <20101112143542.ga23...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > In message <20101112135657.gb22...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > > On 29.10.10 12:49, Mark Andrews wrote:
> > > > And they can do a SMTP level rejection rather than waiting for the
> > > > sending server to abandon sending the email due to multiple timeouts.
> > > > Just return 550 for all mail directed to users at those hosts.  It
> > > > would be nice if we could standardise a MX target of "." as saying
> > > > that this domain doesn't accept email e.g. "MX 0 ." the same way
> > > > as "SRV 0 0 0 ." means that there is no service for the named
> > > > protocol.  That way the sending MTA or the MSA can reject the email.
> > > >
> > > > Every time it gets suggested people shoot it down worrying about
> > > > private nets that have addresses at "." or get worried about thousands
> > > > of machines making A/AAAA queries for "." where the MTA doesn't
> > > > check that the MX target is a valid host name.
> > >
> > > the same would apply for any other hostname not recognized by mailservers.
> > > Even localhost, if some servers do not contain zone for it.
> > >
> > > Technically the best solution would be dropping fallback for A address,
> > > however it's apparently unapplicable (or would take years).
> > >
> > > BTW.
> > >
> > > I was told that "." is not a valid hostname and that it causes DNSSEC
> > > problems, at least with debian's named (9.6 ESV now, 9.5.1 before)
> > > ... can you confirm this?
>
> On 13.11.10 01:24, Mark Andrews wrote:
> > "." isn't a valid hostname but named will accept it as a place holder.
> >
> > % named-checkzone example test
> > test:1: no TTL specified; using SOA MINTTL instead
> > zone example/IN: example/MX '.' (out of zone) has no addresses records (A or AAAA)
> > zone example/IN: loaded serial 0
> > OK
> > % cat test
> > @ IN SOA . . 0 0 0 0 0
> > @ IN NS .
> > @ IN MX 10 .
> > %
> >
> > It's easy enough to remove the address checks for ".".
>
> what about check-mx setting, can it be also affected by this setting?

As I said it is an easy fix.  This just copies what the srv check does.

Index: lib/dns/zone.c =================================================================== RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.574 diff -u -r1.574 zone.c --- lib/dns/zone.c 6 Sep 2010 04:41:13 -0000 1.574 +++ lib/dns/zone.c 12 Nov 2010 22:08:51 -0000 @@ -1751,6 +1752,12 @@ int level; /* + * "." means the services does not exist. + */ + if (dns_name_equal(name, dns_rootname)) + return (ISC_TRUE); + + /* * Outside of zone. */ if (!dns_name_issubdomain(name, &zone->origin)) { -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
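
Review bot: The comment added at the top of the hunk ('"." means the services does not exist.') is carried over from the SRV check and does not describe the MX case this thread is about; wording such as '"." as an MX target means the domain accepts no mail' would match the intent, and "services" should be "service" in either form. The early "return (ISC_TRUE)" is also placed ahead of the "Outside of zone" test, and the enclosing function and its callers are not visible in the posted context, so it is worth confirming that this path is reached only for the record types where "." is meant as a placeholder; the test zone quoted earlier in the thread also carries "NS .", which should not pass on the same shortcut unnoticed. The hunk header offsets (-1751 on the old side, +1752 on the new) point to an earlier one-line change in zone.c that is not in the diff as posted, so the patch may not apply cleanly to revision 1.574 by itself.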