In message <20101112143542.ga23...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > In message <20101112135657.gb22...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > > On 29.10.10 12:49, Mark Andrews wrote:
> > > > And they can do a SMTP level rejection rather than waiting for the
> > > > sending server to abandon sending the email due to multiple timeouts.
> > > > Just return 550 for all mail directed to users at those hosts.   It
> > > > would be nice if we could standardise a MX target of "." as saying
> > > > that this domain doesn't accept email e.g. "MX 0 ." the same way
> > > > as "SRV 0 0 0 ." means that there is no service for the named
> > > > protocol.  That way the sending MTA or the MSA can reject the email.
> > > > 
> > > > Every time it gets suggested people shoot it down worrying about
> > > > private nets that have addresses at "." or get worried about thousands
> > > > of machines making A/AAAA queries for "." where the MTA doesn't
> > > > check that the MX target is a valid host name.
> > > 
> > > the same would apply for any other hostname not recognized by mailservers.
> > > Even localhost, if some servers do not contain zone for it.
> > > 
> > > Technically the best solution would be dropping fallback for A address,
> > > however it's apparently inapplicable (or would take years).
> > > 
> > > BTW.
> > > 
> > > I was told that "." is not a valid hostname and that it causes DNSSEC
> > > problems, at least with debian's named (9.6 ESV now, 9.5.1 before)
> > > ... can you confirm this?
> 
> On 13.11.10 01:24, Mark Andrews wrote:
> > "." isn't a valid hostname but named will accept it as a place holder.
> > 
> > % named-checkzone example test
> > test:1: no TTL specified; using SOA MINTTL instead
> > zone example/IN: example/MX '.' (out of zone) has no addresses records (A or AAAA)
> > zone example/IN: loaded serial 0
> > OK
> > % cat test
> > @ IN SOA . . 0 0 0 0 0
> > @ IN NS .
> > @ IN MX 10 .
> > % 
> > 
> > It's easy enough to remove the address checks for ".".
> 
> what about check-mx setting, can it be also affected by this setting?
 
As I said it is an easy fix.  This just copies what the srv check does.

Index: lib/dns/zone.c
===================================================================
RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v
retrieving revision 1.574
diff -u -r1.574 zone.c
--- lib/dns/zone.c      6 Sep 2010 04:41:13 -0000       1.574
+++ lib/dns/zone.c      12 Nov 2010 22:08:51 -0000
@@ -1751,6 +1752,12 @@
        int level;
 
        /*
+        * "." means the services does not exist.
+        */
+       if (dns_name_equal(name, dns_rootname))
+               return (ISC_TRUE);
+
+       /*
         * Outside of zone.
         */
        if (!dns_name_issubdomain(name, &zone->origin)) {
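Review bot: The new comment above the dns_name_equal(name, dns_rootname) test reads '"." means the services does not exist', which is SRV wording with a grammar slip; since the change is offered to silence the address check for "MX 10 .", the comment should name that case too, for example '"." means no service (SRV) or no mail accepted (MX)'. The early return of ISC_TRUE sits ahead of the "Outside of zone" branch and logs nothing, so a "." target entered by mistake now passes without any warning. The hunk does not show which callers reach this function, so it is worth confirming that only record types where "." is meant as a placeholder get this shortcut.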
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
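
The sender-side handling discussed in this thread (treat an MX target of "." as "this domain accepts no mail" and never look up addresses for it), as an added example that is not part of the original message and is not BIND or MTA code. The struct, enum and function names are hypothetical, and skipping a "." that appears alongside real hosts is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not BIND's or any MTA's API. */
struct mx_rec { unsigned pref; const char *target; };

enum mx_verdict {
    MX_DELIVER,       /* at least one resolvable target remains */
    MX_NO_MAIL,       /* only "." targets: reject locally (e.g. 550) */
    MX_FALLBACK_ADDR  /* no MX at all: implicit fallback to A/AAAA */
};

/*
 * Classify an MX RRset before any address lookup is made.
 * usable[] (caller-sized to n) receives the indexes of targets that may
 * be resolved; "." is never placed there, so no A/AAAA query for the
 * root name is ever issued.
 */
enum mx_verdict mx_classify(const struct mx_rec *rr, size_t n,
                            size_t *usable, size_t *nusable)
{
    size_t i;

    *nusable = 0;
    if (rr == NULL || n == 0)
        return MX_FALLBACK_ADDR;
    for (i = 0; i < n; i++) {
        /* Assumption: a "." mixed with real hosts is skipped, not fatal. */
        if (strcmp(rr[i].target, ".") == 0)
            continue;
        usable[(*nusable)++] = i;
    }
    return *nusable > 0 ? MX_DELIVER : MX_NO_MAIL;
}

int main(void)
{
    /* Constructed sample: the "MX 10 ." record from the test zone above. */
    const struct mx_rec null_mx[] = { { 10, "." } };
    size_t usable[1], nusable;

    if (mx_classify(null_mx, 1, usable, &nusable) == MX_NO_MAIL)
        puts("550 domain does not accept mail");
    return 0;
}
```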
