Re: designing the DNS from scratch
Hi Abdulhadi,

At 00:31 09-07-2017, Abdulhadi Ettwejiri wrote:
> We are an ISP company; we are providing Internet to our customers. Recently one of our VIP customers asked for DNS service, and needs the response time to be 3 msec. We don't have enough knowledge of DNS.

I suggest discussing with your customer about the requirement as it is not clear what they are looking for.

Regards,
-sm

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: localhost A record?
Hi Chris,

At 11:18 21-03-2014, Chris Thompson wrote:
> We used to create lots of localhost.[subdomain].cam.ac.uk records, even to the extent of adding an AAAA record just for those institutions that had IPv6 enabled on their networks. But we have pretty much given up doing that for new subdomains. It still seems to me potentially useful to keep localhost.cam.ac.uk itself, to terminate the probable iteration described above before it goes any further.

It can be used to exploit web application vulnerabilities.

Regards,
-sm
Re: internal network PTR records, necessary?
Hi James,

At 19:06 13-08-2013, James Chase wrote:
> I noticed if I do a reverse lookup on an internal IP it seems to reference an IANA server. Do we have a misconfiguration to be going out there for an answer? Could it be that this IANA server was not responding Monday morning?

See RFC 6303 and RFC 6305.

Regards,
-sm
Re: New warning message...
Hi Dan,

At 03:07 24-07-2013, McDonald, Dan wrote:
> SPF RR types are already standards track - see RFC 6652. An informational RFC warning that the standard is not being adopted should be seen as a call to fix the admins, not discard the standard.

The SPF specification is not on the Standards Track. RFC 6652 is about ARF.

Regards,
-sm
Re: PTR files
Hi Norman,

If I recall correctly, the initial message you posted mentioned a network connectivity problem. I suggest verifying whether one end can ping the other end. See whether you can ping by IP address and by host name.

Regards,
-sm
Re: This list's prefix
Hi Elmar,

At 12:27 05-06-2013, Elmar K. Bins wrote:
> And the 100-dollar question is: How do you remove them on outgoing mails? ;-)

The answer is to edit the subject line after hitting the reply button. :-)

Regards,
-sm
Re: spf ent txt records.
At 08:35 18-03-2013, Vernon Schryver wrote:
> Also, those who are not lazy, who think RFC 4408bis is wrong, and want to use type 99 without violating RFC 4408bis will go to the IETF.

I suggest reading the messages with a subject line of "#9: RFC 4408 SPF RR type" in the mail archive at http://www.ietf.org/mail-archive/web/spfbis/current/

Regards,
-sm
Re: Can we load balance traf[f]ic for CNAME records?
At 01:14 14-12-2012, Manish Rane wrote:
> I understand that mail delivery load balancing can be achieved by using MX priorities. My concern is not that; rather I am more worried about users who will be using an A record to configure their mail clients like IMAP or POP. I am thinking of load balancing there since I want users to access both the ISPs to connect. I can have A/CNAME? record

See RFC 6186. Verify whether the mail clients support that specification.

Regards,
-sm
Re: User wanting to use a .local domain to host DNS
At 07:15 14-11-2012, John Miller wrote:
> It doesn't look like .local is officially reserved (http://tools.ietf.org/html/rfc2606), but .localdomain definitely is.

.localdomain is not reserved.

Regards,
-sm
Re: How to Setup DNSSEC
At 21:10 16-10-2012, pangj wrote:
> IMO, a resolver will have the ability to get the public key of a ZSK for validating the signed RR. How will it get this public key? And, is the usage of a KSK similar to the CA certificate?

See http://www.nlnetlabs.nl/publications/dnssec_howto/

Regards,
-sm
Re: Question related to domain names and less to bind straight.
At 22:04 04-09-2012, Eliezer Croitoru wrote:
> I am working on a blacklist and in order to filter the list and to do some error checks I first want to identify the TLD part of the domain, to make the search prefix at least the domain and not the TLD. The basic list exists at: http://data.iana.org/TLD/tlds-alpha-by-domain.txt But in the case of a regional TLD such as il I want to filter the domain at the second/3rd level. Is there an RFC that talks about regional TLDs?

No.

> Is there any known restriction for regional TLD sub-domain naming?

It's ccTLD policy. See the public suffix list for an informal lower level break-down.

Regards,
-sm
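The public suffix list reply above is the practical answer to the blacklist question: key the list on the registrable domain, not on the TLD. The following is an added example (not code from the thread) implementing the Public Suffix List matching rules (longest match, `*` wildcards, `!` exceptions) over a small constructed rule subset; the rule entries are illustrative, the real list lives at https://publicsuffix.org/list/.

```python
"""Registrable-domain extraction with Public Suffix List (PSL) rules.

Added example. A blacklist keyed on the registrable domain catches
"example.co.il" whether the observed host was www.example.co.il or
mail.example.co.il, while refusing to blacklist "co.il" as a whole.
"""

# Constructed subset of PSL rules for this example (hypothetical entries).
PSL_RULES = """
// ICANN section (constructed subset)
com
org
il
co.il
org.il
ac.il
ck
*.ck
!www.ck
uk
co.uk
"""


def parse_rules(text):
    """Lower-cased set of rules, ignoring blank lines and // comments."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.add(line.lower())
    return rules


def public_suffix(domain, rules):
    """PSL algorithm: an exception rule wins outright, otherwise the
    longest matching normal or wildcard rule; with no match the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    best = None  # number of labels in the best matching rule so far
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        # exception rule: the suffix is the rule minus its leftmost label
        if "!" + candidate in rules:
            return ".".join(labels[i + 1:])
        wildcard = ".".join(["*"] + labels[i + 1:]) if i + 1 < len(labels) else None
        if candidate in rules or (wildcard and wildcard in rules):
            n = len(labels) - i
            if best is None or n > best:
                best = n
    if best is None:
        best = 1  # PSL default rule "*": treat the TLD as the suffix
    return ".".join(labels[-best:])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None when the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(domain, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def blacklist_keys(entries, rules):
    """Map observed hosts to blacklist keys; hosts that are bare public
    suffixes are returned separately so they are never blacklisted whole."""
    keys, rejected = set(), []
    for host in entries:
        key = registrable_domain(host, rules)
        (rejected.append(host) if key is None else keys.add(key))
    return keys, rejected


RULES = parse_rules(PSL_RULES)

if __name__ == "__main__":
    sample = ["mail.example.co.il", "www.example.co.il", "co.il",
              "foo.bar.ck", "www.ck", "x.www.ck", "nomatch.zz"]
    print(blacklist_keys(sample, RULES))
```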
Re: cache does truly in local and doesn't work in remote
At 11:29 02-09-2012, Mohsen Pahlevanzadeh wrote:
> The second nmap is from my machine, not the server. Then I run telnet from my machine and then I get:
> root@debian:/home/mohsen# telnet 184.22.226.205:53
> telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known

dig example.com @184.22.226.205 gives the following:

;; QUESTION SECTION:
;example.com. IN A

;; Query time: 13 msec
;; SERVER: 184.22.226.205#53(184.22.226.205)
;; MSG SIZE rcvd: 29

The nameserver is listening on 184.22.226.205 for DNS queries and it is responding. In a previous message, you did the following:

root@debian:/home/mohsen# dig yahoo.com @184.22.226.206

Verify the IP address you should be using for DNS.

Regards,
-sm
Re: Question about connections to BIND and tcp 443
At 07:38 22-08-2012, Moore, Mark A. wrote:
> from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.

No.

Regards,
-sm
Re: dns_query_createvia: failed address not available
Hi Merton,

At 16:02 19-08-2012, Merton Campbell Crockett wrote:
> Hopefully someone on this list can identify what is triggering the dns_query_createvia error. I haven't encountered this particular error in the last 25 years of mucking with named. The error results in named failing to load slave zones when it is first loaded if the zone files are not present. When the slave zone files are present, they are loaded but zone transfers are not performed to refresh the zone data. The following named.log excerpt was created by using an "rndc refresh ad.gd-ais.com" command to force a refresh of the zone data.
>
> 19-Aug-2012 18:28:48.575 general: info: received control channel command 'refresh ad.gd-ais.com'
> 19-Aug-2012 18:28:48.575 general: debug 1: queue_soa_query: zone AD.GD-AIS.COM/IN: enter
> 19-Aug-2012 18:28:48.575 general: debug 1: soa_query: zone AD.GD-AIS.COM/IN: enter
> 19-Aug-2012 18:28:48.575 general: debug 3: dns_request_createvia
> 19-Aug-2012 18:28:48.575 general: debug 3: req_destroy: request 0x3b7e18
> 19-Aug-2012 18:28:48.575 general: debug 3: dns_request_createvia: failed address not available

Is an IP address specified for pulling the zone in the configuration file? Is the IP address bound to one of the available interfaces?

Regards,
-sm
Re: Weird stuff with one host... :-S
At 06:31 16-07-2012, Michelle Konzack wrote:
> Can views be configured by Host/IP?

A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause. See the example at http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2590162

Regards,
-sm
Re: Operation Cancelled Error
Hi Ben,

At 16:49 11-07-2012, Ben wrote:
> I am doing load testing on our local caching DNS. But while doing it, I added Google DNS and some other DNS IPs as forwarders to test QPS.

It seems to me that it is not a good idea to do load testing on some third-party server.

> I am confused about whether those errors are due to bind misconfiguration or something else?

An error condition can trigger such an error. It isn't related to the BIND configuration file.

> If someone shares their experience with it, what is the maximum QPS handled by bind? That is good to understand more.

There is a long thread at https://lists.isc.org/pipermail/bind-users/2011-June/084405.html The question might be what is the maximum QPS handled on hardware similar to the one you used for the test.

Regards,
-sm
Re: Operation Cancelled Error
Hi Ben,

At 05:37 11-07-2012, Ben wrote:
> Actually, I am doing load testing with my CACHING DNS SERVER, and for that I set up one client machine which sent queries to the CACHING DNS SERVER, and while doing this, I got the below given errors in the log. So does it point to any network problem or any fine tuning / configuration required for bind? I am using Google public DNS IPs as forwarders in named.conf

Are you doing load testing on Google's DNS server?

Regards,
-sm
Re: VMware Bind
Hi John,

At 09:58 05-06-2012, Manson, John wrote:
> Will bind run on VMware?

Yes, if the guest operating system supports it.

Regards,
-sm
Re: Clarification on wildcard falls into glue records
At 07:08 15-05-2012, Alexander Gurvitz wrote:
> From Wikipedia: To quote RFC 1912, "A common mistake is thinking that a wildcard

Using Wikipedia to quote RFC 1912 is odd ...

Regards,
-sm
Re: query issue
At 08:45 29-03-2012, Anand Buddhdev wrote:
> I also note that kingstonmass.org has delegation to 2 name servers in the ORG zone, but 3 name servers at its apex. The additional name server, mns01.domaincontrol.com, gives a REFUSED response to a query for the domain.

From mns01.domaincontrol.com:

;; ANSWER SECTION:
kingstonmass.org. 3600 IN NS mns02.domaincontrol.com.
kingstonmass.org. 3600 IN NS mns01.domaincontrol.com.

ns1.gis.net and ns2.gis.net return a different answer.

Regards,
-sm
Re: DLZ provider other than a database?
At 17:53 20-12-2011, Doug Barton wrote:
> I've been given an interesting challenge that I doubt I'm the first one to face, so I thought I'd ask. :) I have an internal project for which I have a large'ish number of hostnames that I want to return a fairly standard set of RRs for, but (for a variety of reasons) I'd rather not create any sort of static data set for (e.g., zone file, actual db entries, etc.).

https://github.com/jpmens/dlz_lua

Regards,
-sm
Re: Suspicious DNS queries dropped by Firewall
At 03:51 14-12-2011, babu dheen wrote:
> In this case, do you think that internal users are trying to send emails directly to the Internet? No. Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by the Email Gateway of my company... How does an internal client make a DKIM query which uses the TXT record in DNS?

The internal client (MUA) does not make such queries.

> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when querying such a URL using a UDP query?

See http://netalyzr.icsi.berkeley.edu/

Regards,
-sm
Re: Suspicious DNS queries dropped by Firewall
At 04:46 13-12-2011, babu dheen wrote:
> In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway DNS

TXT records used for DKIM, for example.

Regards,
-sm
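To make the "TXT records used for DKIM" answer concrete, here is an added example (not code from the thread) that builds a minimal RFC 1035 wire-format reply for a TXT query, measures it, and shows what a server has to do over UDP when the client has not advertised an EDNS0 buffer: set TC=1 and drop the answer so the client retries over TCP. The selector name and the key material are constructed placeholders, not a real DKIM key.

```python
"""Why a DNS reply can exceed 512 bytes: a DKIM TXT record on the wire.

Added example. Builds a one-question TXT response by hand (no DNS
library), then applies the classic 512-byte UDP limit or an EDNS0
buffer size to decide whether the reply is sent whole or truncated.
"""
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
CLASSIC_UDP_LIMIT = 512   # RFC 1035 limit without EDNS0


def encode_name(name):
    """Uncompressed wire form: <len><label>... terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def encode_txt_rdata(text):
    """TXT RDATA is one or more <character-string>s of at most 255 bytes
    each, so a long DKIM public key is split into several strings."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def build_txt_response(qname, txt_values, ttl=3600, txn_id=0x1234):
    """Response with QR=1, RD=1, RA=1 and one TXT RR per value. Each RR
    owner name is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(txt_values), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    answers = b""
    for value in txt_values:
        rdata = encode_txt_rdata(value)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN,
                                             ttl, len(rdata)) + rdata
    return header + question + answers


def question_end(msg):
    """Offset just past the question section of a one-question message."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4


def udp_reply(msg, edns_bufsize=None):
    """Return (bytes_to_send, truncated). Without EDNS0 the limit is 512
    bytes; with EDNS0 it is the buffer size the client advertised."""
    limit = CLASSIC_UDP_LIMIT if edns_bufsize is None else edns_bufsize
    if len(msg) <= limit:
        return msg, False
    txn_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    flags |= 0x0200                      # TC bit: client must retry over TCP
    header = struct.pack("!HHHHHH", txn_id, flags, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)], True


def dkim_record(key_b64):
    """Constructed DKIM TXT value; key_b64 is a placeholder, not a real key."""
    return "v=DKIM1; k=rsa; p=" + key_b64


def reply_stats(qname, txt_value, edns_bufsize=None):
    """(full_size, truncated, bytes_sent) for a single TXT answer."""
    msg = build_txt_response(qname, [txt_value])
    sent, tc = udp_reply(msg, edns_bufsize)
    return len(msg), tc, len(sent)


if __name__ == "__main__":
    name = "selector._domainkey.example.com"
    for bits, b64len in ((1024, 216), (4096, 736)):   # typical base64 key lengths
        size, tc, sent = reply_stats(name, dkim_record("A" * b64len))
        print(f"{bits}-bit-like key: reply {size} bytes, truncated over "
              f"plain UDP: {tc}, sent {sent} bytes")
```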
Re: NXDOMAIN redirection in BIND 9.9
At 14:52 29-09-2011, Michael Graff wrote:
> We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusively -- than BIND 9.9 will.

http://queue.acm.org/detail.cfm?id=1647302

Regards,
-sm
Re: Weird IPv6 issue?
At 11:01 11-09-2011, Sten Carlsen wrote:
> If I do: dig d6.s-carlsen.dk (d6 is the host in question, it has one IPv6 address, nothing else), I get no answer, but it gives me the SOA. This is the case even if looking from the server itself. The following is from my normal workstation.
>
> silver4:~ carlsen$ dig d6.s-carlsen.dk
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> d6.s-carlsen.dk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45921
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;d6.s-carlsen.dk. IN A
>
> ;; AUTHORITY SECTION:
> s-carlsen.dk. 86400 IN SOA ns2.s-carlsen.dk. hostmaster.s-carlsen.dk. 2010123191 10800 900 604800 86400

If the type argument is not supplied, dig will perform a lookup for an A record.

dig d6.s-carlsen.dk AAAA

Regards,
-sm
Re: Bug in Bind 9.8 or am I doing something wrong?
Hi Jaap,

At 15:42 06-09-2011, Jaap Akkerhuis wrote:
> Makes me wonder who reserved .local and specifically earmarked it to be used for mDNS. IANA http://www.iana.org/domains/root/db/ doesn't seem to know about this. Can you give some references?

See draft-cheshire-dnsext-multicastdns-14 which you may have read. :-) There is also a proposal for a Special-Use Domain Name (draft-cheshire-dnsext-special-names-01).

Regards,
-sm
Re: [UNsolved] was: what does dig +trace do?
Hi Tom,

At 23:42 01-09-2011, Tom Schmitt wrote:
> But seriously: I don't see in the RFC that it is forbidden to have a hostname directly in the root-zone (without an internal dot).

From RFC 921:

   The names are being changed from simple names, or globally unique strings, to structured names, where each component name is unique only with respect to the superior component name. Because of the growth of the Internet, structured names (or domain style names) have been introduced. Each element of the structured name will be a character string (with the same constraints that previously applied to the simple names). The elements (or components) of the structured names are separated with periods, and the elements are written from the most specific on the left to the most general on the right.

The above discusses hierarchical names. It is about how the system was designed to work and not about what is forbidden. The syntax of a legal Internet host name was specified in RFC-952, updated by RFC 1123.

Regards,
-sm
Re: about AUTHORITY SECTION
At 00:04 08-07-2011, Chris Buxton wrote:
> As for Kevin's assertion that the SOA record in the authority section is required for a negative response, this is also incorrect. RFC 2308 is a proposed standard, not a standard. Further, section 8 of this RFC does not say explicitly that an SOA must be

RFC 2308 replaces Section 4.3.4 of RFC 1034. Irrespective of whether it is only at Proposed Standard, it is implemented by BIND 9.

Regards,
-sm
Re: Bug in bind 9.7.3?
Hi Frank,

At 11:33 26-05-2011, Frank Kloeker wrote:
> I'm using bind 9.7.3 as a resolver in a slightly larger server farm with some mail servers that use domain key validation. If I try
> # host -t TXT _adsp._domainkey.federalreserve.gov

This occurs with BIND 9.8.0:

buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed, back trace
#0 0x1c012a92 in assertion_failed()+0x42
#1 0x1c186957 in isc_assertion_failed()+0x27
#2 0x1c187e6d in isc__buffer_putuint8()+0x7d
#3 0x1c09f3e5 in dns_ncache_addoptout()+0x2e5
#4 0x1c10fce9 in ncache_adderesult()+0x69
#5 0x1c1102e5 in validated()+0x3a5
#6 0x1c1a2af0 in isc__taskmgr_dispatch()+0x1c0
#7 0x1c1a5f23 in evloop()+0x73
#8 0x1c1a619a in isc__app_ctxrun()+0x13a
#9 0x1c1a6242 in isc__app_run()+0x12
#10 0x1c013add in main()+0xbbd
#11 0x1c003917 in ___start()+0x77
#12 0x1c003897 in __start()+0x17
#13 0xcfbde8bc in __fini()+0xb3a2874c
exiting (due to assertion failure)

Regards,
-sm
Re: continuous DNS query to ROOT DNS server
At 11:33 25-04-2011, babu dheen wrote:
> Dears, I have a DHCP server running in a Windows operating system (Windows 2003); I have configured a forwarder towards the gateway DNS server (running in Red Hat). When I check the firewall hits for the DHCP server I can see my DHCP server is sending too many DNS queries towards ROOT DNS servers (192.175.48.1, 192.175.48.6, 192.175.48.42 and etc.)

See http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help

Regards,
-sm
Re: Deny MX queries for dynamic IP pools
At 05:25 31-01-10, Wael Shaheen wrote:
> As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much.

Mail submission is done over port 587 and not port 25.

> Luckily we have two sets of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users; that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or querying MX records for targets they want to send spam to.

That can be bypassed as you explained below.

> Of course there will still be some challenges like if some spammers know the A record of the mail server they want to connect to or if they used the IP address of the targeted mail server, also if they used open DNS that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily.

The idea is another variation of the walled garden. You could look into doing traffic flow analysis and using feedback reports to identify the source of the abuse.

Regards,
-sm
Re: CNAME for MX Record?
At 09:35 19-08-2009, Bradley Caricofe wrote:
> I have the following issue. A customer hosts a domain with me, facplus.com. Her primary email account is on that domain, we'll call it h...@facplus.com. She has also registered another name through Dotster, meetingtoolsandjewels.com. Dotster provides her with URL redirection and email forwarding for that domain. She has set up an email address, we'll call it h...@meetingtoolsandjewels.com, which should forward to h...@facplus.com. We've been having a problem where not all senders are being received when mail is sent to the h...@meetingtoolsandjewels.com account. I've sent her test emails from gmail, yahoo and my own server (sendmail) and all were received. When I send emails from systems using exchange, I eventually get a bounce that the message has been delayed...it's never received.

;; QUESTION SECTION:
;meetingtoolsandjewels.com. IN MX

;; ANSWER SECTION:
meetingtoolsandjewels.com. 1800 IN MX 0 m1.dnsix.com.
meetingtoolsandjewels.com. 3600 IN CNAME meetingsmaven.typepad.com.

Regards,
-sm
Re: dig printout doesn't appear to match reality
At 08:53 16-05-2009, Frank Bulk wrote:
> It appears that dig is printing results that it attributes to the wrong server. While troubleshooting an inconsistent NS issue (upstream from us), a trace
> [snip]
> sioux-center.k12.ia.us. 28800 IN NS ns1.netins.net.
> sioux-center.k12.ia.us. 28800 IN NS dns.mtcnet.net.

This is unrelated to your original question. dns.mtcnet.net does not resolve.

Regards,
-sm
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
At 22:11 24-01-2009, Al Stu wrote:
> Some people seem to think RFC 974 creates a standard which prohibits the use of CNAME/alias in MX records. But very much to the contrary RFC 974 demonstrates that CNAME/alias is permitted in MX records.

RFC 974 is obsoleted by RFC 2821; the latter is obsoleted by RFC 5321. Quoting Section 5 of that RFC:

   When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name. That domain name, when queried, MUST return at least one address record (e.g., A or AAAA RR) that gives the IP address of the SMTP server to which the message should be directed. Any other response, specifically including a value that will return a CNAME record when queried, lies outside the scope of this Standard. The prohibition on labels in the data that resolve to CNAMEs is discussed in more detail in RFC 2181, Section 10.3.

> ISC's message that a CNAME/alias in an MX record is illegal is incorrect and just an attempt by ISC to get people to go along with what is only a perceived rather than actual standard/requirement, and should be removed so as not to further the fallacy of this perceived perception of a standard/requirement, as it is neither a standard nor a requirement, and certainly not illegal.

Pointing to a CNAME on the right-hand side of an MX record is incorrect and may affect mail delivery. This is not about perceived perception of a requirement (see the "MUST return at least one address record" in the quoted text).

Regards,
-sm
Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal
At 00:44 25-01-2009, Al Stu wrote:
> > When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name. That domain name, when queried, MUST return at least one address record (e.g., A or AAAA RR) that gives the IP address of the SMTP server to which the message should be directed.
>
> Correct. And when that domain name is a CNAME pointing to an A RR the query returns not only the alias but also the real name and the IP address from the A RR. Thus meeting the requirement to return at least one address record (e.g., A or AAAA RR). But yet ISC seems to find it necessary to throw a message that it is illegal, when it clearly is not.

That's a liberal interpretation of the specifications and it's the opposite of the intent of the quoted paragraph. Implementors are expected to query for an address record only. Any other behavior such as the one described in your second paragraph is undefined. Further reading of that section elaborates on what to do if a CNAME is returned and there is a reference to RFC 2181 for a discussion of the prohibition of CNAMEs on the right-hand side. RFC 974 specifies the algorithm to build the list of RRs and discusses possible issues. It's the same algorithm in RFC 2821 and RFC 5321. The confusion about CNAMEs in MX records stems from the interpretation of the text about how CNAMEs on the left-hand side are handled and that was clarified in the latest revision of the specifications.

Regards,
-sm
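The two MX/CNAME problems in these threads (the meetingtoolsandjewels.com answer that carries an MX and a CNAME at the same owner name, and an MX exchange that is itself a CNAME) are both mechanically checkable. The following is an added example, not code from the list or from ISC: it parses dig-style RR lines from a constructed record set and flags CNAME-with-other-data owners (RFC 2181 section 10.1) and MX exchanges that are CNAMEs or have no A/AAAA record (RFC 5321 section 5.1, RFC 2181 section 10.3).

```python
"""Audit MX and CNAME records for the two RFC violations discussed above.

Added example. Input is dig presentation format (owner TTL class type
rdata); the record set is constructed for the example, not live data.
"""
from collections import defaultdict

# Constructed records: the first two lines mirror the shape of the
# meetingtoolsandjewels.com answer; the rest are RFC 2606 example names.
SAMPLE_RRS = """
meetingtoolsandjewels.com.  1800 IN MX    0 m1.dnsix.com.
meetingtoolsandjewels.com.  3600 IN CNAME meetingsmaven.typepad.com.
m1.dnsix.com.               3600 IN A     192.0.2.10
example.net.                3600 IN MX    10 mail.example.net.
mail.example.net.           3600 IN CNAME mx.example.net.
mx.example.net.             3600 IN A     192.0.2.20
example.org.                3600 IN MX    10 mx1.example.org.
example.org.                3600 IN MX    20 mx2.example.org.
mx1.example.org.            3600 IN A     192.0.2.30
mx1.example.org.            3600 IN AAAA  2001:db8::30
"""


def parse_rrs(text):
    """Return {owner: {type: [rdata, ...]}} from dig-style lines."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop dig comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        zone[owner.lower()][rtype.upper()].append(rdata.strip())
    return zone


def check_cname_and_other_data(zone):
    """RFC 2181 10.1: an owner with a CNAME may carry no other RR types.
    Such a name cannot reliably serve MX (or any other) data."""
    return sorted(owner for owner, rrs in zone.items()
                  if "CNAME" in rrs and len(rrs) > 1)


def check_mx_targets(zone):
    """RFC 5321 5.1: each MX exchange must itself have A/AAAA data.
    Returns {(owner, exchange): problem description}."""
    problems = {}
    for owner, rrs in zone.items():
        for mx in rrs.get("MX", []):
            _preference, exchange = mx.split(None, 1)
            target = zone.get(exchange.lower(), {})
            if "CNAME" in target:
                problems[(owner, exchange)] = "exchange is a CNAME"
            elif not ("A" in target or "AAAA" in target):
                problems[(owner, exchange)] = "exchange has no address record"
    return problems


def audit(text):
    """Run both checks over dig-style text; (cname_owners, mx_problems)."""
    zone = parse_rrs(text)
    return check_cname_and_other_data(zone), check_mx_targets(zone)


if __name__ == "__main__":
    cname_owners, mx_problems = audit(SAMPLE_RRS)
    for owner in cname_owners:
        print(f"{owner}: CNAME coexists with other data (RFC 2181 10.1)")
    for (owner, exchange), why in sorted(mx_problems.items()):
        print(f"{owner}: MX {exchange}: {why}")
```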