DNS and MX

Kevin Darcy kcd at daimlerchrysler.com
Thu May 11 22:55:02 UTC 2006


ctclibby wrote:

>Hi All
>
>I have asked a question in a moderated list (
>MIMEDefang at lists.roaringpenguin.com ) and have quite the discussion
>going on.  So I now turn to you for wisdom and answers.  I have added
>more information below.  Here is my question as posted:
>---
>Hi all
>
>Please tell me that I am NOT weird?
>
>Recently I updated DNS for a few domains.  My registrar gives the
>option of assigning an IP addy for domain.tld without having an alias:
>mail.domain.tld  Ok, says I, let's give it a go.  Bam!  Slam, Spam
>started invading my privacy.  This leads me to believe either:
>   1. Mail ( spam ) in this case is being sent to domain names without
>doing MX lookups.
>   2. I screwed something up.
>
>So I went in and unassigned that IP from domain.tld and that Spam
>stopped.
>
>Will look into this further to make sure that I have the domain setup
>proper.
>
>todh
>---
>
>Enom is the Registrar and I have multiple domains behind a firewall (
>apache and sendmail ) of which the firewall forwards to an internal
>machine.  Everything works as it is supposed to: www gets web,
>smtp,pop3 and imap gets sendmail/dovecot.
>
>I have always assumed that a domain.tld is a container for hosts; i.e.
>mail.domain.tld, www.domain.tld, router.domain.tld.  Looks like some of
>the folks believe that having an A record should be done so that
>surfers that don't know don't have to put in the www part to get to
>some.domain.tld.  Ya, Ya, thank the marketing bigbrass for that one.
>
>So here is the big question:  Should domain.tld have an Address record
>associated with it?  What is kosher?
>
There's nothing wrong with having an address record or more than one, at 
the zone apex. It's really a matter of personal preference. The presence 
of zone-apex A records will, however, attract some email traffic, 
especially if you have no MX records at the apex, or, to a lesser 
degree, as you have found, even if you do, from horribly broken mail 
software or from spammers who surmise that the mail servers responding 
to the apex records represent additional opportunities, beyond those in 
the MX records, to get their crap past filters and other kinds of blocks.

One thing to be aware of, however, is that a CNAME record cannot be at 
the zone apex. If one's regular conventions call for the use of CNAMEs, 
therefore, zone apexes will need to be exceptions to those conventions, 
and that can complicate things. I can't even count the number of times 
I've had to explain to our internal customers (e.g. marketing folks) 
about CNAMEs being forbidden at the zone apex, and no, this is a basic 
rule of *DNS*, not something I just cooked up on my own to make their 
lives miserable.

                                                                         
                                    - Kevin
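
The two points in the reply above (apex address records drawing mail, and CNAMEs being forbidden at the apex) can be checked against a zone's record list. The following is an added example, not part of the original post; the audit_apex function, the record tuples and the 192.0.2.x addresses are hypothetical and constructed for illustration.

```python
# Constructed sample records (name, type, rdata). domain.tld and the
# 192.0.2.x addresses are placeholders, not data from the thread.
SAMPLE_ZONE = [
    ("domain.tld.", "SOA", "ns1.domain.tld. hostmaster.domain.tld. 1 3600 900 604800 300"),
    ("domain.tld.", "NS", "ns1.domain.tld."),
    ("domain.tld.", "MX", "10 mail.domain.tld."),
    ("domain.tld.", "A", "192.0.2.10"),
    ("mail.domain.tld.", "A", "192.0.2.25"),
    ("www.domain.tld.", "CNAME", "domain.tld."),
]


def audit_apex(records, apex):
    """Return (mail_targets, findings) for the zone apex.

    mail_targets is where a standards-following sender delivers mail for
    the apex name; findings lists apex records that need attention.
    """
    at_apex = [(t, r) for n, t, r in records if n.lower() == apex.lower()]
    types = {t for t, _ in at_apex}
    addrs = [r for t, r in at_apex if t in ("A", "AAAA")]
    # MX rdata is "<preference> <exchange>"; lowest preference is tried first.
    mx = sorted((int(r.split()[0]), r.split()[1]) for t, r in at_apex if t == "MX")
    findings = []
    if "CNAME" in types:
        # The apex always carries SOA and NS, and a CNAME cannot coexist
        # with other data at the same name.
        findings.append("CNAME at zone apex: not allowed alongside SOA/NS")
    if mx:
        targets = [host for _, host in mx]
        if addrs:
            findings.append("apex address present: senders that skip the MX "
                            "lookup will connect to " + ", ".join(addrs))
    elif addrs:
        # RFC 5321 section 5.1: with no MX, the name's own address is used.
        targets = [apex]
        findings.append("no MX at apex: apex address is the implicit mail target")
    else:
        targets = []
    return targets, findings


if __name__ == "__main__":
    targets, findings = audit_apex(SAMPLE_ZONE, "domain.tld.")
    print("mail targets:", targets)
    for finding in findings:
        print("finding:", finding)
```

If the apex address has to stay, the host behind it should either not accept SMTP or apply the same filtering as the hosts named in the MX records.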
