vjs at rhyolite.com
Thu Jun 6 18:26:22 UTC 2013
> From: Tony Finch <dot at dotat.at>
> Sendmail at one time tried to use ANY for combined MX+A lookups, which
> doesn't work.
That would be true and relevant if sendmail did that. Requesting ANY,
not getting all of the MX, A, and/or AAAA records needed, and failing
to continue making other DNS requests simply does not work. If sendmail
did that, then given what BIND has done for eons, that bug would have
been noticed immediately eons ago.
Tony Finch pointed out privately that it wasn't until sendmail 8.12
that sendmail stopped asking for ANY records. I found that
sendmail/domain.c in 8.11.6 started by requesting ANY. However it
continued requesting AAAA, A, and/or MX and parsing ANSWER sections
until it got the records needed. It did not stop with the ANY response
unless the ANY response was dispositive (e.g. contained all types or
NXDOMAIN). My superficial code reading says it ignored ADDITIONAL
sections and so ignored potentially interesting A or AAAA RRs in
ADDITIONAL sections. My quick side-by-side comparison of the old
8.11.6 and current 8.14.7 domain.c says that the relevant difference
is that 8.14.7 starts with A or AAAA and never tries ANY.
However, that is about dns_getcanonname(). getmxrr() in both 8.11.6
and 8.14 starts and ends with MX and never messes with ANY.
There is nothing broken in that ANY scheme. It might or might not reduce
average DNS traffic for sending mail. I'd vote against it today for
various reasons, but that doesn't make it wrong.
There is an interesting comment in the 8.11.6 version of domain.c:
** The ANY query is really meant to prime
** the cache so this isn't dangerous.
If your SMTP client is very close to your recursive resolvers (typical
10 or 20 years ago), then making an ANY request that you ignore could
reduce your external DNS traffic by priming (not refreshing) the
resolver's cache. I don't know that getmxrr() in sendmail is not
called before dns_getcanonname(), which would prevent the cache priming
by an ANY request.
About chasing CNAMEs safely or otherwise, please recall the somewhat
controversial DontExpandCnames. The current cf/README says:
[False] If set, $[ ... $] lookups that
do DNS based lookups do not expand
CNAME records. This currently violates
the published standards, but the IETF
seems to be moving toward legalizing
this. For example, if "FTP.Foo.ORG"
is a CNAME for "Cruft.Foo.ORG", then
with this option set a lookup of
"FTP" will return "FTP.Foo.ORG"; if
clear it returns "Cruft.FOO.ORG". N.B.
you may not see any effect until your
downstream neighbors stop doing CNAME
lookups as well.
Vernon Schryver vjs at rhyolite.com
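A small simulation of the two client strategies discussed above, as an added example that is not part of the original message or of sendmail itself. It assumes a caching resolver that answers ANY only from what it already holds in cache (the example's stand-in for the long-standing BIND behaviour) and uses constructed zone data; `lookup_persistent` keeps asking per-type until the answer is dispositive, as the 8.11.6 code is described as doing, while `lookup_trust_any` stops at the ANY answer.

```python
from collections import defaultdict

# Constructed mock zone for the example (documentation names, not real hosts).
ZONE = {"mail.example.test.": {"MX": ["10 mx1.example.test."],
                               "A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}}
NEEDED = ("MX", "A", "AAAA")  # the types the MTA ultimately needs


class MockResolver:
    """Per-type queries go to the zone; ANY is answered from the cache alone."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = defaultdict(dict)  # name -> {rrtype: [rdata, ...]}
        self.queries = 0

    def query(self, name, qtype):
        self.queries += 1
        if name not in self.zone:
            return None  # NXDOMAIN
        if qtype == "ANY":
            if not self.cache[name]:  # cold cache: fetch every type once
                self.cache[name] = {t: list(v) for t, v in self.zone[name].items()}
            return dict(self.cache[name])  # warm cache: only what is cached
        rrs = list(self.zone[name].get(qtype, []))
        self.cache[name][qtype] = rrs
        return {qtype: rrs}


def lookup_trust_any(resolver, name):
    """Ask ANY once and treat the answer as complete."""
    return resolver.query(name, "ANY")


def lookup_persistent(resolver, name):
    """Ask ANY, then per-type until the answer is dispositive (8.11.6 style)."""
    found = resolver.query(name, "ANY")
    if found is None:  # NXDOMAIN is dispositive
        return None
    for qtype in NEEDED:
        if qtype not in found:
            found.update(resolver.query(name, qtype))
    return found


def demo(name="mail.example.test."):
    """Warm the cache with A only, then compare the two client strategies."""
    resolver = MockResolver(ZONE)
    resolver.query(name, "A")
    naive = lookup_trust_any(resolver, name)
    resolver.queries = 0
    full = lookup_persistent(resolver, name)
    return naive, full, resolver.queries
```

With only A warmed in the cache, the trusting client sees no MX at all, while the persistent client spends two extra queries and gets every type it needs.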