BIND8's useless messages

Gregory Neil Shapiro gshapiro at sendmail.org
Wed Jul 19 00:16:13 UTC 2000


andris> 3. Sendmail initially issues a query of record-type ANY which
andris> causes the retrieval of the bad SOA RR.  Sendmail notices
andris> the rejected query and (re-)queues the message.  Delivery
andris> ultimately fails if the remote site's DNS is not fixed
andris> before the queue timeout interval is reached.

First, and foremost, sendmail *only* uses T_ANY for canonification
(dns_getcanonname()), *not* for delivery (MX retrieval) (getmxrr()).
However, even the above scenario doesn't break canonification:

		ret = res_querydomain(host, *dp, C_IN, qtype,
				      answer.qb2, sizeof(answer.qb2));

If it is rejected, ret < 0...

		if (ret <= 0)
		{
...
			if (errno == ECONNREFUSED || h_errno == TRY_AGAIN)
			{
...
			}
			if (h_errno != HOST_NOT_FOUND)
			{
				/* might have another type of interest */
				if (qtype == T_ANY)
				{
# if NETINET6
					qtype = T_AAAA;
# else /* NETINET6 */
					qtype = T_A;
# endif /* NETINET6 */
					continue;
				}
...

As you can see, unless the h_errno is HOST_NOT_FOUND (which it will not be
in your scenario), we do indeed try individual AAAA, A, and MX lookups.

andris> I haven't tested this, but sendmail's insistence on using the
andris> ANY query is alleged to also make it vulnerable to ignoring MX 
andris> RRs under the following scenario:

andris> @         8H IN A    1.2.3.4
andris>           4H IN MX   5  mailhost
andris> mailhost  8H IN A    1.2.3.9

andris> If the A RRs are still cached after the MX RR has expired,
andris> sendmail will (allegedly) attempt delivery to 1.2.3.4 instead
andris> of 1.2.3.9.

Again, when we go to deliver, we do not do a T_ANY lookup.  Look at getmxrr()
and you will see all is well.

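The query-type fallback described in the message above, modelled as an added example that is not part of the original post and is not sendmail's code. The resolver is a mock, all names (`mock_server`, `mock_query`, `canon_fallback`, the `Q_*`/`H_*` constants) are hypothetical, the AAAA, A, MX order after ANY is assumed with NETINET6 defined, and the elided ECONNREFUSED/TRY_AGAIN branch is not modelled.

```c
#include <stdio.h>

/* Constructed stand-ins, not the real <arpa/nameser.h> / <netdb.h> values. */
enum qtype { Q_ANY, Q_AAAA, Q_A, Q_MX };
enum herr  { H_OK, H_HOST_NOT_FOUND, H_NO_DATA, H_NO_RECOVERY };

struct mock_server {
    unsigned  ok_mask;   /* bit (1u << qtype) set: that type gets an answer */
    enum herr fail_err;  /* error reported for every other query type */
};

static enum herr mock_herr;  /* plays the role of h_errno */

/* Hypothetical resolver: > 0 on an answer, -1 with mock_herr set otherwise. */
static int mock_query(const struct mock_server *s, enum qtype q)
{
    if (s->ok_mask & (1u << q)) { mock_herr = H_OK; return 1; }
    mock_herr = s->fail_err;
    return -1;
}

/* Returns the query type that was answered, or -1 if the lookup gave up.
 * Order after Q_ANY (AAAA, A, MX) is assumed, with NETINET6 defined. */
int canon_fallback(const struct mock_server *s, int *nqueries)
{
    enum qtype q = Q_ANY;

    for (*nqueries = 1; ; (*nqueries)++) {
        if (mock_query(s, q) > 0)
            return (int)q;
        if (mock_herr == H_HOST_NOT_FOUND)
            return -1;              /* name does not exist: no retry */
        if (q == Q_MX)
            return -1;              /* every type has been tried */
        q = (enum qtype)(q + 1);    /* ANY -> AAAA -> A -> MX */
    }
}

int main(void)
{
    /* Constructed case: server rejects ANY but answers specific types. */
    struct mock_server rejects_any = { (1u << Q_AAAA) | (1u << Q_A) | (1u << Q_MX), H_NO_RECOVERY };
    int n;
    int got = canon_fallback(&rejects_any, &n);

    printf("answered by type %d after %d queries\n", got, n);
    return 0;
}
```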