[Outages-discussion] [outages] CableOne DNS issue?
Jeremy Chadwick
jdc at koitsu.org
Sat Mar 25 11:37:19 EDT 2017
There is a very long discussion about this particular paragraph and its
wording over on the ietf.org ietf-smtp mailing list circa August
2016[1]. It's badly written, compounded by tremendous history going
back to RFCs 1034, 1035, 1123, and 2181. It's also been hashed out (at
even more length) on the bind-users mailing list circa January 2009[2].
Domain names are also a bit unique[3], which I'll cover last.
I'll try to outline it as best as I remember (I prefer to stick to mail
infrastructures and DNS that does not require this type of memory,
i.e. have MX records that point to FQDNs with A/AAAA and be done with
it. I've always been a "stay away from CNAMEs" person). Assume in the
below case Email is being sent to user at foo.domain.com.
If the host has an MX record, and that MX record points to an FQDN that
is a CNAME, then this is bad (violates RFCs). Example of this erroneous
setup (it doesn't matter what some.other.place resolves to):
foo.domain.com. IN MX 10 dnsishard.domain.com.
dnsishard.domain.com. IN CNAME some.other.place.
If the host lacks an MX record, but has an A/AAAA, then the MTA
client will connect to the A/AAAA. Example of this setup:
foo.domain.com. IN A 1.2.3.4
If the host has no MX or A/AAAA record, but instead has a
CNAME, then the MTA will "start over from the beginning" with whatever
the CNAME is. This is what the "If a CNAME record is found, the
resulting name is processed as if it were the initial name" sentence
refers to. Example of this setup:
foo.domain.com. IN CNAME blah.com.
blah.com. IN MX 10 mail01.blah.com.
mail01.blah.com. IN A 1.2.3.4
Finally: if a domain name is to receive Email, the domain name itself
cannot consist solely of a CNAME; it must have an MX or A/AAAA (I
believe this is in RFC 1034 and 2181). You can find lots on Google
about this at least. Example of this erroneous setup is below; assume
Email is being sent to the address user at domain.com:
domain.com. IN CNAME blah.com.
I hope this covers it. My brain is telling me I'm missing an edge case,
but if so, I hope others will chime in and correct it. I'd just rather
not see a repeat of past discussions. :-)
[1]: https://www.ietf.org/mail-archive/web/ietf-smtp/current/msg08572.html
[2]: https://lists.isc.org/pipermail/bind-users/2009-January/thread.html#74944
[3]: http://cr.yp.to/im/cname.html
--
| Jeremy Chadwick jdc at koitsu.org |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |
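The lookup order described above, as an added example (not part of the original post or any MTA's code): a toy resolver over a constructed in-memory zone that walks MX first, restarts on a CNAME, falls back to A/AAAA, and flags the two setups the post calls erroneous. The zone data, the names bar.domain.com. and alias.domain.com., and the status strings are assumptions made for the example; the apex case is modelled as CNAME coexisting with the SOA/NS data every apex carries.

```python
# Toy RFC 5321 section 5 mail-target lookup over a constructed zone.
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # name -> [(rrtype, rdata), ...]

# Constructed zone (not real DNS) covering the cases in the post.
ZONE: Zone = {
    "foo.domain.com.":       [("MX", "10 dnsishard.domain.com.")],
    "dnsishard.domain.com.": [("CNAME", "some.other.place.")],   # MX -> CNAME (bad)
    "some.other.place.":     [("A", "9.9.9.9")],
    "bar.domain.com.":       [("A", "1.2.3.4")],                 # no MX, A only
    "alias.domain.com.":     [("CNAME", "blah.com.")],           # CNAME restart
    "blah.com.":             [("MX", "10 mail01.blah.com.")],
    "mail01.blah.com.":      [("A", "1.2.3.4")],
    # Zone apex: SOA and NS always exist here, so a CNAME cannot coexist
    # with them (RFC 1034 3.6.2 / RFC 2181 10.1); this is the "solely a CNAME" case.
    "domain.com.":           [("SOA", "ns1.domain.com. hostmaster.domain.com. 1 1 1 1 1"),
                              ("NS", "ns1.domain.com."),
                              ("CNAME", "blah.com.")],
}

def rrs(zone: Zone, name: str, rrtype: str) -> List[str]:
    """All rdata of one type at a name (empty list if none)."""
    return [rd for t, rd in zone.get(name, []) if t == rrtype]

def mail_targets(zone: Zone, name: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Return (status, hosts) for delivering mail to a user at `name`."""
    seen = set()
    for _ in range(max_hops):
        if name not in zone:
            return ("NXDOMAIN", [])            # RFC 5321: MUST be reported as an error
        cnames = rrs(zone, name, "CNAME")
        if cnames:
            if len(zone[name]) > 1:            # CNAME alongside other data is invalid
                return ("INVALID_CNAME_WITH_DATA", [])
            if name in seen:
                return ("CNAME_LOOP", [])
            seen.add(name)
            name = cnames[0]                   # "processed as if it were the initial name"
            continue
        mxs = rrs(zone, name, "MX")
        if mxs:
            hosts = []
            for rd in sorted(mxs, key=lambda r: int(r.split()[0])):   # by preference
                host = rd.split()[1]
                if rrs(zone, host, "CNAME"):   # MX target must not be a CNAME
                    return ("MX_TARGET_IS_CNAME", [])
                if not (rrs(zone, host, "A") or rrs(zone, host, "AAAA")):
                    return ("MX_TARGET_NO_ADDRESS", [])
                hosts.append(host)
            return ("MX", hosts)
        if rrs(zone, name, "A") or rrs(zone, name, "AAAA"):
            return ("IMPLICIT_MX", [name])     # no MX: connect to the A/AAAA directly
        return ("NO_MAIL_RECORDS", [])
    return ("CNAME_LOOP", [])
```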
On Sat, Mar 25, 2017 at 01:59:31PM +0000, Greg Dickinson wrote:
> Are we certain that MX records aren't required? Per the RFC:
>
> " The lookup first attempts to locate an MX record associated with the
> name. If a CNAME record is found, the resulting name is processed as
> if it were the initial name. If a non-existent domain error is
> returned, this situation MUST be reported as an error."
>
> Greg Dickinson
> Network Engineer | Bryant Bank
>
> O: 205-917-2407 C: 205-234-6427
> www.bryantbank.com
>
>
>
> -----Original Message-----
> From: Outages-discussion [mailto:outages-discussion-bounces at outages.org] On Behalf Of Jeremy Chadwick
> Sent: Friday, March 24, 2017 11:50 PM
> To: frnkblk at iname.com
> Cc: outages-discussion at outages.org
> Subject: Re: [Outages-discussion] [outages] CableOne DNS issue?
>
> With regards to the first paragraph only: SMTP MTAs, per RFC 5321 Sec 5, should attempt to connect to the DNS A record of the recipient domain.
> In other words: an MX record isn't necessarily required for SMTP flow (it's always highly recommended, however).
>
> Of course, if the MX record would normally point to an FQDN which has a different A record than the domain itself, then that would certainly cause problems. Same goes for if the authoritative NSes aren't resolving the domain's A record at all (your second paragraph).
>
> --
> | Jeremy Chadwick jdc at koitsu.org |
> | UNIX Systems Administrator http://jdc.koitsu.org/ |
> | Making life hard for others since 1977. PGP 4BD6C0CB |
>
> On Fri, Mar 24, 2017 at 09:27:01PM -0500, frnkblk--- via Outages wrote:
> > Was just alerted that our outbound email queues have a few messages to
> > cableone.net queued up, because there's no MX record (even Google and
> > OpenDNS don't have an MX record cached).
> >
> > DNSInspect (http://www.dnsinspect.com/cableone.net/10059114) is
> > showing that their two nameservers aren't resolving their A record.
> >
> > DownDetector is reporting issues:
> > http://downdetector.com/status/cable-one
> >
> > There's also few posts on Twitter, too:
> >
> > https://twitter.com/lucky_boym/status/845441576973295616
> >
> > https://twitter.com/AnonySerb/status/845441954599092224
> >
> > And just now posted, from CableONE:
> >
> > https://twitter.com/cableONE/status/845460682560688128
> >
> > Frank
> >
>
> > _______________________________________________
> > Outages mailing list
> > Outages at outages.org
> > https://puck.nether.net/mailman/listinfo/outages
>
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion