[Last-Call] Re: [Emailcore] Re: Re: Dnsdir last call review of draft-ietf-emailcore-rfc5321bis-31

It appears that Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> said:
>> If you want to forbid CNAMEs, the application has to add special
>> checks to notice the CNAMEs and object to them.
>
>This of course depends on the API used.  If it is just getaddrinfo() and
>friends, then indeed yes.  But carefully designed MTAs will resort to
>explicit DNS lookups when resolving SMTP server names obtained from DNS,
>so as to avoid namespace confusion, so may well end up seeing the CNAME
>as part of decoding the DNS response.  Though of course, even then the
>resolver will typically have performed the iteration, and returned a
>chain plus any addresses.

In my experience the resolver usually returns all the CNAME and DNAME
records along with the A or AAAA, so the application has to iterate
and skip the ones that are the wrong type.  It wouldn't be hard to
check for CNAME and DNAME during that iteration but it'd also be
pretty pointless.  So I think we agree.

>> Hence in section 5.1. I would say that for maximum compatibility with
>> earlier versions of this standard, recipient mail systems MUST NOT use
>> CNAMEs to refer to MX records or the A or AAAA records that an MX
>> points to.
>
>Actually, only the latter.  The domain part of an email address is in
>fact explicitly allowed in 5321 (don't recall whether also 2821) to be
>a CNAME chain leading to the actual MX RRset.

Ah, right.  One less thing to un-break.

>> Bonus question: the current text says nothing about DNAME.  Well?  Same thing,
>> the library will resolve it unless you tell it not to so we might as well allow it.
>
>DNAMEs are not relevant, they're used for CNAME synthesis only, and so
>all the MTA sees is any resulting CNAMEs.

No, the DNAME shows up in the bundle of answers along with the synthesized
CNAME.  Any sensible application will skip over both, but they're there
if for some reason you want to check and object.  But I think we agree
that you don't.

R's,
John

>> PS: In answer to the question how many levels of CNAME to allow, the
>> only answer is whatever your DNS library does. The dnsop WG has
>> declined to set specific limits on CNAME or DNAME or any of the many
>> other ways you can make long chains of DNS lookups, and we sure aren't
>> going there either.
>
>Postfix picked 10 IIRC.

Does it really follow the CNAMEs itself rather than letting the DNS
resolver do it? If so, what does it do about the other endless chains
such as cascading NS?

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
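An added example, not code from this thread, from Postfix or from any resolver library, of the iteration John describes: an MTA walking an answer section that carries a DNAME, the CNAME synthesized from it, a further plain CNAME and the final A/AAAA records, skipping the wrong-type records and bounding the chain length. The 10-hop bound, the `RR` shape and the sample records are assumptions constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS answer section (constructed shape)."""
    owner: str  # owner name, lower-case, trailing dot
    rtype: str  # "CNAME", "DNAME", "A", "AAAA", ...
    rdata: str  # target name for CNAME/DNAME, address text for A/AAAA


MAX_CNAME_CHAIN = 10  # assumed bound; the thread mentions Postfix picked 10


def resolve_addresses(qname, answers, max_chain=MAX_CNAME_CHAIN):
    """Follow CNAMEs from qname through the answer section and return
    (final_name, addresses, cname_hops). DNAME records are skipped: the
    resolver has already synthesized the CNAME they imply. Loops and
    over-long chains raise ValueError rather than being followed."""
    name = qname.lower()
    seen = set()
    hops = 0
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        targets = [rr.rdata.lower() for rr in answers
                   if rr.owner == name and rr.rtype == "CNAME"]
        if not targets:
            break  # no CNAME at this owner: this is the final name
        if len(targets) > 1:
            raise ValueError(f"multiple CNAMEs at {name}")
        hops += 1
        if hops > max_chain:
            raise ValueError(f"CNAME chain longer than {max_chain} hops")
        name = targets[0]
    # Records of any other type at other owners (DNAME, stray CNAMEs) are ignored.
    addrs = [rr.rdata for rr in answers
             if rr.owner == name and rr.rtype in ("A", "AAAA")]
    return name, addrs, hops


# Constructed answer for a query of mail.example.com: a DNAME plus the CNAME
# it synthesized, a plain CNAME, then the final A and AAAA records.
SAMPLE_ANSWER = [
    RR("example.com.", "DNAME", "example.net."),
    RR("mail.example.com.", "CNAME", "mail.example.net."),
    RR("mail.example.net.", "CNAME", "mx1.example.net."),
    RR("mx1.example.net.", "A", "192.0.2.25"),
    RR("mx1.example.net.", "AAAA", "2001:db8::25"),
]
```

A non-zero hop count is the signal an MTA would use if it chose to object to a CNAME at an MX target, which is the check the thread concludes is not worth making.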