[dns-operations] A problem with using DNAMEs in reverse lookups

Jeroen Massar jeroen at unfix.org
Sun Apr 3 08:42:16 UTC 2011


On 2011-Apr-03 10:36, Anand Buddhdev wrote:
> On 03/04/2011 10:19, Jeroen Massar wrote:
> 
>> Mail servers are just broken per DNS, even postfix does not properly
>> contact the right MXs, it connects to every single address of an MX
>> before going on to the next, even though the MX might respond with a
>> 3xx/4xx/5xx style response it will keep on connecting to the other AAAA
>> or A records, while it should give up on the MX and try the next MX instead.
> 
> That's debatable Jeroen: an MX record's multiple addresses may in fact
> be _separate_ machines, so I can argue that postfix is doing the right
> thing. That's my opinion anyway.

According to the SMTP RFCs an MX effectively becomes a single host, and
one should connect first to the AAAA addresses and then to the A addresses
till you get an SMTP session. When that session says 3xx you should try
the next MX, not that same MX on a different address. When you get a
4xx/5xx you should fail.

Just as a simple example of why greylisting blows up:

$ORIGIN example.com.
$TTL 3600

; one MX, one box, seven addresses
@	IN	MX	10	bigmx
bigmx	IN	A	192.0.2.1
	IN	A	192.0.2.2
	IN	A	192.0.2.3
	IN	A	192.0.2.4
	IN	A	192.0.2.5
	IN	A	192.0.2.6
	IN	A	192.0.2.7

If that bigmx box greylists you, thus sends you back a 3xx for the
sending host to queue it, what do you think happens when you hammer it
on its alternate addresses? :)

Greets,
 Jeroen
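To make the difference the two posters are arguing about concrete, here is an added simulation. It is not Jeroen's code, not Postfix code and not a transcription of RFC 5321; everything in it is an assumption made for illustration: constructed DNS data for example.com using documentation address ranges, a host model that answers 450 (the reply real greylisting implementations send) until a hold time has passed and keeps one greylist across all addresses of the same box, an unreachable AAAA address on bigmx, and the two sender strategies exactly as the thread describes them: "try every address of every MX" versus "one SMTP session per MX". It tallies how many connections the greylisting box receives under each.

```python
"""Simulated MX selection against a greylisting host.

Added example, constructed for illustration: the DNS data, the host model and
both sender strategies are assumptions made here, not Postfix code and not a
transcription of RFC 5321.
"""
from dataclasses import dataclass, field

# Constructed DNS data: one big MX with seven addresses, one backup MX.
# Addresses come from the documentation ranges (RFC 5737 / RFC 3849).
MX_RECORDS = [(10, "bigmx.example.com"), (20, "backupmx.example.com")]
ADDRESSES = {
    "bigmx.example.com": {
        "AAAA": ["2001:db8::1"],
        "A": ["192.0.2.%d" % i for i in range(1, 8)],
    },
    "backupmx.example.com": {"AAAA": [], "A": ["198.51.100.1"]},
}


@dataclass
class Host:
    """Model of one MX box; all of its addresses share a single greylist."""
    greylist: bool = False
    unreachable: set = field(default_factory=set)  # addresses that refuse TCP
    delay: int = 300                               # greylist hold time, seconds
    seen: dict = field(default_factory=dict)       # (client, sender, rcpt) -> first seen
    hits: list = field(default_factory=list)       # every connection attempt

    def connect(self, addr, client, sender, rcpt, now):
        """None if the TCP connection fails, else the SMTP reply code."""
        self.hits.append(addr)
        if addr in self.unreachable:
            return None
        if self.greylist:
            first = self.seen.setdefault((client, sender, rcpt), now)
            if now - first < self.delay:
                return 450  # temporary failure: the sender is expected to queue
        return 250


def ordered_addresses(name):
    """AAAA records first, then A records, as the thread describes."""
    return ADDRESSES[name]["AAAA"] + ADDRESSES[name]["A"]


def deliver_per_address(hosts, client, sender, rcpt, now=0):
    """The behaviour Jeroen complains about: every address of every MX is
    tried until one of them answers 2xx, whatever the SMTP replies were."""
    for _, name in sorted(MX_RECORDS):
        for addr in ordered_addresses(name):
            code = hosts[name].connect(addr, client, sender, rcpt, now)
            if code is not None and 200 <= code < 300:
                return ("delivered", name, addr)
    return ("queued", None, None)


def deliver_per_mx(hosts, client, sender, rcpt, now=0):
    """The behaviour Jeroen says the RFCs require: one SMTP session per MX.
    Addresses are only stepped through while TCP fails; the first SMTP reply
    decides: 2xx delivered, 4xx move to the next MX, 5xx permanent failure."""
    for _, name in sorted(MX_RECORDS):
        for addr in ordered_addresses(name):
            code = hosts[name].connect(addr, client, sender, rcpt, now)
            if code is None:
                continue            # no session yet, try the next address
            if 200 <= code < 300:
                return ("delivered", name, addr)
            if 500 <= code < 600:
                return ("bounced", name, addr)
            break                   # 4xx: give up on this MX, try the next one
    return ("queued", None, None)


def scenario():
    """Fresh hosts: both MXs greylist, and bigmx's AAAA address is down."""
    return {
        "bigmx.example.com": Host(greylist=True, unreachable={"2001:db8::1"}),
        "backupmx.example.com": Host(greylist=True),
    }


def run(strategy, retry_after=600):
    """First attempt at t=0, one retry after the queue delay if it was queued.
    Returns (first_result, retry_result, bigmx_hits, backupmx_hits)."""
    hosts = scenario()
    envelope = ("203.0.113.5", "alice@sender.example", "bob@example.com")
    first = strategy(hosts, *envelope, now=0)
    retry = strategy(hosts, *envelope, now=retry_after) if first[0] == "queued" else None
    return (first, retry,
            len(hosts["bigmx.example.com"].hits),
            len(hosts["backupmx.example.com"].hits))


if __name__ == "__main__":
    for strategy in (deliver_per_address, deliver_per_mx):
        first, retry, big, backup = run(strategy)
        print(f"{strategy.__name__}: first={first[0]} retry={retry[0] if retry else None} "
              f"connections to bigmx={big}, to backupmx={backup}")
```

Run stand-alone, both strategies end up queued on the first attempt and delivered to 192.0.2.1 on the retry, but the per-address strategy has opened ten connections to the greylisting box by then against four for the per-MX strategy; with more addresses behind the MX the gap grows linearly. Whichever reading of the RFC one prefers, the tally is what the greylisting host actually sees from each sender, which is the point of the thread.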
