[dns-operations] dnsop-any-notimp violates the DNS standards

Tony Finch dot at dotat.at
Mon Mar 9 14:54:26 UTC 2015


D. J. Bernstein <djb at cr.yp.to> wrote:

> My "qmail" software is very widely deployed (on roughly 1 million SMTP
> server IP addresses) and, by default, relies upon ANY queries in a way
> that is guaranteed to work by the mandatory DNS standards.

There are three bugs in the way qmail uses ANY queries.

(1) qmail uses ANY queries for domain canonicalization on outgoing
messages, as specified by RFC 1123. But canonicalization is not required
by the current SMTP specification. It is a waste of time. Fixing this bug
would make bug (3) moot.

(2) qmail's DNS response buffer is too small to accommodate a complete DNS
message, so it fails if it gets a large response. It uses the low-level
libc resolver API which can easily handle large responses, including
fallback to TCP, so it is a pity that qmail breaks this part of the
resolver's functionality. This bug means it is not guaranteed to work.

(3) Using an ANY query suppresses alias processing, so qmail makes a
series of queries to follow CNAME chains. This is inefficient and
wasteful. If you make an A or MX query, the DNS server will chase the
CNAME chain for you, so you only need to make one query to get the
canonical name.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Easterly 5 or 6 in far southeast, otherwise northerly 4 or 5.
Moderate or rough. Mainly fair. Good.
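An added example illustrating bugs (2) and (3) above; it is not part of Tony Finch's message and is not qmail's code. It is a small DNS wire-format parser that follows the CNAME chain inside one response. A simulated answer to an A query (in which the server has already chased the aliases, as RFC 1034 alias processing requires) yields the canonical name in a single message, while a simulated ANY answer stops at the first CNAME and leaves the client to make further queries. The parser also exposes the TC bit so a caller can notice a truncated answer and retry over TCP instead of silently breaking. The names, addresses and messages are constructed here for the example; no network access is made.

```python
"""Added example (not from the original email, not qmail code): a minimal
DNS wire-format parser that follows a CNAME chain within a single response.
All messages below are constructed in this script; nothing is sent."""
import struct

TYPE_A, TYPE_CNAME, TYPE_ANY = 1, 5, 255
CLASS_IN = 1
FLAG_TC = 0x0200  # truncation bit in the header flags


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next_off)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (next_off if jumped else off)


def build_message(qname, qtype, answers):
    """Build a response with one question and the given answer RRs.
    answers is a list of (owner, type, rdata_bytes); TTL is fixed at 300."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, rdata in answers:
        body += encode_name(owner)
        body += struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


def parse_answers(msg):
    """Return (qname, truncated, [(owner, type, rdata)]); CNAME rdata is
    decoded to a name, other rdata is left as raw bytes."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip qtype and qclass
    rrs = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = decode_name(msg, off)[0] if rtype == TYPE_CNAME else msg[off:off + rdlen]
        off += rdlen
        rrs.append((owner, rtype, rdata))
    return qname, bool(flags & FLAG_TC), rrs


def canonical_name(msg):
    """Follow CNAME RRs in the answer section starting at the qname.
    Returns (name, complete): complete is False when the chain ends at a
    name with no non-CNAME RR in this response, i.e. the client would have
    to issue another query to finish alias processing."""
    qname, _tc, rrs = parse_answers(msg)
    name, seen = qname, set()
    while name not in seen:
        seen.add(name)
        targets = [r for o, t, r in rrs if o == name and t == TYPE_CNAME]
        if not targets:
            return name, any(o == name and t != TYPE_CNAME for o, t, _ in rrs)
        name = targets[0]
    return name, False  # CNAME loop; never complete


# Constructed sample: the queried name is an alias two hops deep.
QNAME = "mail.example.com."
HOP1, HOP2 = "smtp.example.net.", "mx.example.org."

# Simulated answer to an ANY query: the CNAME itself matches, so the
# server returns only that record and does not chase the alias.
ANY_RESPONSE = build_message(QNAME, TYPE_ANY,
                             [(QNAME, TYPE_CNAME, encode_name(HOP1))])

# Simulated answer to an A query: the server followed the whole chain.
A_RESPONSE = build_message(QNAME, TYPE_A, [
    (QNAME, TYPE_CNAME, encode_name(HOP1)),
    (HOP1, TYPE_CNAME, encode_name(HOP2)),
    (HOP2, TYPE_A, bytes([192, 0, 2, 25])),  # TEST-NET-1 address, constructed
])

if __name__ == "__main__":
    for label, msg in (("ANY", ANY_RESPONSE), ("A", A_RESPONSE)):
        name, complete = canonical_name(msg)
        truncated = parse_answers(msg)[1]
        print(f"{label}: canonical={name} complete={complete} tc={truncated}")
```

Run as a script it prints that the A response resolves the chain to mx.example.org. in one message, whereas the ANY response only gets as far as smtp.example.net. and reports the chain as incomplete. A client that parses into a fixed, undersized buffer would never reach the TC check at all; here the whole message is read first and the flag is available before any record is trusted.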
