[dns-operations] dnsop-any-notimp violates the DNS standards

Jared Mauch jared at puck.nether.net
Mon Mar 9 15:23:29 UTC 2015

> On Mar 9, 2015, at 10:54 AM, Tony Finch <dot at dotat.at> wrote:
> D. J. Bernstein <djb at cr.yp.to> wrote:
>> My "qmail" software is very widely deployed (on roughly 1 million SMTP
>> server IP addresses) and, by default, relies upon ANY queries in a way
>> that is guaranteed to work by the mandatory DNS standards.
> There are three bugs in the way qmail uses ANY queries.
> (1) qmail uses ANY queries for domain canonicalization on outgoing
> messages, as specified by RFC 1123. But canonicalization is not required
> by the current SMTP specification. It is a waste of time. Fixing this bug
> would make bug (3) moot.
> (2) qmail's DNS response buffer is too small to accommodate a complete DNS
> message, so it fails if it gets a large response. It uses the low-level
> libc resolver API which can easily handle large responses, including
> fallback to TCP, so it is a pity that qmail breaks this part of the
> resolver's functionality. This bug means it is not guaranteed to work.
> (3) Using an ANY query suppresses alias processing, so qmail makes a
> series of queries to follow CNAME chains. This is inefficient and
> wasteful. If you make an A or MX query, the DNS server will chase the
> CNAME chain for you, so you only need to make one query to get the
> canonical name.

Even ignoring if qmail is “broken”.  (I would rather classify it as, could do
better), depreciating the ANY qtype is going to have some significant side
effects of users troubleshooting DNS problems.

I’m very sensitive to the abuse of ANY queries, but this is something that
I feel there are sufficient controls that exist to mitigate the issues,
namely using TC=1 to direct well behaving clients to receive a valid response.

dnsop-any-notimp violates the principle of least surprise in technology by
returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more
appropriate with the existing definitions.

Much of this is triggered by bad coding practices and bad networking examples
that are littered around codebases, e.g.: gethostbyname() vs getnameinfo() and
by broken behaviors by nscd and other OS/LIBC implementations that also violate
the principle of least surprise.

- Jared

More information about the dns-operations mailing list