Subject: Re: HELO is CNAME -> reject ??
From: Bodo Moeller (bmcdc.informatik.tu-darmstadt.de)
Date: Thu Apr 13 2000 - 04:51:27 CDT


On Wed, Apr 12, 2000 at 04:37:49PM -0400, Greg A. Woods wrote:

>> [1] Because of DNS TTLs, the first paragraph dictates a complicated
>> procedure for host renaming for IP addresses from which SMTP mail is
>> sent: First, add the new name and keep the old A and PTR records.
>> Then, determine when the secondary DNS servers have obtained the
>> updated zone files. Then, after the TTL for the old data has
>> expired, the mail server finally may use the new host
>> identification in its HELO messages; at this point, after
>> waiting a couple of minutes for any pending HELO verifications
>> by remote hosts, the old host name may finally be removed from
>> the zone files. I doubt this is often done correctly.

> The server may use the new name as soon as the new zone is updated in
> all of the advertised servers (and the appropriate in-addr.arpa zone is
> updated too, of course). There's no need to wait for the old data to
> expire.

Yes there is. Before the TTL has expired, the verifying SMTP servers
may have results from old PTR lookups in cache; so they won't
notice that there is now an additional name for the IP address
if they are doing PTR verification. If they are just doing
A record verification, the relevant TTL is the MINIMUM field
from the zone's SOA; see RFC 2308, "Negative Caching of DNS Queries
(DNS NCACHE)". (Usually the TTL for existing entries is the same as
the MINIMUM field because named uses the latter as default TTL;
i.e. positive and negative caching typically use the same TTL.)
Only if you are sure that no-one has looked up the new host name before
it existed can you ignore the possibility of negative caching; but
host names are not always unpredictable.
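The timing argument above can be checked with a small simulation. The following is an added example, not code from the original thread or from any named software: it models a toy authoritative zone, a caching resolver that keeps both positive answers (for the record TTL) and negative answers (per RFC 2308 section 5, for min(SOA MINIMUM, SOA TTL)), and an SMTP receiver that verifies HELO either by forward (A) or reverse (PTR) lookup. The names, addresses and TTLs are constructed; the TTL and SOA MINIMUM are set equal, as the reply notes is typical for named. The timeline compares switching HELO as soon as the zone is updated with switching only after the old data has expired.

```python
"""Simulation of the HELO-verification race during a mail-host rename (constructed example)."""

TTL = 3600           # assumed TTL on the A and PTR records
SOA_MINIMUM = 3600   # assumed SOA MINIMUM field (negative-caching TTL); equal to TTL, as named defaults
SOA_TTL = 86400      # assumed TTL of the SOA record itself


class Zone:
    """Authoritative data: (name, rtype) -> (ttl, [rdata, ...]); a missing key is NXDOMAIN/NODATA."""

    def __init__(self):
        self.rr = {}

    def add(self, name, rtype, rdata, ttl=TTL):
        self.rr.setdefault((name.lower(), rtype), (ttl, []))[1].append(rdata)

    def query(self, name, rtype):
        """Return (ttl, rdata list). A negative answer carries the RFC 2308 negative TTL."""
        ttl, rdata = self.rr.get((name.lower(), rtype), (None, []))
        if rdata:
            return ttl, list(rdata)
        return min(SOA_MINIMUM, SOA_TTL), []


class CachingResolver:
    """A remote site's resolver: caches every answer, positive or negative, until its TTL expires."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # (name, rtype) -> (expires_at, [rdata, ...])

    def lookup(self, name, rtype, now):
        key = (name.lower(), rtype)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return list(hit[1])          # served from cache, possibly a cached NXDOMAIN
        ttl, rdata = self.zone.query(name, rtype)
        self.cache[key] = (now + ttl, rdata)
        return list(rdata)


def reverse_name(ip):
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def helo_ok(resolver, helo, peer_ip, now, mode="A"):
    """HELO verification as the reply describes it: A mode checks that the HELO name
    resolves to the peer address; PTR mode checks that the HELO name is among the
    names the peer address maps back to."""
    if mode == "A":
        return peer_ip in resolver.lookup(helo, "A", now)
    names = [n.lower() for n in resolver.lookup(reverse_name(peer_ip), "PTR", now)]
    return helo.lower() in names


def rename_timeline(mode):
    """Rename old.example.org -> new.example.org on 192.0.2.25 and verify HELO
    from the point of view of one remote resolver that has cached state."""
    ip = "192.0.2.25"
    zone = Zone()
    zone.add("old.example.org", "A", ip)
    zone.add(reverse_name(ip), "PTR", "old.example.org")
    remote = CachingResolver(zone)
    results = {}

    # t=0: mail is exchanged under the old name; the remote resolver caches the
    # PTR answer. Someone there also looks up the future name (guessed or mistyped
    # before it exists), so an NXDOMAIN for new.example.org is cached too.
    results["before_rename"] = helo_ok(remote, "old.example.org", ip, 0, mode)
    remote.lookup("new.example.org", "A", 0)

    # t=600: the zone is updated on every advertised server; old records are kept.
    zone.add("new.example.org", "A", ip)
    zone.add(reverse_name(ip), "PTR", "new.example.org")

    # Switching HELO immediately: the remote still serves its cached PTR set /
    # cached negative answer, so verification fails.
    results["switch_immediately"] = helo_ok(remote, "new.example.org", ip, 601, mode)

    # A resolver with no cached state sees the new data at once; this is the
    # case in which switching immediately is harmless.
    results["fresh_resolver"] = helo_ok(CachingResolver(zone), "new.example.org", ip, 601, mode)

    # Waiting until the old data (and the negative answer) has expired.
    results["switch_after_ttl"] = helo_ok(remote, "new.example.org", ip, 601 + TTL, mode)
    return results


if __name__ == "__main__":
    for mode in ("A", "PTR"):
        print(mode, rename_timeline(mode))
```

In both verification modes the resolver that already holds cached state rejects the new HELO name until the relevant TTL has run out; with A-record verification it is the negative answer for the not-yet-existing name that does the damage, with PTR verification it is the cached list of names for the address. Shortening the TTL and SOA MINIMUM in advance (one full old-TTL before the rename) is the practical way to keep the waiting window small.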