From: Meng Weng Wong (mengwongdumbo.pobox.com)
Date: Thu Nov 01 2001 - 10:37:52 CST

    On Thu, Nov 01, 2001 at 02:54:11AM -0500, Greg A. Woods wrote:
    |
    | Unless you're prepared to fix some other RFCs then you can't get rid of
    | it. Remember this from RFC 974:
    |
    | Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
    | a alias and the alias is listed in the MX records for REMOTE. (E.g.
    | REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This
    | can be avoided if aliases are never used in the data section of MX
    | RRs.

    I addressed exactly this issue in my original argument. The
    complex phrasing of the above paragraph tends to
    short-circuit normal critical evaluation and produces a sort
    of cognitive kneejerk reaction.

    The RFC974 scenario above lost its strength when sendmail's
    Cw was introduced. Under postfix, mydestination solves the
    same problem.

    permit_mx_backup sees right through MX->CNAME->A chains and
    does the same thing as if it were an MX->A chain.

    | Besides that there are lots of instances where code would have to be
    | updated (I've got at least two instances myself!). Not everything does
    | lookups in such a way that further CNAMEs will be resolved!

    Could you provide more details please?

    I understand that the resolver library will, when given an
    alias, automatically perform the relevant A lookup and
    return the IP address of the canonical name.

    % perl -MNet::DNS -le 'my $res = new Net::DNS::Resolver; for
    ($res->search("rfc1912cname.mengwong.com")->answer) { next
    unless $_->type eq "A"; print $_->type . " " . $_->address
    }'
    A 208.210.125.21

    If the resolver instead returned only the CNAME record and
    expected the calling application to further resolve the
    canonical name to its IP address, then there would be a
    problem, because we can't expect all applications to do
    their own CNAME resolution.

    But the resolver library makes CNAMEs transparent to the
    calling application, so I don't see the objection.

    | Why do you want to make things more complex anyway? Why not K.I.S.S.
    | and just leave MX RRs as simple pointers to hostnames, the way they were
    | designed to be?

    I don't want to make things more complex. In practice I
    don't do MX->CNAME at all. What I am doing is playing
    scientist in search of The Truth; I submit that avoiding
    MX->CNAME is the postmaster's version of not stepping on
    cracks or walking under ladders.

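The RFC 974 case discussed in this message, as an added Python sketch that is not part of the original post: an MTA prunes "irrelevant" MX records by recognising itself in the list, which fails when it appears only under an alias unless the alias is in its list of local names or the comparison is done on resolved addresses. The zone data, host names and function names are constructed for illustration, and the two checks are simplified models of the ideas named above, not sendmail's or Postfix's code.

```python
# Constructed zone data: REMOTE has an MX of ALIAS, ALIAS is a CNAME of LOCAL.
ZONE = {
    ("remote.example", "MX"): [(10, "primary.remote.example"), (20, "alias.example")],
    ("alias.example", "CNAME"): ["local.example"],
    ("local.example", "A"): ["192.0.2.25"],
    ("primary.remote.example", "A"): ["192.0.2.10"],
}

def resolve_a(name, depth=8):
    """Follow CNAMEs to A records, the way a resolver library does for its caller."""
    for _ in range(depth):
        if (name, "CNAME") in ZONE:
            name = ZONE[(name, "CNAME")][0]
        else:
            return set(ZONE.get((name, "A"), []))
    raise RuntimeError("CNAME chain too long or looping")

def relevant_mx(domain, is_local):
    """RFC 974 pruning: drop every MX whose preference is >= our own."""
    mxs = sorted(ZONE[(domain, "MX")])
    mine = [pref for pref, host in mxs if is_local(host)]
    if not mine:
        return mxs  # we did not recognise ourselves, so nothing is pruned
    return [(p, h) for p, h in mxs if p < min(mine)]

def by_name(local_names):
    """Self-check against a configured list of local host names."""
    return lambda host: host in local_names

def by_address(local_addrs):
    """Self-check on resolved addresses, which sees through MX->CNAME->A."""
    return lambda host: bool(resolve_a(host) & local_addrs)

def mx_to_cname(domain):
    """Audit helper: MX targets that are aliases rather than canonical names."""
    return [h for _, h in ZONE[(domain, "MX")] if (h, "CNAME") in ZONE]

if __name__ == "__main__":
    print("MX -> CNAME targets:", mx_to_cname("remote.example"))
    print("canonical name only:", relevant_mx("remote.example", by_name({"local.example"})))
    print("alias listed locally:", relevant_mx("remote.example",
                                               by_name({"local.example", "alias.example"})))
    print("address comparison:", relevant_mx("remote.example", by_address({"192.0.2.25"})))
```

With only the canonical name configured, LOCAL keeps its own alias in the candidate list, which is the mail-loop condition the RFC warns about; the other two checks prune it.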