OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Greg A. Woods (woodsweird.com)
Date: Thu Nov 01 2001 - 12:23:13 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    [ On Thursday, November 1, 2001 at 17:12:26 (+0000), Simon Waters wrote: ]
    > Subject: Re: "MX->CNAME considered harmful" considered harmful.
    >
    > No resource records should refer to CNAME's according to the
    > standards (Except CNAME records and even that is discouraged).

    Yes, exactly.

    > I'm not aware of many things breaking except where CNAME
    > chaining forces excessive lookups.

    The execssive lookups themselves can break, though they shouldn't in any
    "ideal" situation of course. However unless your resolver always uses
    TCP when making queries (and even then sometimes if/because it uses
    TCP!) there's a very good chance that it never operates in "ideal"
    circumstances! :-)

    > So if you did do this you
    > might lose the ability to receive mail from hideously old
    > versions of sendmail, DJB has redone his survey recently, so you
    > can probably find out what proportion of mail severs would be
    > affected if you know in what version of sendmail the behaviour
    > changed.

    If e-mail delivery is the only concern then there's very little that'll
    break. However SMTP clients and servers are not the only tools that
    make use of such records. There are a *LOT* of lookup, verification,
    test tools, etc., some of which could use their own implementations of
    low-level DNS lookups.

    > CNAME's were never terribly well thought out bit of the DNS
    > standards anyway, I'd say just avoid them as much as it is
    > reasonable to do so (Most people never need them).

    I think CNAMEs were actually quite well thought out -- it's just that it
    seems to be numan nature seems to encourage people to use things in ways
    that they are explicitly not supposed to. IIRC CNAMEs were really only
    meant to be used as a last-ditch mechanism to provide backwards
    compatability should anything ever have to be renamed (though they've
    more often been used to provide aliases with service-related names).

    The renaming of something more directly related to the infrastructure,
    such as a nameserver or SMTP server, _should_ be more difficult since it
    necessarily requires more planning and consideration. 

    -- 
							Greg A. Woods

    +1 416 218-0098      VE3TCP      <gwoodsacm.org>     <woodsrobohack.ca>
Planix, Inc. <woodsplanix.com>;   Secrets of the Weird <woodsweird.com>
-
To unsubscribe, send mail to majordomopostfix.org with content
(not subject): unsubscribe postfix-users