Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/me…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1461] New: dnssec use floods /var/log/messages
On Wed, Apr 09, 2014 at 11:55:13AM +0000, Jasen Betts wrote:

> > If Exim gets the MX name from DNS, what do I expect for the MX name's IP?
> > DNS too, or obeying nsswitch.conf by using the libc resolver?


The network addresses of MX hosts must also come from DNS.

> Under what circumstances is the DNS-served IP address of mx.fakemx.net of
> any use? I can put a more predictable value in /etc/hosts and quickly
> reject emails for which this is the only destination.


Unfortunately the APIs for searching /etc/hosts (i.e. getaddrinfo()
and friends) also typically fall back to DNS after failure to locate
records in DNS. However, this fallback typically uses the wrong
resolver flags and attempts to extend MX hostnames with domains on
the resolv.conf search list.

One can then end up connecting to completely the wrong host.

> > How trustworthy is an address I got from /etc/hosts? (But nss and the
> > libc resolver won't tell me the origin of the address anyway.)


Trust has nothing to do with it. Mixing DNS MX records with local
address lookups leads to unpredictable and potentially incorrect
behaviour.

-- 
    Viktor.
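The search-list expansion Viktor describes above, modelled as an added example (this is not Exim or glibc code; the zone data, the search list and the function names are constructed for illustration). It reproduces the candidate order a libc stub resolver such as res_search()/getaddrinfo() tries under the default RES_DEFNAMES|RES_DNSRCH flags, and shows how an MX host name that does not exist in DNS can still "resolve" once a resolv.conf search domain is appended to it:

```python
"""Model of libc stub-resolver search-list expansion and why it is wrong
for MX hostnames that already came out of DNS.  Added illustration only;
not Exim or glibc code.  ZONE below is constructed sample data."""


def stub_resolver_candidates(name, search, ndots=1):
    """Return the FQDNs a search-list stub resolver tries, in order.

    Rules (glibc res_search with RES_DEFNAMES|RES_DNSRCH, the default):
      * a name ending in '.' is absolute and is never expanded;
      * a name with at least `ndots` dots is tried as-is first, then
        with each resolv.conf search domain appended in turn;
      * a name with fewer dots gets the search domains first, as-is last.
    """
    if name.endswith("."):
        return [name]
    expanded = ["%s.%s." % (name, d.rstrip(".")) for d in search]
    absolute = [name + "."]
    if name.count(".") >= ndots:
        return absolute + expanded
    return expanded + absolute


# Constructed zone: the external MX host has no address record at all
# (NXDOMAIN), but the local search domain happens to contain an entry
# matching the expanded name (e.g. because of a wildcard in example.com).
ZONE = {
    "mail.example.com.": "192.0.2.10",
    "mx.fakemx.net.example.com.": "192.0.2.99",   # completely the wrong host
}


def lookup(name, search, ndots=1):
    """Simulate getaddrinfo()-style resolution against ZONE.

    Returns (fqdn_that_matched, address) or None if nothing matched.
    """
    for cand in stub_resolver_candidates(name, search, ndots):
        if cand in ZONE:
            return cand, ZONE[cand]
    return None


def mx_host_lookup_fixed(name, search):
    """Resolve an MX hostname as absolute, ignoring the search list.

    This is the effect of clearing RES_DNSRCH/RES_DEFNAMES in the
    resolver flags (or of passing a trailing-dot FQDN): a name that does
    not exist in DNS stays NXDOMAIN instead of matching a local host.
    """
    return lookup(name.rstrip(".") + ".", search)


if __name__ == "__main__":
    search = ["example.com", "corp.example.com"]
    print(stub_resolver_candidates("mx.fakemx.net", search))
    print(lookup("mx.fakemx.net", search))            # wrong host found
    print(mx_host_lookup_fixed("mx.fakemx.net", search))  # None, as it should be
```

The point the model makes is the one in the message: the MX name came from DNS and is already fully qualified, so any answer produced by appending a search domain is an answer for a different name. A mailer that takes MX records from DNS should therefore query the MX host's addresses with search-list expansion disabled (or with the name made absolute) rather than through the nsswitch path.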