Re: [exim-dev] [Bug 2264] DNS lookups should not chase CNAME…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2264] DNS lookups should not chase CNAME chains


> On Jun 9, 2018, at 5:27 PM, admin--- via Exim-dev <exim-dev@???> wrote:
>
>
> Git Commit <git@???> changed:
>
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                 CC|                            |git@???
>
>
> --- Comment #2 from Git Commit <git@???> ---
> Git commit:
> https://git.exim.org/exim.git/commitdiff/d8d9f9301c9a31c826635bbdd334bb4be99ea05a
>
> commit d8d9f9301c9a31c826635bbdd334bb4be99ea05a
> Author:     Jeremy Harris <jgh146exb@???>
> AuthorDate: Thu Jun 7 18:08:22 2018 +0100
> Commit:     Jeremy Harris <jgh146exb@???>
> CommitDate: Thu Jun 7 18:08:22 2018 +0100
>
>
>    follow cname chains only one step.  bug 2264
> ----
> doc/doc-docbook/spec.xfpt        | 14 ++++++++++++++
> doc/doc-txt/ChangeLog            |  7 +++++++
> doc/doc-txt/OptionLists.txt      |  1 +
> src/README.UPDATING              |  8 ++++++++
> src/src/dns.c                    | 19 +++++++++++++------
> src/src/globals.c                |  1 +
> src/src/globals.h                |  1 +
> src/src/readconf.c               |  1 +
> src/src/verify.c                 |  5 ++---
> test/aux-var-src/tls_conf_prefix |  1 +
> test/stdout/0572                 |  2 ++
> test/stdout/0577                 |  1 +
> 12 files changed, 52 insertions(+), 9 deletions(-)


I am confused by the comments in the bug tracker and code.
Can you share the cases you found that make it necessary
to recurse one extra time?

I would expect the following behaviour from an iterative
resolver:

  Zone:
    cname.example. IN CNAME cname2.example.
    cname2.example. IN CNAME nomx.example.
    nomx.example. IN A 192.0.2.1
  Query:
    cname.example. IN MX ?
  Response:
    Header.RCODE: NOERROR
    Answers:
      cname.example. IN CNAME cname2.example.
      cname2.example. IN CNAME nomx.example.
From which, without further recursion one may
conclude that "cname.example" has no MX RRs.
Per RFC5321, one can treat "nomx.example" as
the destination domain with an implicit MX
RRset of:

    nomx.example. IN MX 0 nomx.example.
The "AD" bit from the response indicates whether
the chain from "cname.example." to "nomx.example."
is secure, and opportunistic DANE support can be
engaged accordingly.

If the RCODE is "NXDOMAIN", the original name
or else the final CNAME target does not exist.

If the RCODE is "NOERROR" and MX records are
returned for the final CNAME target:

    cname3.example. IN CNAME cname4.example.
    cname4.example. IN CNAME hasmx.example.
    hasmx.example. IN MX 0 smtp.hasmx.example.
then the resolver should return an answer containing
both CNAMEs and the MX records of the final target.

If the resolver is unable to reach the end of the
chain (due to loops, timeouts, recursion limits, ...)
it should return SERVFAIL.

Are you seeing something else?

-- 
    Viktor.
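The resolver behaviour described in the message above, as an added Python example that is neither Exim code nor part of the post: it takes a response's RCODE, AD bit and answer section, walks the CNAMEs the resolver already returned without issuing any follow-up query, and applies the RFC 5321 implicit MX rule when the final target has no MX records. The names `RR`, `MXResult` and `resolve_mx` are my own, and the two answer sections are constructed from the zones quoted in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record from the answer section (names kept absolute)."""
    name: str
    rtype: str   # "CNAME" or "MX" (other types are ignored here)
    rdata: str   # CNAME: target name; MX: "<preference> <exchange>"

@dataclass
class MXResult:
    domain: str      # final destination domain after the CNAME chain
    mx: list         # [(preference, exchange), ...], sorted by preference
    implicit: bool   # True when the RFC 5321 implicit "MX 0 <domain>" applied
    secure: bool     # AD bit: the resolver validated the whole chain (DANE-usable)

def resolve_mx(qname, rcode, ad, answers):
    """Interpret one MX response; never recurses or re-queries."""
    if rcode == "NXDOMAIN":
        raise LookupError(f"{qname}: name (or final CNAME target) does not exist")
    if rcode != "NOERROR":
        raise RuntimeError(f"{qname}: resolver returned {rcode}")
    lc = str.lower   # DNS owner names compare case-insensitively
    cnames = {lc(rr.name): lc(rr.rdata) for rr in answers if rr.rtype == "CNAME"}
    name, seen = lc(qname), {lc(qname)}
    while name in cnames:   # follow only what the resolver put in the answer
        name = cnames[name]
        if name in seen:    # a loop should already have been SERVFAIL; treat it so
            raise RuntimeError(f"{qname}: CNAME loop in answer section")
        seen.add(name)
    mx = sorted((int(pref), lc(exch)) for pref, exch in
                (rr.rdata.split() for rr in answers
                 if rr.rtype == "MX" and lc(rr.name) == name))
    if mx:
        return MXResult(name, mx, False, ad)
    # NOERROR with no MX for the final target: implicit MX 0 <target> (RFC 5321)
    return MXResult(name, [(0, name)], True, ad)

# Constructed answer sections matching the two zones in the post.
NOMX_ANSWER = [RR("cname.example.", "CNAME", "cname2.example."),
               RR("cname2.example.", "CNAME", "nomx.example.")]
HASMX_ANSWER = [RR("cname3.example.", "CNAME", "cname4.example."),
                RR("cname4.example.", "CNAME", "hasmx.example."),
                RR("hasmx.example.", "MX", "0 smtp.hasmx.example.")]

if __name__ == "__main__":
    for q, ans in (("cname.example.", NOMX_ANSWER), ("cname3.example.", HASMX_ANSWER)):
        print(q, "->", resolve_mx(q, "NOERROR", True, ans))
```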