Re: [exim-dev] [Bug 2264] DNS lookups should not chase CNAME…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2264] DNS lookups should not chase CNAME chains


> On Jun 9, 2018, at 7:50 PM, Jeremy Harris via Exim-dev <exim-dev@???> wrote:
>
>> OK, that's what I'd expect, from this you can conclude
>> that "nomx.example" has no MX records.
>
> With a retry count of one, and the current coding, it failed
> when it hit that case. It was far simpler to loop once than
> try to rewrite all the code.


My concern would be that if the code is unable to draw the
right conclusion from just the initial response (i.e. it
does not parse all the records to build a chain to the
final target, and check for the presence or absence of
the answer for that target), then one extra query could
also be insufficient. CNAME chains can be multiple
elements long (10 is a popular limit). A classic
example is:

  $ dig +noall +ans +nocl +nottl -t a www.paypal.com
  www.paypal.com.         CNAME   geo.paypal.com.akadns.net.
  geo.paypal.com.akadns.net. CNAME hotspot-www.paypal.com.akadns.net.
  hotspot-www.paypal.com.akadns.net. CNAME wlb.paypal.com.akadns.net.
  wlb.paypal.com.akadns.net. CNAME www.paypal.com.edgekey.net.
  www.paypal.com.edgekey.net. CNAME e3694.a.akamaiedge.net.
  e3694.a.akamaiedge.net. A       104.123.10.240


which arrives as a single DNS response.

-- 
    Viktor.
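
The approach described in the message above, as an added example that is not part of the original post and is not Exim's code: walk the CNAME chain inside a single answer section and decide whether the final target has a record of the requested type. The `chase` function, the `struct rr` layout and the `nomx`/`loop` sample records are assumptions made for illustration; the `paypal` records are the dig output quoted in the message, and the response is assumed to be a complete NOERROR answer from a recursive resolver.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_CNAME_HOPS 10              /* the "popular limit" from the post */
enum { RR_A = 1, RR_CNAME = 5, RR_MX = 15 };
enum verdict { HAVE_DATA, NO_DATA, CHAIN_TOO_LONG };
struct rr { const char *owner; int type; const char *rdata; };

/* Answer section from the dig output in the post (one response). */
static const struct rr paypal[] = {
    {"www.paypal.com.", RR_CNAME, "geo.paypal.com.akadns.net."},
    {"geo.paypal.com.akadns.net.", RR_CNAME, "hotspot-www.paypal.com.akadns.net."},
    {"hotspot-www.paypal.com.akadns.net.", RR_CNAME, "wlb.paypal.com.akadns.net."},
    {"wlb.paypal.com.akadns.net.", RR_CNAME, "www.paypal.com.edgekey.net."},
    {"www.paypal.com.edgekey.net.", RR_CNAME, "e3694.a.akamaiedge.net."},
    {"e3694.a.akamaiedge.net.", RR_A, "104.123.10.240"},
};
/* Constructed: an alias whose target has no MX, and a two-name CNAME loop. */
static const struct rr nomx[] = { {"nomx.example.", RR_CNAME, "host.example."} };
static const struct rr loop[] = { {"a.example.", RR_CNAME, "b.example."},
                                  {"b.example.", RR_CNAME, "a.example."} };

/* Walk the CNAME chain inside one answer section, starting at qname, and
   report whether the final target owns a record of qtype. */
enum verdict chase(const struct rr *ans, size_t n, const char *qname,
                   int qtype, const char **final)
{
    const char *name = qname;
    for (int hops = 0; hops <= MAX_CNAME_HOPS; hops++) {
        const char *next = NULL;
        for (size_t i = 0; i < n; i++) {
            if (strcasecmp(ans[i].owner, name) != 0) continue; /* names are case-insensitive */
            if (ans[i].type == qtype) { *final = name; return HAVE_DATA; }
            if (ans[i].type == RR_CNAME) next = ans[i].rdata;
        }
        *final = name;
        if (!next) return NO_DATA;     /* chain ended, nothing of qtype at the target */
        name = next;
    }
    return CHAIN_TOO_LONG;             /* loop or more than MAX_CNAME_HOPS aliases */
}

int main(void)
{
    const char *t;
    printf("%d ", chase(paypal, 6, "www.paypal.com.", RR_A, &t)); puts(t);
    printf("%d ", chase(nomx, 1, "nomx.example.", RR_MX, &t)); puts(t);
    printf("%d ", chase(loop, 2, "a.example.", RR_MX, &t)); puts(t);
    return 0;
}
```

The hop cap is what bounds the work on a looping or over-long chain, so a crafted response cannot keep the walker running indefinitely.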