Re: DNS goofups galore...

From: Michael H. Warfield (
Date: Thu Feb 08 2001 - 19:31:20 EST

On Thu, Feb 08, 2001 at 04:11:39PM -0800, H. Peter Anvin wrote:
> "Michael H. Warfield" wrote:
> >
> > > Please explain how there is any different between an CNAME or MX pointing
> > > to an A record in a different SOA versus an MX pointing to a CNAME
> > > pointing to an A record where at least one pair is local (same SOA).
> >
> > Ah! But now you are placing conditions on it (that at least one
> > pair is local). That is the very fine distinction that makes up the
> > "not quite" in the "almost" above and the difference between the "should
> > not" vs the "must not" in the specifications. You basically can't qualify
> > it by saying "you can do this, but only if one pair is in the same SOA".

> No. My point is that potential for inefficiency is not a valid reason
> for banning something outright. This should be an administrative
> decision, nothing more.

        But, wait a minute. CNAME -> CNAME is a "must not". MX -> CNAME
is a "should not". The "should not" leaves it to be implimentation
dependent and not an outright ban. Sooo...

        I personally have no problem with Bind 9.x prohibiting an
MX -> CNAME, but that's an implimentation issue.

        In case people have tuned in late, there have been some rather
radical swings in Bind policy since Bind 4.x.

        Bind 8.x decided to ENFORCE (with a vengence) the character set
policies dictated by RFC. This was (so they claimed) to protect poorly
coded programs that were prone to blowing chunks and doing Chernobyl
imitations on getting illegal characters in host names. Of course that
also caused zones with underscores in names (more common than what you
would think) to crap all over themselves when unsuspecting (i.e. failure
to read warnings) admins upgraded.

        Bind 9.0 went back to the old 4.9 policy on characters (allow
what can be entered and poorly coded programs are on their own) but started
enforcing a requirement for a TTL directive and making the SOA TTL field
the true minimum TTL that it was defined as (instead of a default like
Bind 8 and 4 and previous used it as). I figured I was all set, since I,
of course, had upgraded all MY zone files already. Imagine my surprise
when 9.0 would not even load because OVER HALF of the 200+ zones I'm
responsible for or host did NOT have the $TTL directive! It was assholes
and elbows for a not so brief but really intense time while I updated those
$@$%#@ zone files!

        You don't like the Bind enforcement of the DNS policy, bitch to
the ISC bunch. They can be swayed (all too often, it appears). If enough
DNS administrators really want to go against the "should not", maybe
they will make it configurable (Actually, I didn't think it really outright
prohibited it in the first place, but... Oh well...) There are lots
of other things in the DNS that need to be killed DEAD with a stake
through the heart like CNAME with other data (what is THAT suppose to
mean). I run into lookups on sites with CNAMES and A records for a host!
I suppose one can come up with a hierachial reason for doing such
byzantine things, but do you REALLY want to? In applying the KISS
principle (admitedly an oxymoron when it comes to DNS) I can see some
people wanting to ban MX -> CNAME in general if, for no other reason,
than to insure that you will do it only if you have really STRONG
reasons for doing it.

> -hpa

> --
> <> at work, <> in private!
> "Unix gives you enough rope to shoot yourself in the foot."


 Michael H. Warfield    |  (770) 985-6132   |
  (The Mad Wizard)      |  (678) 463-0932   |
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Thu Feb 15 2001 - 21:00:13 EST