Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3

Sam Varshavchik <mrsam@courier-mta.com> Sun, 04 April 2021 15:58 UTC

Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 128763A0A0B for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 08:58:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_PBL=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id koyi2tLQP8pA for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 08:58:31 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C004C3A0A06 for <ietf-smtp@ietf.org>; Sun, 4 Apr 2021 08:58:31 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8SMTPS id 00000000002C0037.000000006069E21F.000034DA; Sun, 04 Apr 2021 11:58:23 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 000000000001E508.000000006069E21F.00004952; Sun, 04 Apr 2021 11:58:23 -0400
References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5>
Message-ID: <cone.1617551902.793499.18351.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Sun, 04 Apr 2021 11:58:22 -0400
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-18351-1617551902-0001"; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/mJh7-enscT_QK6env0e_ouTv6Vg>
Subject: Re: [ietf-smtp] =?utf-8?q?MTS-STS_validation_when_MX_host_points_to_?= =?utf-8?q?a_CNAME=2C_violating__RFC_2181_=C2=A7_10=2E3?=
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2021 15:58:37 -0000

John C Klensin writes:

> in5321 as just a clarification.  My memory of that part of the
> discussion in the late 1980s is very vague, but I think that it
> includes some concern about the combination of performance, what
> action should be taken on a CNAME loop if one were detected, and

CNAME loops can happen on any lookup: MX, A, AAAA, or any other RR. When  
searching various DNS-related documentation I saw no exceptions for MX RRs,  
that distinguish their processing. I can't find anything explicitly  
mentioned in RFC 1035 regarding CNAME loops that occur in the process of  
doing MX lookups. What should happen is the same thing what should happen  
when getting a CNAME loop for any other query. Even PTR. In fact, at least  
at one point, CNAME aliases for PTR records were quite popular, in certain  
use cases.

RFC 1035 defines CNAMEs as follows:

# CNAME RRs cause no additional section processing, but name servers may
# choose to restart the query at the canonical name in certain cases.  See
# the description of name server logic in [RFC-1034] for details.

RFC 1035 then states:

#  If recursive service is requested and available, the recursive response
#  to a query will be one of the following:
#
#   - The answer to the query, possibly preface by one or more CNAME
#     RRs that specify aliases encountered on the way to an answer.

This is not qualified in any further way. If a recursive query for an MX  
record is received by a DNS server, it will resolve any CNAME alias. The  
next paragraph further cements this point. Section 4.3.2 then provides more  
color:

#         a. If the whole of QNAME is matched, we have found the
#            node.
#
#            If the data at the node is a CNAME, and QTYPE doesn't
#            match CNAME, copy the CNAME RR into the answer section
#            of the response, change QNAME to the canonical name in
#            the CNAME RR, and go back to step 1.
 
So, if an SMTP server uses a generic DNS resolver to look up MX records, an  
MX that's pointing to a CNAME will resolve just fine.

Following the cite to RFC 1034, over there we find the following:

# CNAME RRs cause special action in DNS software.  When a name server
# fails to find a desired RR in the resource set associated with the
# domain name, it checks to see if the resource set consists of a CNAME
# record with a matching class.  If so, the name server includes the CNAME
# record in the response and restarts the query at the domain name
# specified in the data field of the CNAME record.  The one exception to
# this rule is that queries which match the CNAME type are not restarted.

Finally:

#                                 Of course, by the robustness
# principle, domain software should not fail when presented with CNAME
# chains or loops; CNAME chains should be followed and CNAME loops
# signalled as an error.

It is clear that a generic DNS resolver will handle CNAMEs in the context of  
MX RRs no differently than any other RR. Earlier, I wrote:

> So, if an SMTP server uses a generic DNS resolver to look up MX records, an  
> MX that's pointing to a CNAME will resolve just fine.

Now, whether the SMTP server will accept this result is, of course, a  
different story. Prior to the current standard this wasn't clearly defined,  
and now it is prohibited. However, this distills this issue to the following;

The specification's audience is mostly SMTP implementations. But the onus on  
complying to this requirement is on the owners and operators who configure  
their domains. And in the context of setting up and installing their DNS  
records, there's nothing wrong with installing a CNAME for an MX target.  
They'll run

dig example.com mx

They'll get an MX record for mail.example.com, then

dig mail.example.com a

they'll get a CNAME and and A record, and for all intents and purposes, DNS  
is set up correctly.

Even better is that older DNS servers will helpfully include CNAME and A  
records automatically in the "additional data" part of the DNS response to  
an MX query. No additional DNS queries will be needed, to locate the actual  
MX, if the implementation is smart enough to check that part of the DNS  
response. I don't see this happening any more, but this used to happen more  
often than not.