Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
Sam Varshavchik <mrsam@courier-mta.com> Sun, 04 April 2021 15:58 UTC
Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 128763A0A0B for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 08:58:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_PBL=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id koyi2tLQP8pA for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Apr 2021 08:58:31 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C004C3A0A06 for <ietf-smtp@ietf.org>; Sun, 4 Apr 2021 08:58:31 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8SMTPS id 00000000002C0037.000000006069E21F.000034DA; Sun, 04 Apr 2021 11:58:23 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 000000000001E508.000000006069E21F.00004952; Sun, 04 Apr 2021 11:58:23 -0400
References: <20210402002416.1825171CC176@ary.qy> <70B5B7CCF6D64FBA195CCAA5@JcK-HP5>
Message-ID: <cone.1617551902.793499.18351.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Sun, 04 Apr 2021 11:58:22 -0400
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-18351-1617551902-0001"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/mJh7-enscT_QK6env0e_ouTv6Vg>
Subject: Re: [ietf-smtp] MTS-STS validation when MX host points to a CNAME, violating RFC 2181 § 10.3
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2021 15:58:37 -0000
John C Klensin writes: > in5321 as just a clarification. My memory of that part of the > discussion in the late 1980s is very vague, but I think that it > includes some concern about the combination of performance, what > action should be taken on a CNAME loop if one were detected, and CNAME loops can happen on any lookup: MX, A, AAAA, or any other RR. When searching various DNS-related documentation I saw no exceptions for MX RRs, that distinguish their processing. I can't find anything explicitly mentioned in RFC 1035 regarding CNAME loops that occur in the process of doing MX lookups. What should happen is the same thing what should happen when getting a CNAME loop for any other query. Even PTR. In fact, at least at one point, CNAME aliases for PTR records were quite popular, in certain use cases. RFC 1035 defines CNAMEs as follows: # CNAME RRs cause no additional section processing, but name servers may # choose to restart the query at the canonical name in certain cases. See # the description of name server logic in [RFC-1034] for details. RFC 1035 then states: # If recursive service is requested and available, the recursive response # to a query will be one of the following: # # - The answer to the query, possibly preface by one or more CNAME # RRs that specify aliases encountered on the way to an answer. This is not qualified in any further way. If a recursive query for an MX record is received by a DNS server, it will resolve any CNAME alias. The next paragraph further cements this point. Section 4.3.2 then provides more color: # a. If the whole of QNAME is matched, we have found the # node. # # If the data at the node is a CNAME, and QTYPE doesn't # match CNAME, copy the CNAME RR into the answer section # of the response, change QNAME to the canonical name in # the CNAME RR, and go back to step 1. So, if an SMTP server uses a generic DNS resolver to look up MX records, an MX that's pointing to a CNAME will resolve just fine. Following the cite to RFC 1034, over there we find the following: # CNAME RRs cause special action in DNS software. When a name server # fails to find a desired RR in the resource set associated with the # domain name, it checks to see if the resource set consists of a CNAME # record with a matching class. If so, the name server includes the CNAME # record in the response and restarts the query at the domain name # specified in the data field of the CNAME record. The one exception to # this rule is that queries which match the CNAME type are not restarted. Finally: # Of course, by the robustness # principle, domain software should not fail when presented with CNAME # chains or loops; CNAME chains should be followed and CNAME loops # signalled as an error. It is clear that a generic DNS resolver will handle CNAMEs in the context of MX RRs no differently than any other RR. Earlier, I wrote: > So, if an SMTP server uses a generic DNS resolver to look up MX records, an > MX that's pointing to a CNAME will resolve just fine. Now, whether the SMTP server will accept this result is, of course, a different story. Prior to the current standard this wasn't clearly defined, and now it is prohibited. However, this distills this issue to the following; The specification's audience is mostly SMTP implementations. But the onus on complying to this requirement is on the owners and operators who configure their domains. And in the context of setting up and installing their DNS records, there's nothing wrong with installing a CNAME for an MX target. They'll run dig example.com mx They'll get an MX record for mail.example.com, then dig mail.example.com a they'll get a CNAME and and A record, and for all intents and purposes, DNS is set up correctly. Even better is that older DNS servers will helpfully include CNAME and A records automatically in the "additional data" part of the DNS response to an MX query. No additional DNS queries will be needed, to locate the actual MX, if the implementation is smart enough to check that part of the DNS response. I don't see this happening any more, but this used to happen more often than not.
- [ietf-smtp] MTS-STS validation when MX host point… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTA-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTA-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Hector Santos
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Viktor Dukhovni
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John R Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] CNAME considered harmful, was MTS… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Mark Andrews
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… John Levine
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] on liberality, was MTS-STS_valida… Dave Crocker
- Re: [ietf-smtp] MTS-STS validation when MX host p… Sam Varshavchik
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Bron Gondwana
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… Arnt Gulbrandsen
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas
- Re: [ietf-smtp] MTS-STS validation when MX host p… John C Klensin
- Re: [ietf-smtp] MTS-STS validation when MX host p… Kristijonas Lukas Bukauskas