[time-nuts] Strange reports of bocked messages to timenuts

John Ackermann N8UR jra at febo.com
Sat May 17 21:27:14 UTC 2008 

All --

Thanks for the information on the MX record issues.  The problem
resulted from a changed configuration a couple of years ago where we
didn't go quite far enough in making sure that everything works --
febo.com has been on the net since something like 1996 (the domain was
actually registered in late 1994, but at first I used -- believe it or
not -- uucp for the mail link), and over that time there were various
gyrations that happened to keep DNS happy as the world changed.

The last change was reversing things so that meow.febo.com was the CNAME
and febo.com was the A record.  We did that to address some other
issues, and obviously forgot to change the MX record appropriately.
I'll do that as soon as Hamvention is over...

But what's interesting is that the error has been in place for over two
years, and this is the first time it's ever caused any problems.  And
I'm really not sure what the security implication is of an MX pointing
to a CNAME.  I can see that it could result in lower reliability by
putting an extra link in the DNS chain, but that's not really a security
problem.

Anyway, this will be fixed as soon as I have a chance.

John
----
Mike S said the following on 05/17/2008 10:52 AM:
> At 06:55 AM 5/17/2008, John Ackermann N8UR wrote...
>> I think this is some sort of weird backscatter problem; I've never seen
>> this message before.
>>
>> But I've unsubscribed this joconnell person in the hopes that will
>> stop it.
> 
> It will, but the root problem is at febo.com (failure to follow RFCs),
> which is resulting in message rejection and a bounce back to the
> Reply-To: addresses (including time-nuts at febo.com).
> 
>> > WHY DID THIS HAPPEN ?
>> > =====================
>> > 550 ######## DNS RHS BLACKLIST: http://www.rfc-ignorant.org ########
> 
> If you follow the link and look up febo.com, and find that "ns1.febo.com
> reports that febo.com has an MX (meow.febo.com) which ns1.febo.com says
> is a CNAME (to febo.com)"
> 
> RFC1912 says:
> 
>    Don't use CNAMEs in combination with RRs which point to other names
>    like MX, CNAME, PTR and NS.  (PTR is an exception if you want to
>    implement classless in-addr delegation.)  For example, this is
>    strongly discouraged:
> 
>            podunk.xx.      IN      MX      mailhost
>            mailhost        IN      CNAME   mary
>            mary            IN      A       1.2.3.4
> 
>    [RFC1034] in section 3.6.2 says this should not be done, and [RFC974]
>    explicitly states that MX records shall not point to an alias defined by
>    a CNAME.
> 
> But that is exactly what febo.com is doing:
> 
> dig -t MX febo.com
> ...
> ;; ANSWER SECTION:
> febo.com.               495834  IN      MX      10 meow.febo.com.
> 
> dig meow.febo.com
> ...
> ;; ANSWER SECTION:
> meow.febo.com.          573937  IN      CNAME   febo.com.
> febo.com.               193364  IN      A       24.123.66.139
> 
> Having said that, the system which is doing the bouncing (conwin.ie) is
> brain-dead and doing something even worse - sending the bounce with no
> From: header (I assume, since my email server ends up putting a local
> From: on it to make the message RFC legal).
> 
> 
>

More information about the Time-nuts_lists.febo.com mailing list