[RFCI-Discuss] wirralnews.com

Derek J. Balling dredd at megacity.org
Fri Sep 7 07:44:04 EDT 2007


On Sep 6, 2007, at 9:56 PM, Alex van den Bogaerdt wrote:
> It was my understanding that detecting the bogus MX record was
> no problem (and thus ". IN MX 0 mail.mydomain.com." would not
> trigger anyway) but detecting a bogus MX record in a bogus
> zone was the problem.  That's why I did not suggest actually
> checking the MX record (again).

Correct. Sorry if I misunderstood.

> You asked: "How can I tell WHO to query?". Well, dns delegation
> is defined but apparently not accepted by the nameservers which
> should have been authoritative.

But I have to keep those decisions completely separate from each other  
(NS determination versus MX lookup). For instance, more domains than  
you might suspect are set up like

	ROOT -> NS(1,2).DOMAINA.COM -> NS(A,B).OTHERDOMAIN.COM

In other words, where the roots say "DOMAINA's servers are auth", and  
DOMAINA says "not really, OTHERDOMAIN's are."

So, literally, the first thing we do is chase it down, looking for  
someone to authoritatively say "they're the nameserver". In this case,  
that fails.

> Still no authoritative answer, but you know where to look.

No, that's the fundamental issue... if you don't have an authoritative  
NS set, you DON'T know where to look. And if the people the parent  
zones said "they'll know for sure" tell you authoritatively, "There is  
no NS", then (programmatically) you've got no way of disproving it,  
short of ignoring the DNS rules yourself.

> So far you've started the quest because of a bogus MX record, and
> you've found out the zone has no NS either.  Nevertheless you ask
> the other name servers, and you look for SOA records.

I can ask all the servers that the "parent" zone said were  
authoritative, and if they all tell me "nobody is authoritative", then  
nobody is authoritative.

> Technically speaking, "*.mx.*." may not be a valid hostname. But
> it is a hostname which has no A record associated with it.

But it's being returned by a DNS server who isn't ("legally")  
authoritative. It'd be like me putting bogus MX records in a zone on  
my DNS server.... I can even claim to be authoritative, but if I'm not  
in the final authoritative NS set, my answer isn't worth the electrons  
or light that carried it to you.

> I really don't see why you would not list wirralnews.com. as it
> clearly matches http://www.rfc-ignorant.org/policy-bogusmx.php

It doesn't have any authoritative name servers. Thus, none of its  
"authoritative nameservers" are returning bogus records.

> Besides: how likely is it to forget adding NS records, SOA records
> *and* having a weird MX record like "@ 0 *.mx.*." and still having
> done all this by accident or as a result of ignorance?  Wouldn't
> some legitimate but stupid user soon find out he does not receive
> replies and have it fixed?

Not at all, because very few resolvers "do the right thing" and chase  
down the NS chain first. They'll just do the MX query against the host  
the parent zone pointed them to, and if they don't get a referral  
request, they accept it.

That kind of incompetence happens all the time. Just ask the number of  
people who do:

xxxx IN SOA (  a b c d e ) ;
xxxx IN CNAME www.mymaindomain.com.

which we all know you can't do.

Cheers,
D
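The order of checks Derek describes (establish an authoritative NS set first, and only then judge the MX) can be shown as a small iterative resolver. The following is an added example, not code from the thread or from rfc-ignorant.org; it runs against a constructed in-memory set of nameservers rather than the live DNS, and every name in it (a.root.test., domaina.com., otherdomain.com., good.example., badmx.example., the 192.0.2.25 address) is a placeholder. It models the chain from the message, ROOT -> NS(1,2).DOMAINA.COM -> NS(A,B).OTHERDOMAIN.COM, where the final servers answer authoritatively but serve no NS or SOA, and contrasts the NS-chasing check with the naive "ask whoever the parent points at and accept the answer" behaviour:

```python
# Added example (not part of the original thread): an iterative resolver
# that chases the NS delegation chain before trusting an MX answer, run
# against a constructed, in-memory set of nameservers. All names and the
# address below are placeholders, not real infrastructure.
import re
from dataclasses import dataclass, field

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)


def valid_hostname(name):
    """Host-name syntax check (RFC 1123 style): letters, digits, hyphens, no wildcards."""
    labels = name.rstrip(".").split(".")
    return all(LABEL.match(label) for label in labels)


def in_zone(qname, apex):
    return apex == "." or qname == apex or qname.endswith("." + apex)


@dataclass
class Response:
    aa: bool = False                               # server claimed authority for the name
    rrs: list = field(default_factory=list)        # answer rdata
    referral: list = field(default_factory=list)   # NS names to ask next


@dataclass
class Server:
    zones: dict = field(default_factory=dict)        # apex -> {(owner, type): [rdata]}
    delegations: dict = field(default_factory=dict)  # child apex -> [NS names]

    def query(self, qname, rtype):
        zone = max((z for z in self.zones if in_zone(qname, z)), key=len, default=None)
        deleg = max((d for d in self.delegations if in_zone(qname, d)), key=len, default=None)
        # A delegation below the closest zone we serve wins: hand out a referral.
        if deleg and (zone is None or len(deleg) > len(zone)):
            return Response(referral=self.delegations[deleg])
        if zone is not None:
            return Response(aa=True, rrs=list(self.zones[zone].get((qname, rtype), [])))
        return Response()  # not ours: no authority claimed, no referral either


# Constructed data modelling the thread's chain: the root delegates
# domaina.com. to ns1/ns2.domaina.com., which refer on to nsa/nsb.otherdomain.com.,
# and those answer authoritatively with only the odd MX, no NS, no SOA.
ROOT_SERVERS = ["a.root.test."]
OTHER = ["nsa.otherdomain.com.", "nsb.otherdomain.com."]
NO_NS_ZONE = {"domaina.com.": {("domaina.com.", "MX"): [(0, "*.mx.*.")]}}
NAMESERVERS = {
    "a.root.test.": Server(zones={".": {}}, delegations={
        "domaina.com.": ["ns1.domaina.com.", "ns2.domaina.com."],
        "good.example.": ["ns.good.example."],
        "badmx.example.": ["ns.badmx.example."],
    }),
    "ns1.domaina.com.": Server(delegations={"domaina.com.": OTHER}),
    "ns2.domaina.com.": Server(delegations={"domaina.com.": OTHER}),
    "nsa.otherdomain.com.": Server(zones=NO_NS_ZONE),
    "nsb.otherdomain.com.": Server(zones=NO_NS_ZONE),
    "ns.good.example.": Server(zones={"good.example.": {
        ("good.example.", "NS"): ["ns.good.example."],
        ("good.example.", "MX"): [(10, "mail.good.example.")],
        ("mail.good.example.", "A"): ["192.0.2.25"],
    }}),
    "ns.badmx.example.": Server(zones={"badmx.example.": {
        ("badmx.example.", "NS"): ["ns.badmx.example."],
        ("badmx.example.", "MX"): [(10, "mail.nowhere.invalid.")],  # no A record anywhere
    }}),
}


def lookup(qname, rtype, max_hops=8):
    """Walk referrals from the root; return the first authoritative Response, or None."""
    todo = list(ROOT_SERVERS)
    for _ in range(max_hops):
        next_hop = None
        for ns in todo:
            server = NAMESERVERS.get(ns)
            if server is None:
                continue  # delegated to a name with no reachable server
            r = server.query(qname, rtype)
            if r.referral:
                next_hop = r.referral
                break
            if r.aa:
                return r
        if next_hop is None:
            return None  # nobody on this hop claims authority or refers us on
        todo = next_hop
    return None


def authoritative_ns(name):
    r = lookup(name, "NS")
    return r.rrs if r and r.rrs else None


def classify(name):
    """NS set first; a bogus MX only counts once an authoritative server is serving it."""
    if authoritative_ns(name) is None:
        return "NO_AUTHORITATIVE_NS"
    mx = lookup(name, "MX")
    if mx is None or not mx.rrs:
        return "NO_MX"
    for _pref, host in mx.rrs:
        a = lookup(host, "A") if valid_hostname(host) else None
        if a is None or not a.rrs:
            return "BOGUS_MX"
    return "OK"


def naive_mx(name, max_hops=8):
    """What most resolvers do: ask whoever the parent points at, accept any non-referral answer."""
    todo = list(ROOT_SERVERS)
    for _ in range(max_hops):
        for ns in todo:
            server = NAMESERVERS.get(ns)
            if server is None:
                continue
            r = server.query(name, "MX")
            if r.referral:
                todo = r.referral
                break
            return [host for _p, host in r.rrs]
        else:
            return []
    return []


if __name__ == "__main__":
    for d in ("domaina.com.", "good.example.", "badmx.example."):
        print(d, classify(d), "naive MX:", naive_mx(d))
```

For domaina.com. the chasing resolver stops at NO_AUTHORITATIVE_NS, because the servers the parent handed it to say, authoritatively, that there is no NS set; the naive path follows the same referrals, never asks for NS, and accepts "*.mx.*." as the MX. Only badmx.example., whose authoritative server really does publish an MX with no address record, classifies as BOGUS_MX.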

