Re: MX to CNAME and (mis)interpretation of 2821

2007-12-14 13:18:57

On Dec 14, 2007, at 9:30 AM, Frank Ellermann wrote:

Hector Santos wrote:

IMHO, 2821bis should state that "putting CNAMES as the target of MX records is not allowed, as stated in RFC 2181"

Good idea, maybe it helps to reduce the debates about this issue.

this still won't change the BCP requirement for "Industry Ready" software to recognize it.

That BCP has no number yet, and Doug can be very creative to turn anything in DNS into some kind of attack, with a slight prejudice against SPF's mx-mechanism ;-)

Ouch. The macro expansion of SPF can initiate subsequent DNS transactions against domains constructed from email header and parameter components passed to the processing routines. These automatically generated transactions thereby permit a cached RR to generate sizeable amounts of independently targeted traffic triggered by spam, but not logged by SMTP. The spam and SPF records can be crafted to facilitate DNS poisoning and/or DDoS attacks at _zero_ additional cost to spammers. Do not describe my concern as a _slight_ prejudice. MX records were used to just demonstrate this concern with available open-source SPF routines. Imagine how bad it might get when full IPv6 support is added to accommodate RFC 3974. :^(
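To make the macro-expansion point above concrete, here is an added illustration written for this page, not code from the thread or from any SPF library: it expands SPF macros following the RFC 7208 rules (the successor to the RFC 4408 rules in force in 2007) for a constructed record, sender, HELO name and IP, lists every DNS query name a verifier would generate, and marks the ones built from MAIL FROM or HELO data, which is exactly where the sender rather than the verifier decides what gets queried.

```python
import ipaddress
import re

# Constructed values throughout: the record, sender, HELO and IP are examples, not from the thread.
MACRO = re.compile(r"%\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)
DNS_TERM = re.compile(r"^[+\-~?]?(a|mx|ptr|exists|include|redirect)(?:[:=](.+))?$", re.IGNORECASE)
SENDER_SUPPLIED = "slohSLOH"  # %{s} %{l} %{o} come from MAIL FROM, %{h} from HELO

def expand_macros(spec, sender, domain, ip, helo):
    """RFC 7208 macro expansion for s, l, o, d, i, v, h (p omitted: it needs PTR lookups;
    the URL-encoding implied by uppercase macro letters is ignored)."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        ip_txt, rev_suffix = str(addr), "in-addr"
    else:  # IPv6: one nibble per label, as the macro rules require
        ip_txt, rev_suffix = ".".join(addr.exploded.replace(":", "")), "ip6"
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip_txt, "v": rev_suffix, "h": helo}

    def sub(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:  # keep only the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(sub, spec).replace("%%", "%").replace("%_", " ").replace("%-", "%20")

def dns_query_targets(record, sender, domain, ip, helo):
    """List (mechanism, expanded query name, sender_supplied) for every term that triggers a
    DNS lookup. sender_supplied is True when the name embeds MAIL FROM or HELO data, i.e. the
    query name varies per message under the sender's control (CIDR suffixes are not parsed)."""
    out = []
    for term in record.split()[1:]:
        m = DNS_TERM.match(term)
        if not m:
            continue
        spec = m.group(2) or "%{d}"  # bare a/mx/ptr query the current domain
        supplied = any(ch in SENDER_SUPPLIED for ch in re.findall(r"%\{(\w)", spec))
        out.append((m.group(1).lower(), expand_macros(spec, sender, domain, ip, helo), supplied))
    return out

def over_lookup_limit(targets, limit=10):
    """RFC 7208 caps DNS-querying terms at 10 per check; exceeding it is a permerror."""
    return len(targets) > limit
```

A verifier that logs the `sender_supplied` names alongside the SMTP session restores the correlation Doug notes is missing, since the DNS traffic is otherwise invisible in the SMTP logs.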