> On Mar 9, 2015, at 10:54 AM, Tony Finch <d...@dotat.at> wrote:
>
> D. J. Bernstein <d...@cr.yp.to> wrote:
>
>> My "qmail" software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed to work by the mandatory DNS standards.
>
> There are three bugs in the way qmail uses ANY queries.
>
> (1) qmail uses ANY queries for domain canonicalization on outgoing messages, as specified by RFC 1123. But canonicalization is not required by the current SMTP specification. It is a waste of time. Fixing this bug would make bug (3) moot.
>
> (2) qmail's DNS response buffer is too small to accommodate a complete DNS message, so it fails if it gets a large response. It uses the low-level libc resolver API which can easily handle large responses, including fallback to TCP, so it is a pity that qmail breaks this part of the resolver's functionality. This bug means it is not guaranteed to work.
>
> (3) Using an ANY query suppresses alias processing, so qmail makes a series of queries to follow CNAME chains. This is inefficient and wasteful. If you make an A or MX query, the DNS server will chase the CNAME chain for you, so you only need to make one query to get the canonical name.
Even ignoring whether qmail is "broken" (I would rather classify it as "could do better"), deprecating the ANY qtype is going to have some significant side effects on users troubleshooting DNS problems. I'm very sensitive to the abuse of ANY queries, but this is something where I feel there are sufficient controls that exist to mitigate the issues, namely using TC=1 to direct well-behaving clients to receive a valid response.

dnsop-any-notimp violates the principle of least surprise in technology by returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more appropriate with the existing definitions.

Much of this is triggered by bad coding practices and bad networking examples that are littered around codebases, e.g.: gethostbyname() vs getnameinfo(), and by broken behaviors by nscd and other OS/LIBC implementations that also violate the principle of least surprise.

- Jared

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
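As an added illustration of the client-side behaviour the thread argues about (this is not code from qmail, from dnsop-any-notimp, or from any poster): a minimal DNS query builder and a response-header classifier. The three constructed responses model the cases named above: a TC=1 truncated reply that a well-behaving client retries over TCP, the NOTIMP reply proposed by dnsop-any-notimp, and the NOERROR/ANCOUNT=0 reply suggested as the less surprising alternative. The function names `build_query`, `make_response` and `classify_response` and the sample data are my own assumptions.

```python
import struct

# DNS header flag bits and RCODE values from RFC 1035 section 4.1.1.
FLAG_QR = 0x8000        # response (1) vs query (0)
FLAG_TC = 0x0200        # message truncated; client should retry over TCP
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_NOTIMP = 4
QTYPE_ANY = 255
QCLASS_IN = 1


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def make_response(query: bytes, flags: int, ancount: int = 0) -> bytes:
    """Constructed test data: echo the question back under the given header
    flags. Answer RRs are not synthesised; only ANCOUNT is set."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


def classify_response(msg: bytes, expected_id: int = 0x1234) -> str:
    """Decide what a well-behaving client should do with a reply, looking only
    at the 12-byte header (which is all the TC/RCODE decision needs)."""
    if len(msg) < 12:
        return "malformed"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id or not flags & FLAG_QR:
        return "malformed"
    if flags & FLAG_TC:
        return "retry-over-tcp"      # the TC=1 control Jared refers to
    rcode = flags & RCODE_MASK
    if rcode == RCODE_NOTIMP:
        return "notimp"              # dnsop-any-notimp behaviour
    if rcode == RCODE_NOERROR and ancount == 0:
        return "empty-answer"        # NOERROR/ANCOUNT=0 alternative
    if rcode == RCODE_NOERROR:
        return f"answer:{ancount}"
    return f"rcode:{rcode}"


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    for label, flags in (("tc", 0x8380), ("notimp", 0x8184), ("noerror", 0x8180)):
        print(label, classify_response(make_response(q, flags)))
```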