On Wed, Feb 12, 2014 at 08:43:55PM +0000, Viktor Dukhovni wrote:
> Likely the DNS for this name is handled
> by a DNS load-balancing appliance that is poorly prepared to handle
> unexpected RR types (i.e. is a broken hack that works only in the
> expected case).
The breakage is deep! When you ask the authoritative server for
an MX record, it returns instead an A record for the requested name
and an MX record for an unrelated name (whose A record is in turn
in the additional section):
$ dig -t mx cluster1a.sa.messagelabs.com @ns.us.symsaas.net
; <<>> DiG 9.8.0rc1 <<>> -t mx cluster1a.sa.messagelabs.com @ns.us.symsaas.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34142
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;cluster1a.sa.messagelabs.com. IN MX
;; ANSWER SECTION:
cluster1a.sa.messagelabs.com. 30 IN A 196.14.170.67
cluster1.sa.messagelabs.com. 30 IN MX 10 cluster1.sa.messagelabs.com.
;; AUTHORITY SECTION:
sa.messagelabs.com. 500 IN NS ns.us.symsaas.net.
sa.messagelabs.com. 500 IN NS ns.eu.symsaas.net.
sa.messagelabs.com. 500 IN NS ns.ap.symsaas.net.
;; ADDITIONAL SECTION:
cluster1.sa.messagelabs.com. 30 IN A 196.14.170.83
;; Query time: 13 msec
;; SERVER: 67.219.252.10#53(67.219.252.10)
;; WHEN: Wed Feb 12 21:59:42 2014
;; MSG SIZE rcvd: 174
I've not seen such creative mishandling of DNS for a while. If
anyone on this list is at Symantec (or Messagelabs), please report this
to the folks who operate the DNS gear. It is broken.
--
Viktor.
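
Added example, not part of the original message: a small Python check that reads dig output and lists ANSWER-section records that do not answer the question asked (wrong owner name or wrong RR type, with CNAME chains allowed). The function names are hypothetical, and the sample is the question and answer portion of the dig output quoted above.

```python
import re

# Sample: excerpt of the dig output quoted in the message above.
SAMPLE = """\
;; QUESTION SECTION:
;cluster1a.sa.messagelabs.com. IN MX
;; ANSWER SECTION:
cluster1a.sa.messagelabs.com. 30 IN A 196.14.170.67
cluster1.sa.messagelabs.com. 30 IN MX 10 cluster1.sa.messagelabs.com.
;; AUTHORITY SECTION:
sa.messagelabs.com. 500 IN NS ns.us.symsaas.net.
"""

def parse_sections(dig_text):
    """Split dig output into {section name: [record lines]}."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line.strip() and not line.startswith(";;"):
            current.append(line.strip())
    return sections

def unrelated_answers(dig_text):
    """Return ANSWER records (name, type, rdata) that do not match the question."""
    sections = parse_sections(dig_text)
    # The question line looks like ";name. IN MX".
    qname, _qclass, qtype = sections["QUESTION"][0].lstrip(";").split()
    owners = {qname.lower()}  # names that may legitimately own an answer RR
    bad = []
    for line in sections.get("ANSWER", []):
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        name = name.lower()
        if name in owners and rtype == "CNAME":
            owners.add(rdata.lower())  # follow the alias chain
        elif name in owners and qtype in (rtype, "ANY"):
            continue  # a genuine answer to the question
        else:
            bad.append((name, rtype, rdata))
    return bad

if __name__ == "__main__":
    for rr in unrelated_answers(SAMPLE):
        print("does not answer the question:", *rr)
```

Both answer records in the quoted response are flagged: the A record has the right owner name but the wrong type, and the MX record has the right type but a different owner name.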