kyle-qmail at memoryhole
Oct 23, 2008, 9:34 AM
Post #4 of 16
On Thursday, October 23 at 11:23 AM, quoth Vahid Moghaddasi:
> After so many years of faithful delivery, we have just noticed that
> all the mails to *.ibm.com fails with
> CNAME_lookup_failed_temporarily._(#4.4.3)/ and after queuelifetime it
> bounces back to user.
It would appear that IBM is violating the DNS spec, and sending
responses that are 716 bytes long.
> I upgraded a few servers from netqmail-1.05 to 1.06 which I assume
> has the DNS patch already in it
Why would you assume that?
Netqmail's website describes its patches as "the barest minimum number
of changes", fixing "only those things which are out-and-out wrong".
This DNS issue is NOT something that is out-and-out wrong on qmail's
part. On the contrary, IBM is wrong. The DNS standard (RFC 1035,
section 4.2.1) specifies that the maximum legal DNS response size is
    Messages carried by UDP are restricted to 512 bytes (not counting
    the IP or UDP headers). Longer messages are truncated and the TC
    bit is set in the header.
Qmail is obeying the DNS standard, and truncating messages that are
longer than 512 bytes. If people obey the DNS standard, qmail works
just fine. It is only when people violate that standard that qmail
stops being able to resolve their host names.
Thinking reasonably, any requirement that we impose in the DNS spec
will eventually be violated by someone. You could argue that qmail
should be able to handle any DNS response that can fit into a single
UDP packet (which has a maximum payload of 65,527 bytes). But what if
the server sends response packets in the wrong format? Why should the
internal format of the response specified by the DNS protocol be
treated as any more sacred than the "only 512 bytes" requirement? They
are equally arbitrary. At some point you have to say "no, that is
wrong, if you send invalid DNS packets, I won't understand them." As a
matter of policy, there is a balancing act to be done here: do you
change your software to attempt to compensate for protocol violations
(thereby encouraging a de facto rewriting of the DNS spec), or do you
obey the DNS protocol? How much of a protocol violation should your
server be willing to tolerate? The netqmail folks (and I consider
myself as one of them) have chosen to balance this question by
strongly encouraging people to abide by the specifications of the
protocols. There's nothing stopping you from using the DNS patch, of
course. But fundamentally, IBM is sending invalid responses, and they
need to fix that. Other large companies (such as AOL) have, for some
short periods of time, also violated the DNS spec in this and similar
ways, but with prodding, they have all corrected their software to
conform to the standard.
> Do I need to apply the patches (DNS and other) or it is already
> applied with 1.06?
You'll need to apply the DNS patch yourself, yes.
I am not myself apt to be alarmed at innovations recommended by
reason. That dread belongs to those whose interests or prejudices
shrink from the advance of truth and science.
-- Thomas Jefferson to John Manners, 1814
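The post turns on two facts from RFC 1035: a UDP reply may be at most 512 bytes, and a server that has more to say must truncate and set the TC bit. The script below is an added illustration written for this page, not code from the thread, from netqmail, or from qmail's own dns.c. It builds a constructed A-record reply for a made-up name, shows what a strict resolver with a 512-byte receive buffer is left with when a server sends an oversized reply anyway (the header still claims every answer, but the trailing records are gone, so a parser has to give up), and contrasts that with a spec-conforming truncated reply carrying TC. All function names, the sample name and the sample addresses are assumptions of this example.

```python
import struct

UDP_DNS_MAX = 512  # RFC 1035 section 4.2.1: UDP payload limit


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (labels or a compression pointer)."""
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            if pos + 2 > len(msg):
                raise ValueError("pointer cut off")
            return pos + 2
        pos += 1 + length  # length octet plus the label itself
        if length == 0:    # root label ends the name
            return pos


def count_parseable_answers(msg: bytes) -> tuple:
    """Walk the answer section; return (answers the header claims, answers actually present)."""
    hdr = parse_dns_header(msg)
    pos = 12
    for _ in range(hdr["qdcount"]):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    parsed = 0
    for _ in range(hdr["ancount"]):
        try:
            p = skip_name(msg, pos)
            if p + 10 > len(msg):      # TYPE, CLASS, TTL, RDLENGTH must all be present
                break
            rdlength = struct.unpack("!H", msg[p + 8:p + 10])[0]
            p += 10 + rdlength
            if p > len(msg):           # RDATA cut off
                break
        except ValueError:
            break
        pos = p
        parsed += 1
    return hdr["ancount"], parsed


def classify_udp_response(msg: bytes) -> str:
    """How a resolver that holds the sender to RFC 1035 sees one UDP datagram."""
    hdr = parse_dns_header(msg)
    if len(msg) > UDP_DNS_MAX:
        return "oversized"   # sender violated 4.2.1; nothing past byte 512 survives a 512-byte buffer
    if hdr["tc"]:
        return "truncated"   # sender obeyed the spec; answer is incomplete, ask again over TCP
    return "complete"


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_response(ident: int, qname: str, addrs: list, tc: bool = False) -> bytes:
    """Constructed A-record reply: QR/RD/RA set, one question, one A RR per address."""
    flags = 0x8180 | (0x0200 if tc else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


# Constructed sample: a hypothetical host with 43 A records (722-byte reply), in the
# same spirit as the 716-byte replies the post complains about.
SAMPLE_ADDRS = ["10.0.0.%d" % i for i in range(1, 44)]
OVERSIZED = build_a_response(0x1234, "mail.example.com", SAMPLE_ADDRS)
SEEN_BY_STRICT_RESOLVER = OVERSIZED[:UDP_DNS_MAX]   # what lands in a 512-byte buffer
CONFORMING = build_a_response(0x1234, "mail.example.com", SAMPLE_ADDRS[:29], tc=True)

if __name__ == "__main__":
    print(len(OVERSIZED), classify_udp_response(OVERSIZED))
    print(count_parseable_answers(SEEN_BY_STRICT_RESOLVER))  # header claims 43, only 29 present
    print(len(CONFORMING), classify_udp_response(CONFORMING))
```

The truncated buffer still has a header that promises 43 answers, so a parser that trusts the count walks off the end of the data and fails, which is the kind of failure the post reports. The conforming server instead fits as many records as it can into 498 bytes and sets TC, giving the resolver an unambiguous signal to retry over TCP.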