Message-Id: <9610041804.AA26204@lupine.techfak.uni-bielefeld.de>
To: drums@cs.utk.edu
Subject: Re: cname lookup effort
In-Reply-To: Your message of "04 Oct 1996 16:07:30 -0000." <19961004160730.19279.qmail@koobera.math.uic.edu>
X-Organization: Uni Bielefeld, Technische Fakultaet
Date: Fri, 04 Oct 1996 20:04:05 +0200
From: Peter Koch

> For a MAIL command, there's no reason for the client to be interested in
> anything other than the CNAME result.

1) CNAME query succeeds
2) CNAME query fails
   a) NXDOMAIN
   b) NOERROR

(1) and (2a) indicate violations of RFC1123 but (2b) may or may not,
depending on what RRs really exist for the domain name in question.
Take the following example: cs.nowhere.edu owns neither A nor MX RRs.
Upon receiving a "MAIL FROM: juser@cs.nowhere.edu" you check for a CNAME
for "cs.nowhere.edu" and the answer is case (2b). However, the mail
address is invalid, so nothing is won.

If the client is trying to verify the input it should do the complete
work. The main requirement is that the domain name must be an FQDN that
"identifies a host directly or is an MX name", so for a test these two
cases should be checked for. Then the answer section of the DNS response
can be searched for CNAME RRs. The CNAME ban is marginal.

> point. The question is whether, _given_ that DNS has records violating
> this common assumption, the client is violating RFC 1123. Does ``cannot
> be a CNAME'' mean ``cannot be a domain with exactly one record, namely a
> CNAME''?

The mail system is not supposed to be a DNS debugging tool. Detecting or
preventing those violations should be left to the DNS, so one should be
allowed to trust a CNAME being unique. This will not violate the
robustness principle.

-Peter
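
The check described in the message above (test for MX and A data first, then search the answer section for CNAME RRs), next to the CNAME-only test it argues against, as an added example that is not part of the original message. The toy resolver, the zone data and the function names are constructed for illustration; only `cs.nowhere.edu` comes from the message.

```python
# Constructed zone data: owner name -> {RR type: [rdata]}.
ZONE = {
    "example.org":       {"MX": ["10 mail.example.org"]},
    "mail.example.org":  {"A": ["192.0.2.10"]},
    "alias.example.org": {"CNAME": ["mail.example.org"]},
    "cs.nowhere.edu":    {"TXT": ["name exists, but owns neither A nor MX"]},
}

def query(name, qtype, zone=ZONE):
    """Toy resolver: returns (rcode, answer section), following CNAMEs
    and listing them in the answer as a recursive resolver does."""
    name, answer = name.lower().rstrip("."), []
    for _ in range(8):                      # bound the alias chain
        rrsets = zone.get(name)
        if rrsets is None:
            return "NXDOMAIN", answer
        if qtype in rrsets:
            answer += [(name, qtype, r) for r in rrsets[qtype]]
            return "NOERROR", answer
        if "CNAME" not in rrsets:
            return "NOERROR", answer        # name exists, no data of this type
        target = rrsets["CNAME"][0]
        answer.append((name, "CNAME", target))
        name = target
    return "SERVFAIL", answer

def cname_only_check(domain):
    """CNAME-only lookup: returns the case labels used in the message."""
    rcode, answer = query(domain, "CNAME")
    if rcode == "NXDOMAIN":
        return "2a"
    return "1" if answer else "2b"

def full_check(domain):
    """Require MX or A data, then look for CNAME RRs in the same answer."""
    for qtype in ("MX", "A"):
        rcode, answer = query(domain, qtype)
        if rcode == "NXDOMAIN":
            return ("invalid", "NXDOMAIN")
        if any(t == qtype for _, t, _ in answer):
            aliased = any(t == "CNAME" for _, t, _ in answer)
            return ("alias" if aliased else "valid", qtype)
    return ("invalid", "no MX or A")

if __name__ == "__main__":
    for d in ("example.org", "cs.nowhere.edu", "alias.example.org", "nosuch.example.org"):
        print(f"{d:20} cname-only={cname_only_check(d):3} full={full_check(d)}")
```

The CNAME-only test returns the same case (2b) for `example.org` and for `cs.nowhere.edu`, while the full check separates them and still reports the alias.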