Postfix DNS resolver blindly relying on cached Additional section?

  • Dominik George
    Message 1 of 11 , Oct 9, 2013
      Hi,

      while debugging the Google/IPv6 issue, we discovered something strange.
      Our uplink provider operates caching DNS servers, and they reply with a
      rather detailed Additional section when asked for MX records, but only
      with cached results.

      For example, if example.com has an MX record pointing to mx.example.com,
      and mx.example.com has one A and one AAAA record, then the caching DNS
      server will return as many of those records as it has cached in memory.
      As most systems using the cache seem to only ask for A records, A
      records appear to be cached more often than AAAA records, but that is
      irrelevant.

      Most tools, mainly libc's resolver, seem to ignore the Additional
      section and resolve relevant names on their own, explicitly asking for
      the RR types they are interested in, and that's what seems to be
      appropriate. Postfix, however, seems to rely on the Additional section
      (if it has at least one RR for the MX host?), missing out on any records
      that might be there but not cached by the uplink DNS server.

      We do not quite see a situation where this might break badly, because
      normally one MX result is to be considered as good as any other, but I
      still wanted to ask whether this behaviour is intentional and the
      limitations are known.

      Cheers,
      Nik

      --
      <Natureshadow> So which server is that on now…?
      <mirabilos> If it doesn't come over the network, at Hetzner; if it isn't
      read, at STRATO; if it works, at manitu.

      PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
    • Viktor Dukhovni
      Message 2 of 11 , Oct 9, 2013
        On Thu, Oct 10, 2013 at 12:47:34AM +0200, Dominik George wrote:

        > Most tools, mainly libc's resolver, seem to ignore the Additional
        > section and resolve relevant names on their own, explicitly asking for
        > the RR types they are interested in, and that's what seems to be
        > appropriate. Postfix, however, seems to rely on the Additional section
        > (if it has at least one RR for the MX host?), missing out on any records
        > that might be there but not cached by the uplink DNS server.

        Postfix does not look at additional records. However a local DNS
        cache on the machine running Postfix may well cache additional
        records from an upstream resolver, and if /etc/resolv.conf points
        at 127.0.0.1 (or perhaps its twin in the Postfix chroot jail), then
        Postfix may get those results in the answer section when it asks
        for the A records of MX hosts.

        > We do not quite see a situation where this might break badly, because
        > normally one MX result is to be considered as good as any other, but I
        > still wanted to ask whether this behaviour is intentional and the
        > limitations are known.

        This behaviour is not intentional, it is fictional.

        --
        Viktor.
      • Wietse Venema
        Message 3 of 11 , Oct 9, 2013
          Viktor Dukhovni:
          > On Thu, Oct 10, 2013 at 12:47:34AM +0200, Dominik George wrote:
          >
          > > Most tools, mainly libc's resolver, seem to ignore the Additional
          > > section and resolve relevant names on their own, explicitly asking for
          > > the RR types they are interested in, and that's what seems to be
          > > appropriate. Postfix, however, seems to rely on the Additional section
          > > (if it has at least one RR for the MX host?), missing out on any records
          > > that might be there but not cached by the uplink DNS server.
          >
          > Postfix does not look at additional records. However a local DNS
          > cache on the machine running Postfix may well cache additional
          > records from an upstream resolver, and if /etc/resolv.conf points
          > at 127.0.0.1 (or perhaps its twin in the Postfix chroot jail), then
          > Postfix may get those results in the answer section when it asks
          > for the A records of MX hosts.
          >
          > > We do not quite see a situation where this might break badly, because
          > > normally one MX result is to be considered as good as any other, but I
          > > still wanted to ask whether this behaviour is intentional and the
          > > limitations are known.
          >
          > This behaviour is not intentional, it is fictional.

          Confirmed, Postfix looks at the answer section only. Claims to
          the contrary are based on false speculation.

          Wietse
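
The distinction drawn in the two replies above, as an added example that is not part of the thread and not Postfix code: a constructed MX response is parsed section by section, showing that a cached A record in the Additional section never appears in the Answer section, so a client that reads only the Answer section still looks up each MX host itself. The sample message, the address 192.0.2.25 and the helper names are assumptions made for the illustration.

```python
import struct

TYPES = {1: "A", 15: "MX", 28: "AAAA"}

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:            # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response():
    """Constructed MX reply: the cache holds only the A record of the MX host."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", 15, 1)
    answer = rr("example.com", 15, struct.pack("!H", 10) + encode_name("mx.example.com"))
    additional = rr("mx.example.com", 1, bytes([192, 0, 2, 25]))
    return header + question + answer + additional

def parse_sections(msg):
    """Return {section: [(owner, type, mx_target_or_None), ...]}."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QNAME, QTYPE, QCLASS
    out = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            target = read_name(msg, off + 12)[0] if rtype == 15 else None
            out[section].append((owner, TYPES.get(rtype, str(rtype)), target))
            off += 10 + rdlen
    return out

def address_queries(sections):
    """Follow-up lookups of an answer-section-only client (assumes both families on)."""
    hosts = [t for _, rtype, t in sections["answer"] if rtype == "MX"]
    return [(h, qtype) for h in hosts for qtype in ("A", "AAAA")]
```
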
        • Dominik George
          Message 4 of 11 , Oct 9, 2013
            > Confirmed, Postfix looks at the answer section only. Claims to
            > the contrary are based on false speculation.

            Hmm, that leads us to the original question:

            Why does postfix sometimes not find the AAAA record for any given MX?

            -nik

            --
            # apt-assassinate --help
            Usage: apt-assassinate [upstream|maintainer] <package>

            PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
          • Wietse Venema
            Message 5 of 11 , Oct 9, 2013
              Dominik George:
              > > Confirmed, Postfix looks at the answer section only. Claims to
              > > the contrary are based on false speculation.
              >
              > Hmm, that leads us to the original question:
              >
              > Why does postfix sometimes not find the AAAA record for any given MX?

              Don't shoot the messenger of bad news. Ask the DNS server.

              Wietse
            • Viktor Dukhovni
              Message 6 of 11 , Oct 9, 2013
                On Thu, Oct 10, 2013 at 01:58:45AM +0200, Dominik George wrote:

                > > Confirmed, Postfix looks at the answer section only. Claims to
                > > the contrary are based on false speculation.
                >
                > Hmm, that leads us to the original question:
                >
                > Why does postfix sometimes not find the AAAA record for any given MX?

                It does not fail to find it. It just uses IPv4. See:

                http://www.postfix.org/postconf.5.html#smtp_address_preference

                The documentation for

                http://www.postfix.org/postconf.5.html#inet_protocols

                is sadly I believe out of date. The sentence:

                When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                client will attempt to connect via IPv6 before attempting to
                use IPv4.

                is no longer accurate. That is only true when

                smtp_address_preference = ipv6

                The correct description is:

                When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                client, for Postfix versions prior to 2.8, will attempt to
                connect via IPv6 before attempting to use IPv4. Starting
                with 2.8 protocol preference is controlled via the new
                smtp_address_preference parameter.

                --
                Viktor.
              • Wietse Venema
                Message 7 of 11 , Oct 9, 2013
                  Viktor Dukhovni:
                  > On Thu, Oct 10, 2013 at 01:58:45AM +0200, Dominik George wrote:
                  >
                  > > > Confirmed, Postfix looks at the answer section only. Claims to
                  > > > the contrary are based on false speculation.
                  > >
                  > > Hmm, that leads us to the original question:
                  > >
                  > > Why does postfix sometimes not find the AAAA record for any given MX?
                  >
                  > It does not fail to find it. It just uses IPv4. See:
                  >
                  > http://www.postfix.org/postconf.5.html#smtp_address_preference
                  >
                  > The documentation for
                  >
                  > http://www.postfix.org/postconf.5.html#inet_protocols
                  >
                  > is sadly I believe out of date. The sentence:
                  >
                  > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                  > client will attempt to connect via IPv6 before attempting to
                  > use IPv4.
                  >
                  > is no longer accurate. That is only true when
                  >
                  > smtp_address_preference = ipv6
                  >
                  > The correct description is:
                  >
                  > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                  > client, for Postfix versions prior to 2.8, will attempt to
                  > connect via IPv6 before attempting to use IPv4. Starting
                  > with 2.8 protocol preference is controlled via the new
                  > smtp_address_preference parameter.

                  I make that:

                  When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                  client will choose the protocol as specified with the
                  smtp_address_preference parameter. Postfix versions before 2.8
                  attempt to connect via IPv6 before attempting to use IPv4.

                  Text should describe current behavior before historical behavior.

                  Wietse
                • Dominik George
                  Message 8 of 11 , Oct 9, 2013
                    > The correct description is:
                    >
                    > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                    > client, for Postfix versions prior to 2.8, will attempt to
                    > connect via IPv6 before attempting to use IPv4. Starting
                    > with 2.8 protocol preference is controlled via the new
                    > smtp_address_preference parameter.

                    That's not the case on two independent systems here. Whether IPv4 or
                    IPv6 is used is completely random. This:

                    for i in $(seq 1 30); do
                    echo bar$i | mail -s foo$i someone@...
                    done

                    has led to ~10 mails being sent with IPv6 and ~20 mails being sent with
                    IPv4 in our tests.

                    -nik

                    --
                    <burny> One Jabber account to find them all, into the darkness to drive
                    them and forever bind them; in NaturalNet, where the shadows loom ;)!

                    PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
                  • Viktor Dukhovni
                    Message 9 of 11 , Oct 9, 2013
                      On Thu, Oct 10, 2013 at 02:39:41AM +0200, Dominik George wrote:

                      > > The correct description is:
                      > >
                      > > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                      > > client, for Postfix versions prior to 2.8, will attempt to
                      > > connect via IPv6 before attempting to use IPv4. Starting
                      > > with 2.8 protocol preference is controlled via the new
                      > > smtp_address_preference parameter.
                      >
                      > That's not the case on two independent systems here. Whether IPv4 or
                      > IPv6 is used is completely random. This:

                      "The case" is exactly as described. Random by design. This is the
                      intended behaviour of

                      smtp_address_preference = any

                      With a static preference, Postfix may fail to deliver mail to a
                      reachable destination, just because enough IPv4 or enough IPv6
                      addresses are dead. Remember, Postfix tries a limited number of
                      MX addresses per delivery.

                      --
                      Viktor.
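
The argument in the message above, worked through as an added example that is not part of the thread and not Postfix's selection code: a simplified model in which a static preference sorts one address family first, "any" is treated as a uniformly random order, and only a capped number of addresses is tried per delivery. The destination, the cap value and the function names are assumptions; Postfix exposes the cap as smtp_mx_address_limit.

```python
from fractions import Fraction
from math import comb

def static_order(addrs, first):
    """Static preference: every address of family `first` ahead of the other family."""
    return sorted(addrs, key=lambda a: a[0] != first)   # stable sort keeps DNS order

def delivers(ordered, limit):
    """True if at least one of the first `limit` addresses tried is reachable."""
    return any(alive for _, alive in ordered[:limit])

def any_failure_probability(addrs, limit):
    """Chance that a uniformly random order puts only dead addresses in the
    first `limit` slots: C(dead, limit) / C(total, limit)."""
    dead = sum(1 for _, alive in addrs if not alive)
    k = min(limit, len(addrs))
    return Fraction(comb(dead, k), comb(len(addrs), k))

# Constructed destination: five IPv6 addresses, all unreachable, and five
# reachable IPv4 addresses, all at the same MX preference.
ADDRS = [("ipv6", False)] * 5 + [("ipv4", True)] * 5
LIMIT = 5   # assumed cap on addresses tried per delivery (smtp_mx_address_limit)

def summary(addrs=ADDRS, limit=LIMIT):
    """Outcome per setting: bool for the static orders, failure odds for 'any'."""
    return {
        "ipv6": delivers(static_order(addrs, "ipv6"), limit),
        "ipv4": delivers(static_order(addrs, "ipv4"), limit),
        "any_failure_probability": any_failure_probability(addrs, limit),
    }
```

With these inputs the static IPv6 order spends the whole cap on dead addresses on every attempt, while the random order does so in 1 of 252 attempts.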
                    • Patrik Båt
                      Message 10 of 11 , Feb 11, 2014
                        On 2013-10-10 02:18, Viktor Dukhovni wrote:
                        >
                        > It does not fail to find it. It just uses IPv4. See:
                        >
                        > http://www.postfix.org/postconf.5.html#smtp_address_preference
                        >
                        > The documentation for
                        >
                        > http://www.postfix.org/postconf.5.html#inet_protocols
                        >
                        > is sadly I believe out of date. The sentence:
                        >
                        > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                        > client will attempt to connect via IPv6 before attempting to
                        > use IPv4.

                        Oooh, nice to find this, but documentation isn't updated, and telling me
                        that smtp_address_preference = ipv6 is insecure, is it still insecure
                        tho? I'm using postfix 2.9.3 and postfix 2.9.6

                        > is no longer accurate. That is only true when
                        >
                        > smtp_address_preference = ipv6
                        >
                        > The correct description is:
                        >
                        > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                        > client, for Postfix versions prior to 2.8, will attempt to
                        > connect via IPv6 before attempting to use IPv4. Starting
                        > with 2.8 protocol preference is controlled via the new
                        > smtp_address_preference parameter.
                        >
                      • Wietse Venema
                        Message 11 of 11 , Feb 11, 2014
                          Patrik Båt:
                          > > The correct description is:
                          > >
                          > > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
                          > > client, for Postfix versions prior to 2.8, will attempt to
                          > > connect via IPv6 before attempting to use IPv4. Starting
                          > > with 2.8 protocol preference is controlled via the new
                          > > smtp_address_preference parameter.

                          The Postfix 2.11 manpage says:

                          "When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
                          will choose the protocol as specified with the smtp_address_preference
                          parameter. Postfix versions before 2.8 attempt to connect via IPv6
                          before attempting to use IPv4."

                          That is, it describes current behavior before historical behavior.

                          Wietse