Apply Jonathan de Boyne Pollard's any-to-cname patch. #97
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
modifies the behaviour of qmail-remote to remove the workaround that Dan Bernstein added on 1996-10-03 to work around a bug in BIND versions earlier than version 4.9.4. Applying this patch incurs a risk, but yields a benefit. It is published in order to allow others to experiment with removing the workaround. The risk is twofold: * qmail-remote will not be able to relay any mail if one's own proxy DNS server is such a version of BIND. This is trivially overcome by replacing such an old version of BIND either with a new version of BIND that doesn't have the problem or with some other proxy DNS server software entirely (such as dnscache). * qmail-remote will not be able to relay mail to domains whose content DNS servers use such versions of BIND, because the "CNAME" resource record lookup will fail. To gauge the level of this risk, notice that Dan's own 2002-12-17 survey of content DNS servers reports a mere 2% of the "*.com." content DNS servers as employing BIND version 4 (but doesn't report how many of that 2% employ BIND 4 versions earlier than 4.9.4). The benefit of this patch is that it reduces DNS query traffic and proxy DNS server cache load. * Without it, qmail-remote issues "ANY" queries. Some proxy DNS server softwares (albeit not dnscache) pass such queries through directly to the back end, meaning that every query issued by qmail-remote will result in a back-end query to a content DNS server, no matter if the necessary information is already cached. Moreover: The results of such a query, which are often a large collection of resource record sets of various types, are cached in the proxy DNS server's cache, even though almost none of them will be used. A caching proxy DNS server dedicated to serving qmail will end up with all sorts of cruft in its cache that isn't actually relevant to mail transportation, taking up space that could be better put to use caching those resource record sets that are relevant. * With it, qmail-remote issues "CNAME" queries. All of the mainstream proxy DNS server softwares in popular use (apart from dnscache, because it has problems in this regard) don't pass such queries directly through, and will answer them from their caches without issuing a back-end query at all if the data are already there and still current. Moreover: A caching proxy DNS server dedicated to serving qmail will not have its cache cluttered with irrelevant data.
alanpost
force-pushed
the
notqmail-dns-any-to-cname
branch
from
47c06f1 to
97a635e
Compare
schmonz
approved these changes
Sep 2, 2019
DerDakon
requested changes
Sep 2, 2019
mbhangui
approved these changes
Sep 2, 2019
|
Pleasure to meet you. This patch is hands down the most frequent issue we help with in the #qmail IRC channel on Freenode. If a person wanders in with delivery problems on their system it's likely to be resolved by applying this patch. The commit message is my good-faith effort to summarize your writing on the topic. I modified the author field in the commit to name you, as I have only curated your material. |
DerDakon
approved these changes
Sep 22, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
modifies the behaviour of qmail-remote to remove the workaround
that Dan Bernstein added on 1996-10-03 to work around a bug in
BIND versions earlier than version 4.9.4.
Applying this patch incurs a risk, but yields a benefit. It is
published in order to allow others to experiment with removing
the workaround.
The risk is twofold:
qmail-remote will not be able to relay any mail if one's own
proxy DNS server is such a version of BIND. This is trivially
overcome by replacing such an old version of BIND either with a
new version of BIND that doesn't have the problem or with some
other proxy DNS server software entirely (such as dnscache).
qmail-remote will not be able to relay mail to domains whose
content DNS servers use such versions of BIND, because the
"CNAME" resource record lookup will fail. To gauge the level of
this risk, notice that Dan's own 2002-12-17 survey of content DNS
servers reports a mere 2% of the "*.com." content DNS servers as
employing BIND version 4 (but doesn't report how many of that 2%
employ BIND 4 versions earlier than 4.9.4).
The benefit of this patch is that it reduces DNS query traffic
and proxy DNS server cache load.
Without it, qmail-remote issues "ANY" queries. Some proxy DNS
server softwares (albeit not dnscache) pass such queries through
directly to the back end, meaning that every query issued by
qmail-remote will result in a back-end query to a content DNS
server, no matter if the necessary information is already cached.
Moreover: The results of such a query, which are often a large
collection of resource record sets of various types, are cached
in the proxy DNS server's cache, even though almost none of them
will be used. A caching proxy DNS server dedicated to serving
qmail will end up with all sorts of cruft in its cache that isn't
actually relevant to mail transportation, taking up space that
could be better put to use caching those resource record sets
that are relevant.
With it, qmail-remote issues "CNAME" queries. All of the mainstream
proxy DNS server softwares in popular use (apart from dnscache,
because it has problems in this regard) don't pass such queries
directly through, and will answer them from their caches without
issuing a back-end query at all if the data are already there and
still current. Moreover: A caching proxy DNS server dedicated to
serving qmail will not have its cache cluttered with irrelevant
data.