Is Hotmail in the habit of ignoring MX records?

Mark Andrews marka at isc.org
Mon Jul 30 17:03:30 UTC 2012


In message <CAP-guGVuNoqRhGw_UMVQtkJ-zToM8NGB2aLk=wjtc0J7Fh8XUw at mail.gmail.com>, William Herrin writes:
> On Thu, Jul 26, 2012 at 10:45 PM, Mark Andrews <marka at isc.org> wrote:
> > In message <B59A4092-CE2F-44E4-84F9-77C18493AD95 at kapu.net>, Michael J Wise writes:
> >> And maybe an endless loop for an MX lookup might be what is causing
> >> hotmail to panic and throw out the MX records.
> >
> > You don't look up MX records for MX targets.  This is basic MTA
> > processing.
> 
> Correct. An MX record points to a label containing one or more address
> records. It does not chain. In principle the MX record could point to
> a CNAME record which then chains until it reaches an address record
> but I wouldn't depend on such a configuration working correctly. Ditto
> the MX lookup fetching a CNAME which chains until it reaches a label
> with an MX record.
> 
> > You don't depend on ALL (ANY) returning MX records as they may not
> > be in the cache.  You need to make an explicit MX query if no
> > MX records are returned in response to an ALL query.
> 
> Also correct.
> 
> > If the MX lookup fails, as opposed to returns nodata, you don't
> > look up the A/AAAA records and synthesize an MX record.  You treat it
> > as a soft error and queue for retry later.  Again this is basic MTA
> > processing.
> 
> Maybe. In principle this is correct but as you wander through various
> bits of software in the name lookup process (which often consults more
> than just the DNS -- even today DNS isn't the only game in town) it's
> pretty easy to lose track of the difference between lookup failure and
> success:no data.

But it is the only one that returns MX records.  If that step
errors you need to retry later.  If you get NXDOMAIN you go onto
other address sources.

> Think about it... how is the MTA to respond if the primary lookup
> reports success:no data (e.g. /etc/hosts) but a second tier lookup
> (e.g. DNS) reports lookup failure? What if DNS is third tier and the
> second tier is some kind of CIFS or NIS lookup which fails?

MX records can't be looked up in /etc/hosts or in CIFS / NIS.  You
only look for address records *after* the MX lookup fails.

> Or reports
> success:no data. Or the DNS gets translated through a middleman (like
> NIS) which doesn't preserve the difference between fail and success no
> data. Does the whole lookup fail because part did? Gets ambiguous.
> 
> Further, falling back to the address lookup in the absence of MX
> records is correct behavior for an MTA.

The key words above are "in the absence".  Until you have determined
that they are absent you don't fall back.

> What *should* happen here is that the guy's web server should reject
> the port 25 connection (an SMTP soft fail condition) and on the next
> retry hotmail should find the MX record and follow it.

No.  It is perfectly legal for A to accept mail for B, B for C, C
for D and D for A with all mail being delivered to a host with a
different name than the mail domain.  It is not and never has been
correct processing to look up address records for a domain if the
MX lookup fails.  nodata/nxdomain are not failures.

> Either way, I think I'd have to consider this -advanced- MTA
> processing. You have to really know your stuff to get this one right.

No.  This is the behaviour you get with an MX-oblivious MTA.

> Regards,
> Bill Herrin
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
-- 
Mark Andrews, ISC 1 Seymour St., Dundas
Valley, NSW 2117, Australia PHONE: +61 2 9871 4742
INTERNET: marka at isc.org
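
The lookup order argued for in the message above, as an added example that is not part of the original post or of any MTA's code. The `query` hook, the sample zone and the 'bounce' outcome for a domain with no addresses at all are assumptions made for illustration.

```python
from enum import Enum

class Rcode(Enum):
    NOERROR = 0    # answer may still be empty (NODATA)
    SERVFAIL = 2   # stands in for any lookup failure, timeouts included
    NXDOMAIN = 3

def resolve_addrs(name, query):
    """Address records only: an MX target never gets an MX lookup of its own."""
    failed, addrs = False, []
    for rrtype in ("A", "AAAA"):
        rcode, recs = query(name, rrtype)
        failed |= rcode is Rcode.SERVFAIL
        addrs += recs
    return failed, addrs

def route_mail(domain, query):
    """Return (action, addresses); action is 'deliver', 'defer' or 'bounce'."""
    rcode, mx = query(domain, "MX")      # explicit MX query, not ALL/ANY
    if rcode is Rcode.SERVFAIL:
        # Absence of MX records is not established: soft error, no fallback.
        return ("defer", [])
    # NODATA and NXDOMAIN are answers, not failures: MX records are absent,
    # so fall back to the domain's own address records.
    targets = [t for _, t in sorted(mx)] if mx else [domain]
    failed, addrs = False, []
    for target in targets:
        f, a = resolve_addrs(target, query)
        failed |= f
        addrs += a
    if addrs:
        return ("deliver", addrs)
    return ("defer" if failed else "bounce", [])  # 'bounce' is an assumption

# Constructed sample data; any (name, type) not listed answers NXDOMAIN.
ZONE = {
    ("example.org", "MX"): (Rcode.NOERROR, [(20, "mx2.example.net"), (10, "mx1.example.net")]),
    ("mx1.example.net", "A"): (Rcode.NOERROR, ["192.0.2.10"]),
    ("mx2.example.net", "A"): (Rcode.NOERROR, ["192.0.2.20"]),
    ("nomx.example", "MX"): (Rcode.NOERROR, []),                # NODATA
    ("nomx.example", "A"): (Rcode.NOERROR, ["192.0.2.30"]),
    ("broken.example", "MX"): (Rcode.SERVFAIL, []),             # lookup failure
    ("broken.example", "A"): (Rcode.NOERROR, ["192.0.2.80"]),   # e.g. a web server
}
QUERIES = []  # log of queries issued, to show what was and was not asked

def sample_query(name, rrtype):
    QUERIES.append((name, rrtype))
    return ZONE.get((name, rrtype), (Rcode.NXDOMAIN, []))
```

With the sample zone, `broken.example` is deferred without its A record ever being queried, which is the case the thread is about.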



