Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Richard Clayton via mailop
In message <601b01c7-1475-32e0-5aba-e595272e9...@tnetconsulting.net>,
Grant Taylor via mailop  writes

>My concern is that Yahoo / AOL isn't creating an arbitrary "every domain 
>must have an SOA record" and completely losing sight of the fact that 
>SOAs belong to the /zone/ apex and are not associated with /domain/s.

One more time ... I can see two people have already explained this
clearly, but perhaps three's a charm?

The check is whether there is an SOA record for the domain used in the
RFC5321 MAIL FROM. If there is not, then a check is made for an SOA for
the administrative domain (using the DMARC approach to determining the
administrative domain which involves consulting the Public Suffix List).

So if you use a.b.c.tld then the check will be for an SOA for a.b.c.tld
(which in many cases would not exist) and then for an SOA on c.tld

What is turning out to be problematic for some people is that "tld" is
any entry on the PSL -- so, to take the recent example when the MAIL
FROM is a.b.c.or.us then because or.us is on the PSL then checks will be
made for an SOA at a.b.c.or.us and then for c.or.us

If it is problematic then as Marcel pointed out, the postmaster team at
Yahoo are pleased to help.

It does seem to me (viz: this is a personal opinion and not that of
$DAYJOB) that some entries have been put onto the PSL by people who do
not fully understand that they are declaring "treat this as a TLD"
without thinking through all of the implications for cookies, for DMARC
and for anyone who is trying to understand whether a domain exists or
has merely been invented by a spammer -- so that every email they send
can evade domain-based reputation systems.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Gellner, Oliver via mailop

> On 13.07.2023 at 20:52 Robert L Mathews via mailop wrote:
>
> On 7/13/23 11:12 AM, Jarland Donnell via mailop wrote:
>> Perhaps it's going off topic and apologies if so, but this makes me wonder a 
>> second thing. Who is, and why are they, adding subdomains to the PSL when 
>> subdomains above that in hierarchy are in the same zone file?
>
> Some domains that offer service to other people via subdomains do this to 
> prevent sharing of cookies, etc., between the subdomains.

Yes, cookies are not supposed to be shared between different apex domains. 
Neither are DNS zones :)

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, Register Court Mannheim, HRB 104927
Managing Directors: Christoph Werner, Martin Dallmeier, Roman Melcher

Data protection information
When you contact us, for example if you have questions for our ServiceCenter, 
shop with us or visit our dialogicum in Karlsruhe, have a business relationship 
with us or apply for a job with us, we process personal data. Information on, 
among other things, the specific data processing operations, deletion periods, 
your rights and the contact details of our data protection officer can be found 
here.


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Gellner, Oliver via mailop

> On 13.07.2023 at 17:55 Bill Cole via mailop wrote:
>
> It's not at all logically hard to meet that arbitrary requirement, you just 
> need a zone cut everywhere you have a MX record. I've run a DNS and mail 
> hosting environment that way. Zone files are very small and numerous. 
> *Logistically* changing an existing zone with many MXs for subdomains to that 
> model could be a serious chore.

It has already been mentioned in the discussion last month but to reiterate: 
You can send emails from random.subdomain.scconsult.com to Yahoo just fine as 
long as scconsult.com has a SOA record, which is and has always been mandatory 
anyway. IMHO this requirement by Yahoo is a non-issue and automatically met by 
everyone except three groups:
1. Domains with misconfigured DNS as seen in this thread.
2. DNS zones that span multiple different organizational domains, as seen 
in the thread last month. Domains under different administrative control must 
not share the same SOA record.
3. Emails from made-up domain names, ie from spammers or other miscreants.

—
BR Oliver





Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Robert L Mathews via mailop

On 7/13/23 11:12 AM, Jarland Donnell via mailop wrote:
Perhaps it's going off topic and apologies if so, but this makes me 
wonder a second thing. Who is, and why are they, adding subdomains to 
the PSL when subdomains above that in hierarchy are in the same zone file?


Some domains that offer service to other people via subdomains do this 
to prevent sharing of cookies, etc., between the subdomains.


For example, "a6a2a5081647f0470.awsglobalaccelerator.com" and 
"ab39e1e4da31f5b08.awsglobalaccelerator.com" are both run by Amazon AWS 
and in the same zone, but the content of those two subdomains is 
controlled by two entities who shouldn't trust each other, so 
"awsglobalaccelerator.com" is on the PSL to (hopefully) prevent their 
data from being combined.


--
Robert L Mathews


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Jarland Donnell via mailop



Perhaps it's going off topic and apologies if so, but this makes me 
wonder a second thing. Who is, and why are they, adding subdomains to 
the PSL when subdomains above that in hierarchy are in the same zone 
file?


On 2023-07-13 13:06, Robert L Mathews via mailop wrote:


On 7/13/23 10:44 AM, Jaroslaw Rafa via mailop wrote:

If .tld is on PSL, then example.tld will be the organizational domain. 
And
it definitely should have its own zone file, so it should have SOA. I 
can't

imagine a scenario in which it doesn't.


An example is something like "apc.homeoffice.gov.uk": its parent 
"homeoffice.gov.uk" is on the PSL, but both appear to be part of the 
same zone:


$ dig apc.homeoffice.gov.uk SOA

... QUERY: 1, ANSWER: 0, AUTHORITY: 1 ...

;; AUTHORITY SECTION:
homeoffice.gov.uk.


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Robert L Mathews via mailop

On 7/13/23 10:44 AM, Jaroslaw Rafa via mailop wrote:


If .tld is on PSL, then example.tld will be the organizational domain. And
it definitely should have its own zone file, so it should have SOA. I can't
imagine a scenario in which it doesn't.


An example is something like "apc.homeoffice.gov.uk": its parent 
"homeoffice.gov.uk" is on the PSL, but both appear to be part of the 
same zone:


 $ dig apc.homeoffice.gov.uk SOA

 ... QUERY: 1, ANSWER: 0, AUTHORITY: 1 ...

 ;; AUTHORITY SECTION:
 homeoffice.gov.uk.

--
Robert L Mathews


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Bill Cole via mailop

On 2023-07-13 at 12:06:45 UTC-0400 (Thu, 13 Jul 2023 11:06:45 -0500)
Grant Taylor via mailop 
is rumored to have said:


On 7/13/23 10:49 AM, Bill Cole via mailop wrote:
It's not at all logically hard to meet that arbitrary requirement, 
you just need a zone cut everywhere you have a MX record. I've run a 
DNS and mail hosting environment that way. Zone files are very small 
and numerous. *Logistically* changing an existing zone with many MXs 
for subdomains to that model could be a serious chore.


I question the veracity of "need a zone cut everywhere you have an MX 
record".


My current working understanding is "you need a zone cut for domains 
immediately subordinate of the PSL".


Right. I was speaking more directly to the OP's situation where they 
already have a big zone rooted at a PSL-listed domain and a lot of 
subdomains.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Jaroslaw Rafa via mailop
Dnia 13.07.2023 o godz. 10:23:24 Robert L Mathews via mailop pisze:
> 
> But anyway, if other people have this trouble, note that it can
> happen whether the MAIL FROM domain name is directly at a PSL
> breakpoint or not. The issue is just that there's no SOA found at
> the MAIL FROM domain name level, nor at the PSL organizational
> domain level (if different), so you need to make one of those exist.

I wonder what can be the real scenario when PSL organizational domain has
no SOA.

If .tld is on PSL, then example.tld will be the organizational domain. And
it definitely should have its own zone file, so it should have SOA. I can't
imagine a scenario in which it doesn't.

IMHO, this would be only possible if example.tld and .tld itself would be
defined in the same zone file. But that contradicts the very meaning of
.tld being on PSL! If domain is on PSL, it means its subdomains belong to
different administrative entities than the main domain, so they obviously
should have their own zone files and SOA.

If anybody knows such a scenario, could you please explain it?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Robert L Mathews via mailop

On 7/12/23 9:42 PM, Felix Fontein via mailop wrote:

right now there is only a SOA record for `us.` itself and for
`ci.westfir.or.us.`, but for nothing inbetween.


Ugh, you're right, the customer has removed the delegation of 
westfir.or.us (I was testing on internal servers that still showed the 
results.)


And Marcel Becker describes that what Yahoo is actually doing is 
checking for an SOA in two places:


- the "domain name" used in a MAIL FROM, and
- the PSL-based organizational domain that's the parent of the subdomain 
(if any).


If neither exists, you get this error.

That explains the issue I saw (thanks!), although it means that the 
check isn't only run for MAIL FROM domains that are directly at a PSL 
delegation point, as was suggested in the thread in May.


I still think this is a check that's prone to false positives -- it's 
assuming things about other people's DNS setups that don't necessarily hold 
true. For example, even if a domain name is on the PSL, there's no 
reason that the same organization couldn't also host the DNS for the 
levels below it in the same zone file, in which case no SOA will exist 
for the level below.


But anyway, if other people have this trouble, note that it can happen 
whether the MAIL FROM domain name is directly at a PSL breakpoint or 
not. The issue is just that there's no SOA found at the MAIL FROM domain 
name level, nor at the PSL organizational domain level (if different), 
so you need to make one of those exist.


--
Robert L Mathews


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Grant Taylor via mailop

On 7/13/23 10:49 AM, Bill Cole via mailop wrote:
It's not at all logically hard to meet that arbitrary requirement, you 
just need a zone cut everywhere you have a MX record. I've run a DNS and 
mail hosting environment that way. Zone files are very small and 
numerous. *Logistically* changing an existing zone with many MXs for 
subdomains to that model could be a serious chore.


I question the veracity of "need a zone cut everywhere you have an MX 
record".


My current working understanding is "you need a zone cut for domains 
immediately subordinate of the PSL".


My (limited) personal testing supports not needing a zone cut for a 
sub-domain of my personal domain.




Grant. . . .


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Bill Cole via mailop

On 2023-07-12 at 18:38:05 UTC-0400 (Wed, 12 Jul 2023 15:38:05 -0700)
Robert L Mathews via mailop 
is rumored to have said:

Today I had a customer complain that mail they send to AOL or Yahoo 
addresses was being returned with:


451 Message temporarily deferred due to unresolvable RFC.5321 from 
domain; see https://postmaster.yahooinc.com/error-codes


According to that page,

"- These errors indicate that the domain used to the right of the @ in 
the MAIL FROM does not appear to be a real domain.
- We determine if the domain name exists by using an SOA query; 
therefore, if multiple subdomains are used in MAIL FROM commands, then 
besides setting up a DNS A or MX record (perhaps using a wildcard), 
then SOA records must be set up as well."


This is surprising!



It's also not the whole story.

Yahoo does not reject mail from valid addresses in subdomains of 
scconsult.com which have MX or A records but no SOA or NS records.


I have done absolutely nothing to achieve that. I only know it to be 
true because someone mentioned this issue on some mailing list a few 
weeks ago and I tested myself.


Supposedly, Yahoo is basing this on the PSL, only requiring domains at 
registry boundaries to have SOAs. This is much more subtle than, but just as 
stupid as what their error page says.


It's not at all logically hard to meet that arbitrary requirement, you 
just need a zone cut everywhere you have a MX record. I've run a DNS and 
mail hosting environment that way. Zone files are very small and 
numerous. *Logistically* changing an existing zone with many MXs for 
subdomains to that model could be a serious chore.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Grant Taylor via mailop

On 7/13/23 2:24 AM, Gellner, Oliver via mailop wrote:
The requirement is actually less restrictive as it only requires a 
SOA record and not additional A,  or MX records in DNS. It is not 
necessary that every hostname has a SOA record, that indeed would be 
unreasonable. Yahoo only requires a SOA record for the organizational 
domain (base domain). As "or.us" has been added to the PSL and the 
owner wants it to be treated as a TLD, a SOA record is required for 
westfir.or.us, however none exists.
I keep thinking that someone at Yahoo / AOL has forgotten the difference 
between a domain and a zone.


But then I re-read / test things and realize that this seems to center 
on things directly in domains listed in -- what I'm understanding to be 
-- Mozilla's Public Suffix List.


So I'm left thinking that this is an artificial -- not necessarily 
arbitrary -- restriction that Yahoo / AOL is imposing on things directly 
in PSL.


My concern is that it's quite possible to have sub-domains in the parent 
zone.  This used to be common for a lot of smaller entities that simply 
relied on their parent domain to manage the child's DNS as part of the 
parent domain's zone, especially with small entities that had no 
technical need nor desire to host their own DNS.


I did some minimal testing after reading this thread and skimming thread 
that Andy linked to from earlier this year.  I sent from the address I'm 
using now to my wife's Yahoo account and it was delivered to her inbox 
just fine.  I also sent from an address in a subdomain (e.g. 
test.tnetconsulting.net) to my wife.  That second message was delivered 
to her spam folder, but it was delivered.


I don't like this restriction, but I don't object to it as long as it's 
central to the PSL and direct children therein.  If it ever extends 
further into children of the PSL, then I'll be upset -- for all the good 
that will do.


My concern is that Yahoo / AOL isn't creating an arbitrary "every domain 
must have an SOA record" and completely losing sight of the fact that 
SOAs belong to the /zone/ apex and are not associated with /domain/s.




Grant. . . .


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-13 Thread Gellner, Oliver via mailop
On 13.07.2023 at 00:38 Robert L Mathews via mailop wrote:

> Aside from anything else, it implies that SOA records can be easily added to 
> solve this, similar to how you add MX or A records. But that is usually not 
> the case: SOA records can exist only at a DNS zone delegation boundary, not 
> at the level of any arbitrary hostname.
>
> I know AOL/Yahoo folks are on here. Is it intentional to be this restrictive, 
> effectively introducing a new DNS requirement for mail senders? If so, this 
> is going to be a problem for many people.
>
> To give a concrete example of the difficulty, we host mail and DNS for 
> "cityname.or.us". Our system generates a DNS zone file that originally looked 
> like:
>
>  $ORIGIN cityname.or.us
>  @  SOA   ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
>  @  MX 0  mx.tigertech.net.
>  @  A 192.0.2.44
>  @  (SPF and DKIM records omitted for brevity)

The requirement is actually less restrictive as it only requires a SOA record 
and not additional A,  or MX records in DNS.
It is not necessary that every hostname has a SOA record, that indeed would be 
unreasonable. Yahoo only requires a SOA record for the organizational domain 
(base domain). As "or.us" has been added to the PSL and the owner wants it to 
be treated as a TLD, a SOA record is required for westfir.or.us, however none 
exists.

--
BR Oliver




Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-12 Thread Felix Fontein via mailop
Hi,

> > the conclusions at that time were:
> > [...] > - It only affects domains on the Public Suffix List. i.e.
> > the sender domain is in some public namespace where Y! want to see
> > an SOA to show it's actually administered by someone.
> > 
> > Is that the case for you?  
> 
> No. I might as well reveal the actual domain names involved, since
> it's not particularly secret: it's "westfir.or.us" and
> "ci.westfir.or.us".
> 
> Neither of those are on the public suffix list, although "or.us" is.
> 
> Mail from *@ci.westfir.or.us is accepted if ci.westfir.or.us has an
> SOA record, and not accepted if it doesn't.
> 
> So if it's supposed to be only checking at delegated breakpoints on
> the PSL, it appears it has a bug, because there's no break between
> those two (unless I'm missing something obvious)?

right now there is only a SOA record for `us.` itself and for
`ci.westfir.or.us.`, but for nothing inbetween. Since both `us.` and
`or.us.` are public suffixes, Y! seems to expect a SOA record
somewhere below these two, so for `westfir.or.us.` or
`ci.westfir.or.us.` (or both).

Cheers,
Felix



Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-12 Thread Robert L Mathews via mailop

On 7/12/23 4:22 PM, Andy Smith via mailop wrote:


We last had this thread back in may


Yikes; not sure how I missed that. Thanks for the pointer.



the conclusions at that time were:
[...] > - It only affects domains on the Public Suffix List. i.e. the sender
   domain is in some public namespace where Y! want to see an SOA to
   show it's actually administered by someone.

Is that the case for you?


No. I might as well reveal the actual domain names involved, since it's 
not particularly secret: it's "westfir.or.us" and "ci.westfir.or.us".


Neither of those are on the public suffix list, although "or.us" is.

Mail from *@ci.westfir.or.us is accepted if ci.westfir.or.us has an SOA 
record, and not accepted if it doesn't.


So if it's supposed to be only checking at delegated breakpoints on the 
PSL, it appears it has a bug, because there's no break between those two 
(unless I'm missing something obvious)?


--
Robert L Mathews


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-12 Thread Andy Smith via mailop
Hi,

On Wed, Jul 12, 2023 at 03:38:05PM -0700, Robert L Mathews via mailop wrote:
> see https://postmaster.yahooinc.com/error-codes
> 
> According to that page,
> 
> "- These errors indicate that the domain used to the right of the @ in the
> MAIL FROM does not appear to be a real domain.
> - We determine if the domain name exists by using an SOA query; therefore,
> if multiple subdomains are used in MAIL FROM commands, then besides setting
> up a DNS A or MX record (perhaps using a wildcard), then SOA records must be
> set up as well."
> 
> This is surprising!

We last had this thread back in may and the conclusions at that
time were:

- This is intentional and documented

- It only affects domains on the Public Suffix List. i.e. the sender
  domain is in some public namespace where Y! want to see an SOA to
  show it's actually administered by someone.

Is that the case for you?

The thread is here (login required):

https://list.mailop.org/private/mailop/2023-May/025051.html

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


[mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-12 Thread Robert L Mathews via mailop
Today I had a customer complain that mail they send to AOL or Yahoo 
addresses was being returned with:


451 Message temporarily deferred due to unresolvable RFC.5321 from 
domain; see https://postmaster.yahooinc.com/error-codes


According to that page,

"- These errors indicate that the domain used to the right of the @ in 
the MAIL FROM does not appear to be a real domain.
- We determine if the domain name exists by using an SOA query; 
therefore, if multiple subdomains are used in MAIL FROM commands, then 
besides setting up a DNS A or MX record (perhaps using a wildcard), then 
SOA records must be set up as well."


This is surprising!

Aside from anything else, it implies that SOA records can be easily 
added to solve this, similar to how you add MX or A records. But that is 
usually not the case: SOA records can exist only at a DNS zone 
delegation boundary, not at the level of any arbitrary hostname.


I know AOL/Yahoo folks are on here. Is it intentional to be this 
restrictive, effectively introducing a new DNS requirement for mail 
senders? If so, this is going to be a problem for many people.


To give a concrete example of the difficulty, we host mail and DNS for 
"cityname.or.us". Our system generates a DNS zone file that originally 
looked like:


 $ORIGIN cityname.or.us
 @  SOA   ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
 @  MX 0  mx.tigertech.net.
 @  A 192.0.2.44
 @  (SPF and DKIM records omitted for brevity)

This works for mail sent from "addr...@cityname.or.us".

After a while, the customer decided they also wanted to send mail from 
addresses like "addr...@ci.cityname.or.us". So we added the "ci" host to 
the existing zone file:


 $ORIGIN cityname.or.us
 @   SOA   ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
 @   MX 0  mx.tigertech.net.
 @   A 192.0.2.44
 @   (SPF and DKIM records omitted for brevity)
 ci  MX 0  mx.tigertech.net.
 ci  A 192.0.2.44
 ci  (SPF and DKIM records omitted for brevity)

This also worked fine until recently. But now, messages sent from 
"addr...@ci.cityname.or.us" to AOL or Yahoo get deferred, and eventually 
rejected, with the error above: AOL/Yahoo wants an SOA record to exist 
for "ci.cityname.or.us".


This is new behavior; our logs show the first occurrence of this error 
on April 19, and the first mention of it I can find on the Internet is 
Steve Atkins' Word to the Wise in June: 
.


This is not trivial to fix from a DNS standpoint. You can't just add a 
second SOA record to the zone; the only solution is to split it into two 
separate zones, like this:


First zone:

 $ORIGIN cityname.or.us
 @   SOA   ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
 @   MX 0  mx.tigertech.net.
 @   A 192.0.2.44
 @   (SPF and DKIM records omitted for brevity)

Second zone:

 $ORIGIN ci.cityname.or.us
 @   SOA   ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
 @   MX 0  mx.tigertech.net.
 @   A 192.0.2.44
 @   (SPF and DKIM records omitted for brevity)

However, many automatic DNS management systems will not support 
splitting a "domain name" into two zones in this manner.


--
Robert L Mathews
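The two-step check that Richard Clayton describes at the top of this page (SOA at the RFC 5321 MAIL FROM domain, else SOA at the PSL-derived organizational domain), run against the zone layouts from Robert Mathews' original post above and the apc.homeoffice.gov.uk case quoted mid-thread. This is an added example written for this page; it is not Yahoo's code and nothing in the thread shows their implementation. DNS is simulated by a set of zone-apex names (the names that would answer an SOA query) and the PSL excerpt is a constructed fragment, so both are assumptions; the `*.ck` / `!www.ck` pair is included only so the wildcard and exception rules of the general PSL algorithm are exercised, which goes beyond what the thread discusses. A real implementation would replace the set membership test with an SOA query (for instance dnspython's `dns.resolver.resolve(name, "SOA")`).

```python
"""Model of the "does the MAIL FROM domain exist" check described on mailop:
SOA at the MAIL FROM domain, otherwise SOA at the DMARC organizational domain.

Added example, not Yahoo's code. DNS is simulated by a set of zone-apex names
and the PSL excerpt is a constructed fragment; both are assumptions.
"""
from __future__ import annotations

# Constructed PSL excerpt: the entries the thread talks about, plus a wildcard
# and an exception rule so the general matching algorithm is exercised.
PSL_RULES = ["us", "or.us", "uk", "gov.uk", "homeoffice.gov.uk", "com",
             "*.ck", "!www.ck"]


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def _rule_matches(rule: str, name_labels: list[str]) -> bool:
    """A PSL rule matches when its labels equal the name's rightmost labels;
    '*' matches any one label. The '!' of an exception rule is not a label."""
    rule_labels = labels(rule.lstrip("!"))
    if len(rule_labels) > len(name_labels):
        return False
    return all(r == "*" or r == n
               for r, n in zip(reversed(rule_labels), reversed(name_labels)))


def public_suffix(name: str, rules: list[str] = PSL_RULES) -> str:
    """Longest matching rule wins; a matching exception rule overrides it and
    yields the rule minus its leftmost label; no match means the TLD."""
    name_labels = labels(name)
    longest = 0
    for rule in rules:
        if not _rule_matches(rule, name_labels):
            continue
        rule_labels = labels(rule.lstrip("!"))
        if rule.startswith("!"):
            return ".".join(rule_labels[1:])
        longest = max(longest, len(rule_labels))
    return ".".join(name_labels[-max(longest, 1):])


def organizational_domain(name: str, rules: list[str] = PSL_RULES) -> str | None:
    """DMARC organizational domain: the public suffix plus one more label.
    None when the name is itself a public suffix."""
    name_labels = labels(name)
    suffix_len = len(labels(public_suffix(name, rules)))
    if len(name_labels) <= suffix_len:
        return None
    return ".".join(name_labels[-(suffix_len + 1):])


def enclosing_zone(name: str, zone_apexes: set[str]) -> str:
    """Walk up the labels to the nearest zone apex: the name that
    `dig <name> SOA` shows in the AUTHORITY section when there is no answer."""
    name_labels = labels(name)
    for i in range(len(name_labels)):
        candidate = ".".join(name_labels[i:])
        if candidate in zone_apexes:
            return candidate
    return "."


def mail_from_domain_exists(domain: str, zone_apexes: set[str],
                            rules: list[str] = PSL_RULES) -> tuple[bool, str]:
    """The check as described on the list. Returns (accept, reason)."""
    domain = domain.rstrip(".").lower()
    if domain in zone_apexes:
        return True, f"SOA at {domain}"
    org = organizational_domain(domain, rules)
    if org is None:
        return False, f"{domain} is a public suffix, not a mail domain"
    if org in zone_apexes:
        return True, f"SOA at organizational domain {org}"
    return False, (f"no SOA at {domain} or {org}; nearest zone apex is "
                   f"{enclosing_zone(domain, zone_apexes)}")


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread; the apex sets are assumptions.
    scenarios = {
        "ci records in the us. zone, westfir.or.us not delegated": {"us"},
        "zone cut added at ci.westfir.or.us": {"us", "ci.westfir.or.us"},
        "westfir.or.us delegated, ci kept in that zone": {"us", "westfir.or.us"},
    }
    for label, apexes in scenarios.items():
        print(label, "->", mail_from_domain_exists("ci.westfir.or.us", apexes))
    # PSL entry below the registry: the organizational domain is the name itself.
    print(mail_from_domain_exists("apc.homeoffice.gov.uk",
                                  {"uk", "gov.uk", "homeoffice.gov.uk"}))
    # Ordinary case: a subdomain with only MX/A records in the parent zone.
    print(mail_from_domain_exists("random.subdomain.scconsult.com",
                                  {"com", "scconsult.com"}))
```

Of the three westfir scenarios only the first is refused, and its reason names `us` as the nearest apex, which is what the AUTHORITY section of an unanswered SOA query would show; either zone cut (at ci.westfir.or.us or at westfir.or.us) satisfies the check. The apc.homeoffice.gov.uk case fails even though a parent zone exists, because homeoffice.gov.uk is itself a PSL entry and so the organizational domain is apc.homeoffice.gov.uk, exactly the false-positive shape Robert Mathews points at.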