On 14 Jan 2018, at 11:07 (-0500), Per Jessen wrote:
Chris wrote:
I started seeing this yesterday evening -
https://pastebin.com/Q01t63uf AFAICT it's happening on every message
that is processed by SA. This is:
spamassassin -V
SpamAssassin version 3.4.1
running on Perl version 5.22.1
Any ideas?
AFAIK, BIND does not accept NS records with CNAMEs, only A or AAAA
records.
This is not a BIND issue, aside from the (optional) logging of the bad
NS record.
The specification of DNS (as precisely clarified by
https://tools.ietf.org/html/rfc2181#section-10.3) does not allow NS
names which are resolved via a CNAME record. Like MX records, NS records
often exist in order to jump a resolution path across administrative
boundaries, so they are required to point to the primary (i.e.
"canonical") name of the target to prevent uncontrolled redirection.
It looks like Spamhaus updated their nameserver config and
added Cloudflare by way of CNAME.
Which is a rather surprising error. Both organizations should know
better.
Thankfully, all the other authoritative NS targets have A and/or AAAA
records.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
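
An added example, not part of the original message: a small offline check for the RFC 2181 section 10.3 rule discussed above, which flags NS and MX targets whose owner name carries a CNAME instead of A/AAAA records. The record tuples, the `.test` names and the function names are constructed for illustration; MX preference values are omitted from the sample data.

```python
# Constructed sample records (not real zone data): (owner, type, rdata).
SAMPLE_RECORDS = [
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("example.test.", "NS", "ns3.example.test."),
    ("example.test.", "MX", "mail.example.test."),
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("ns2.example.test.", "AAAA", "2001:db8::2"),
    ("ns3.example.test.", "CNAME", "edge.cdn.test."),  # the invalid case
    ("edge.cdn.test.", "A", "198.51.100.7"),
    ("mail.example.test.", "A", "192.0.2.25"),
]


def norm(name):
    """DNS names compare case-insensitively; return a lowercase FQDN."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def audit_targets(records, checked_types=("NS", "MX")):
    """Return (owner, type, target, problem, alias_target) for bad targets.

    problem is "alias" when the target name owns a CNAME (forbidden by
    RFC 2181 10.3) or "no-address-in-data" when the supplied records hold
    neither A nor AAAA for it (it may simply live outside this data set).
    """
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(norm(owner), {}).setdefault(rtype.upper(), []).append(rdata)

    findings = []
    for owner, rtype, rdata in records:
        rtype = rtype.upper()
        if rtype not in checked_types:
            continue
        target = norm(rdata)
        types = by_owner.get(target, {})
        if "CNAME" in types:
            findings.append((norm(owner), rtype, target, "alias", norm(types["CNAME"][0])))
        elif "A" not in types and "AAAA" not in types:
            findings.append((norm(owner), rtype, target, "no-address-in-data", None))
    return findings


if __name__ == "__main__":
    for finding in audit_targets(SAMPLE_RECORDS):
        print(finding)
```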