> >
> > Sendmail uses ANY first though and that's on many many servers.
>
> Sendmail has not made ANY queries for many years, though I believe it
> did in the very dim and distant past.
>

Fair enough, I'd read that was the case when troubleshooting a problem that turned out to be service.switch causing rather unexpected behaviour (ignoring my intention of removing a dns query and also skipping the mx, I guess the web page was older than I thought and I never needed to check the source code, thankfully)

> However, qmail *does* make ANY queries in order to canonicalize mail
> domains in the envelopes of outgoing messages, i.e. to replace domains
> that are CNAME owner names with the corresponding CNAME target names.
> This behaviour is buggy in several ways.

I believe djb knew this and only did this to work around bugs in Bind? I think it was this problem that was why he may even have put in alternative commented out code.

> Firstly, the current SMTP
> specification does not require domains to be canonicalized. Secondly,
> qmail should use an MX query not an ANY query, since it is looking up a
> mail domain not performing DNS diagnostics. Thirdly, it uses a 512 byte
> buffer which is too small, and it has no provision for dealing with
> truncated replies.

A modern qmail like Spamcontrol for example is patched to be compliant with the new RFCs and larger replies. So hopefully there aren't any servers still going and doing this any more then. An old qmail might still be secure but incompliant with some modern systems but an old sendmail would be a zombie on acid.
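
The two quoted points about asking for MX rather than ANY and about truncated replies, shown as an added example that is not part of this thread and is not qmail's or any patch's code. The function names `build_mx_query` and `check_reply` are hypothetical; the wire layout (12-byte header, TC flag, type 15 for MX) is from RFC 1035.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_QR 0x8000u /* message is a response */
#define DNS_FLAG_TC 0x0200u /* reply was truncated to fit the transport */
#define DNS_TYPE_MX 15

enum reply_status { REPLY_OK, REPLY_TRUNCATED, REPLY_MISMATCH, REPLY_MALFORMED };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode an MX/IN question for name; returns its length, or 0 if it does not fit. */
size_t build_mx_query(uint16_t id, const char *name, unsigned char *out, size_t cap)
{
    size_t n = DNS_HDR_LEN;
    if (cap < DNS_HDR_LEN) return 0;
    memset(out, 0, DNS_HDR_LEN);
    out[0] = (unsigned char)(id >> 8);
    out[1] = (unsigned char)(id & 0xff);
    out[2] = 0x01;                       /* RD: ask the resolver to recurse */
    out[5] = 1;                          /* QDCOUNT = 1 */
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || n + 1 + lab > cap) return 0;
        out[n++] = (unsigned char)lab;   /* length-prefixed label */
        memcpy(out + n, name, lab);
        n += lab;
        name += lab + (dot ? 1 : 0);
    }
    if (n + 5 > cap) return 0;
    out[n++] = 0;                        /* root label ends the name */
    out[n++] = 0; out[n++] = DNS_TYPE_MX;
    out[n++] = 0; out[n++] = 1;          /* class IN */
    return n;
}

/* Classify a UDP reply from its header before any record parsing is attempted. */
enum reply_status check_reply(uint16_t id, const unsigned char *buf, size_t len)
{
    if (len < DNS_HDR_LEN) return REPLY_MALFORMED;
    if (rd16(buf) != id || !(rd16(buf + 2) & DNS_FLAG_QR)) return REPLY_MISMATCH;
    if (rd16(buf + 2) & DNS_FLAG_TC) return REPLY_TRUNCATED; /* retry over TCP */
    return REPLY_OK;
}
```

When `check_reply` returns `REPLY_TRUNCATED`, the caller repeats the same question over TCP instead of parsing the partial answer.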