On Fri, 14 May 2004, Douglas Otis wrote:
> Here is an early link to a draft submitted to the IETF utilizing the DNS
> SRV record to publish authorized clients for any protocol including
> SMTP. This draft also suggests the label for this SRV record can be
> used to access a TXT record for error reporting information. This was
> to provide a foundation for a solution independent of how the
> information is used. This takes advantage of existing DNS listing and
> reporting features while not creating a record possibly confused as
> pointing to an SMTP server.
> http://www.mail-abuse.com/public/draft-dougotis-SRV-CAA-00.txt
> Our name server was modified recently so it may take some time to access
> this link. If so, try:
> http://204.152.185.196/public/draft-dougotis-SRV-CAA-00.txt
This is way close to one of the things I tried for possible in-addr
authorization records; I posted about that this morning at ASRG:
https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg10102.html
There is no mention in the above post about SRV (except in passing reference),
but for those interested, here are more things I tried:
$ nslookup -query=ANY -silent _sa._smtp._tcp.5.192.151.216.in-addr.arpa
_sa._smtp._tcp.5.192.151.216.in-addr.arpa service = 1 5 25 *.elan.net.
(And for more fun experimental records, try a lookup on 216.151.192.6.)
In any case, the problems with the above draft for direct domain SRV are:
1. It specifies that these SRV records are to be used to specify "authorized
clients", but that may not be exactly what you had in mind for SMTP. For
example, when my server connects to yours, my server is an SMTP client
of your server, but it has no relationship with it at all, so in this
kind of context authorized clients are only the IPs of your local LAN.
What you probably wanted is to specify IPs that are authorized to use
your domain as part of an SMTP session, in a way that you can say they are
clients of the specified domain, but not directly in a service manner.
And obviously it's also not clear how these IPs are to be used, i.e.
are you specifying what is authorized for EHLO, for mail-from?
2. The draft specifies that each SRV record would point to some name
which should in itself be further queried to get IP addresses.
This works fine for a couple of IPs, but it does not work very well
when you want to specify address ranges. For that scenario, may I
suggest something from my example above.
So instead of having:
_foobar._tcp_c SRV 0 0 0 fred.example.com.
               SRV 0 0 0 sam.example.com.
fred           A   172.30.79.11
sam            A   172.30.79.12
You would have:
_foobar._tcp_c SRV 0 0 0 11.79.30.172.IN-ADDR.ARPA.
               SRV 0 0 0 12.79.30.172.IN-ADDR.ARPA.
And to specify ip range you could enter:
_foobar._tcp_c SRV 0 0 0 *.79.30.172.IN-ADDR.ARPA.
Otherwise I really do like this draft, how detailed it is, how well it describes
the concept, etc. Obviously it has the implementation problem that not
all DNS servers and DNS resolvers support SRV right now (which is the
reason that for the ASRG example I decided to use plain PTR), but this will
change in the future, hopefully.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
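As an added illustration of the two record layouts compared in the thread above (this is example code written for this page, not part of either message or of the draft), the following Python matcher reads a small constructed zone fragment and decides whether a connecting IP falls within the published SRV targets. It handles both the draft's layout, where each SRV target is a host name resolved through A records, and the in-addr.arpa layout proposed in the reply, where the target name itself encodes an address or, with a leading `*` label, a whole octet-aligned range. The origin `example.com.` appended to the owner names, the interpretation of `*.79.30.172.IN-ADDR.ARPA.` as the /24 below it, and the skipping of a `.` target (the RFC 2782 "service not available" marker) are assumptions of this example.

```python
import ipaddress

# Constructed zone fragments, built from the records quoted in the reply above.
# The owner names are written fully qualified under an assumed origin, example.com.
ZONE_DRAFT_STYLE = """
_foobar._tcp_c.example.com. SRV 0 0 0 fred.example.com.
_foobar._tcp_c.example.com. SRV 0 0 0 sam.example.com.
fred.example.com.           A   172.30.79.11
sam.example.com.            A   172.30.79.12
"""

ZONE_INADDR_STYLE = """
_foobar._tcp_c.example.com. SRV 0 0 0 11.79.30.172.IN-ADDR.ARPA.
_foobar._tcp_c.example.com. SRV 0 0 0 *.79.30.172.IN-ADDR.ARPA.
"""


def parse_zone(text):
    """Parse 'owner TYPE rdata...' lines into (owner, type, [rdata]) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        records.append((parts[0].lower(), parts[1].upper(), parts[2:]))
    return records


def inaddr_to_network(name):
    """Decode an in-addr.arpa name into an IPv4 network.

    '11.79.30.172.in-addr.arpa.'  -> 172.30.79.11/32
    '*.79.30.172.in-addr.arpa.'   -> 172.30.79.0/24 (assumed reading of the wildcard)
    Anything that is not an in-addr.arpa name returns None.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4:
        return None
    if octets[0] == "*":          # wildcard: every address below the fixed octets
        octets = octets[1:]
    fixed = list(reversed(octets))  # in-addr.arpa lists octets least significant first
    for octet in fixed:
        if not octet.isdigit() or int(octet) > 255:
            return None
    prefix_len = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix_len}")


def authorized_networks(records, service_owner):
    """Collect the networks named by the SRV records at service_owner."""
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
    nets = []
    for owner, rtype, rdata in records:
        if rtype != "SRV" or owner != service_owner.lower():
            continue
        target = rdata[3].lower()   # rdata is priority, weight, port, target
        if target == ".":           # RFC 2782: service explicitly not available
            continue
        net = inaddr_to_network(target)
        if net is not None:         # in-addr.arpa layout: address is in the name
            nets.append(net)
            continue
        for addr in a_records.get(target, []):   # draft layout: resolve via A
            nets.append(ipaddress.ip_network(f"{addr}/32"))
    return nets


def is_authorized(zone_text, service_owner, client_ip):
    """True if client_ip is covered by any SRV target published at service_owner."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in authorized_networks(parse_zone(zone_text), service_owner))


if __name__ == "__main__":
    for zone in (ZONE_DRAFT_STYLE, ZONE_INADDR_STYLE):
        for ip in ("172.30.79.11", "172.30.79.200", "172.30.80.1"):
            print(ip, is_authorized(zone, "_foobar._tcp_c.example.com.", ip))
```

The difference the reply is pointing at shows up in the wildcard case: under the draft layout a whole /24 would need 256 A records behind 256 SRV targets, whereas the in-addr.arpa layout expresses it as one SRV record. Note that the matcher only decides membership; it says nothing about which SMTP identity (EHLO name or mail-from domain) the listed addresses are vouching for, which is the first objection raised in the reply.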