ietf-asrg

Re: [Asrg] Re: RMX Records

2003-03-03 02:24:44
Hi,

On Sun, Mar 02, 2003 at 07:18:05PM -0500, Daniel Feenberg wrote:

> If respected by receiving MTAs, the proposal would give the owner of the
> DNS space in which a host lives control over which servers could originate
> SMTP traffic.

No. To be more precise:

The proposal would give the owner of the domain which the
sender's e-mail address belongs to control over which servers could originate
SMTP traffic.

The proposal quietly assumes that the owner of a domain (i.e. the
one who is able to define zone entries) is the same one who is
allowed to decide who may use this domain in a sender's address.




> Alternatively, the owner of the IP address
> range could be given this authority.


No, this would put the key in the attacker's hand.

Since domains and not IP addresses are used in E-Mail addresses
(at this very moment you are reading a message from
hadmut(_at_)danisch(_dot_)de, not from hadmut(_at_)213(_dot_)133(_dot_)101(_dot_)23),
authorization (at least of the right hand side of the address) is a
matter of domain, not IP address.

The commercial spammers do have control over their own IP address
range. If authority was given to the owner of the IP address, they
could give themselves any authorization they want to have. 
E.g. they simply declare themselves as authorized to use
@hotmail.com, @yahoo.com, @nber.org...

That's the opposite of what you want to have.









> Why is this superior to Adam Filip's proposal (
> http://groups.google.com/groups?q=vixie+mx+records+spam&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3E18B0B3.43939A35%40Andrzej.Adam.Filip&rnum=10
> ) to overload the existing MX record? That proposal would also vest
> authority in the owner of the domain name. It would seem that requiring
> modifications to the DNS system is a substantial additional obstacle to
> adoption. Do you have reason to believe that DNS software authors/vendors
> would cooperate?

First, MX records are not meant to be used for that. If you want
to keep the Internet working, use things in the way you are supposed
to do. Using them in the reverse way violates the definition of MX.

Second, it doesn't work and it is too much overhead, because there
is one indirection step missing. Assume that I want to authorize 
the relays of my hoster rackland and another set of relays, e.g. 
by an employer or some ISP for originating mails from danisch.de.

If I had to do this in the MX way, I would have a lot of trouble figuring
out which relay machines exist and changing it every time the
providers change it. With my proposal, the RMX record for 
danisch.de would simply give permission to "relays.rackland.de" and
"relays.employer.com", where the admins of rackland and employer
can define the APL records for these domains reasonably. If the IP
address changes or new relays are added, it just takes a single change
instead of modifications of all domains hosted. 

Third, DNS software is ready to be extended. The most important
software is bind9, and this is available as source. So I can (and I
will as soon as APL records are available) provide a patch on my
homepage and pass it to the upstream maintainer. As soon as the 
record type has become a standard, it will be incorporated into the
main distribution. Adding a new record type to a DNS server is not
a big deal. And none of the commercial software vendors wants to
live with a DNS server which doesn't support all record types. 
No, the DNS server software is not the problem. It will be more 
difficult to convince the MTA software vendors. But that's the
same problem as with the MX proposal.






> Does the RMX record for relays.danisch.de include all the valid sources of
> SMTP traffic for subdomain.danisch.de, or does the receiving server
> recurse down to relays.subdomain.danisch.de for that list?

Well, it should work just like normal DNS. 
There would be no RMX record for "relays.danisch.de".

There would be an RMX record for "danisch.de", which points
to relays.rackland.de, which is an APL record containing a
list of the relay machines.


For subdomain.danisch.de there must be another RMX record, as
with MX records. But since DNS supports a very simple form of 
wildcards, a single entry *.danisch.de could cover all one
level subdomains of danisch.de. 

But I agree the next question is what to do with 
sub.domain.danisch.de . Maybe it would be wise to require the
receiving MTA to climb up the domain tree until something is
found.






> Would you expect operators to reject mail without a valid RMX
> record?


I would neither expect them to reject it nor to accept it.

It's just a matter of their policy. 

If a mail comes without any RMX record at all, then this
is a statement like "We don't have an authorization policy".
It's your policy whether you accept this message or not.

If a mail comes with a large RMX record, e.g. 0.0.0.0/0,
thus authorizing the whole world, it's your decision whether
you want to have that mail or not.

If a mail comes with a good RMX record, but from an 
IP address not covered by this record, again, it depends on 
your policy whether to accept or reject that mail. 

Your policy could even depend on the recipient's address.
For one recipient you prefer a tighter policy, another
recipient is more relaxed.


Actually, with my proposal I do not want to block any e-mail.
I want to give the receiver some simple and (at least to
a certain level) reliable information, on which his individual 
decision whether to accept or deny the message can be based.

Don't understand RMX records as a message filter. It's the
domain owner's statement about the domain's security policy.
It's the receiver's business to block or accept a message.
You're still free to send any message you want to send, but
I become free to not take it.



regards
Hadmut





_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
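
The lookup described in the message above, sketched as an added example (not part of the original post or of any RMX draft): the RMX entry of the sender's domain names other domains, whose APL entries list the authorized relay prefixes, and the result is a classification that the receiver's own policy then acts on. The dictionaries stand in for DNS, the prefixes are constructed documentation ranges, and the `climb` option models the tentative "climb up the domain tree" idea.

```python
import ipaddress

# Constructed zone data (not real DNS content). RMX maps a sender domain to
# the names whose APL records list the authorized relay prefixes.
RMX = {
    "danisch.de": ["relays.rackland.de", "relays.employer.com"],
    "*.danisch.de": ["relays.rackland.de"],
    "open.example": ["anyone.example"],
}
APL = {
    "relays.rackland.de": ["192.0.2.0/28"],
    "relays.employer.com": ["198.51.100.16/29", "2001:db8:25::/48"],
    "anyone.example": ["0.0.0.0/0"],
}

def find_rmx(domain, climb=True):
    """Return (owner, targets) for the RMX record covering domain, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        name = ".".join(labels[i:])
        if name in RMX:                        # exact match first
            return name, RMX[name]
        wildcard = "*." + ".".join(labels[i + 1:])
        if wildcard in RMX:                    # one-level wildcard
            return wildcard, RMX[wildcard]
        if not climb:                          # plain DNS behaviour: no climbing
            break
    return None

def rmx_verdict(mail_from, client_ip, climb=True):
    """Classify a connection; the receiver's policy decides what to do with it."""
    domain = mail_from.rsplit("@", 1)[-1]
    hit = find_rmx(domain, climb)
    if hit is None:
        return "no-policy"                     # domain publishes no statement
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(p) for t in hit[1] for p in APL.get(t, [])]
    if any(n.prefixlen == 0 for n in nets):
        return "open-policy"                   # e.g. 0.0.0.0/0 authorizes everyone
    if any(ip.version == n.version and ip in n for n in nets):
        return "authorized"
    return "unauthorized"
```

When a provider renumbers its relays, only its own APL entry changes; every hosted domain's RMX entry stays as it is.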


