
[Asrg] Re: draft-danisch-dns-rr-smtp-01.txt

2003-04-26 16:02:49
Some time in the past, someone wrote:
On Wednesday, April 16, 2003, at 04:20 PM, Hadmut Danisch wrote:

btw, the second version of the RMX draft is available
at

http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-01.txt

Perhaps I'm missing it, but I still don't see a solution to the 
problem of "needing more RMX records than can safely fit inside a 
UDP response packet".


While I don't like the idea of trying to use IP addresses as
authentication tokens, and I have my doubts about the 
usefulness of sender authentication period (as already mentioned,
forwarding, and mailing lists break this), IF you're going 
to do it, why not do it in a less intrusive way that also 
deals with the problem of more RMX records than can 
safely fit in a UDP response packet?

Recognize that the goal for the receiver isn't to find all the 
valid IPs for a domain, but rather just the one they are receiving
email from.  To answer the question "is IP a.b.c.d an authorized 
IP for example.com?", the receiver could check 
d.c.b.a.rmx.example.com.
This /could/ be a new record, but it's better IMO for it to be like 
the current DNSBLs and look for an A record, with the value 
returned being well defined (unlike the current DNSBLs).

If you approach it that way, then it's probably better to
carve off a long name and make rmx a lower-level designator so as
to preserve future expansion possibilities.  I.e.
lookup d.c.b.a.rmx.dns-based-query.example.com

A records (or any other already existing DNS record) are preferred
because old versions of some software will actually crash when 
encountering unknown RRs.  In particular, BIND used to do this.
(Yes, I know that everyone is /supposed/ to upgrade BIND, 
but it's unreasonable to expect that everyone will.)

This would require that anyone who wanted to take advantage of this
update their DNS servers, but it would have no impact on those who
don't.  For those that can't, and to alleviate the chicken and egg
problem, one could set up a server that also answered such queries.
For example, after checking d.c.b.a.rmx.dns-based-query.example.com
and getting no response, you could check 
d.c.b.a.rmx.dns-based-query.example.com.second-query.nh.bz or any
other server that was willing to host such a list.

Scott Nelson <scott(_at_)spamwolf(_dot_)com>
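The receiver-side check proposed in the post above, written out as an added example (not code from the post or from the RMX draft). It builds the reversed-octet name under rmx.dns-based-query.<domain>, looks up an A record, and only falls back to a second zone when the first name does not exist. The post leaves the A-record values undefined, so the 127.0.0.1 / 127.0.0.2 meanings, the resolver callback, the in-memory zone data and the fallback zone name second-query.example.org are all assumptions made for this example.

```python
import ipaddress
from typing import Callable, Optional

# Assumed value convention (the post only asks that it be "well defined"):
# 127.0.0.1 = this IP may send for the domain, 127.0.0.2 = it may not.
AUTHORIZED = "127.0.0.1"
NOT_AUTHORIZED = "127.0.0.2"

# A resolver maps a name to its A-record value, or None when the name does
# not exist (NXDOMAIN). Real code would wrap a DNS library here.
Resolver = Callable[[str], Optional[str]]


def rmx_query_name(ip: str, domain: str, suffix: Optional[str] = None) -> str:
    """Build d.c.b.a.rmx.dns-based-query.<domain>[.<suffix>] for an IPv4 sender."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    name = f"{reversed_octets}.rmx.dns-based-query.{domain.rstrip('.')}"
    return f"{name}.{suffix.rstrip('.')}" if suffix else name


def check_sender(ip: str, domain: str, resolve: Resolver,
                 fallback_zone: Optional[str] = None) -> str:
    """Return 'authorized', 'not-authorized' or 'unknown' for one sender IP."""
    names = [rmx_query_name(ip, domain)]
    if fallback_zone:  # third-party host answering for domains that publish nothing
        names.append(rmx_query_name(ip, domain, fallback_zone))
    for name in names:
        value = resolve(name)
        if value is None:      # no such name: try the next source, if any
            continue
        if value == AUTHORIZED:
            return "authorized"
        if value == NOT_AUTHORIZED:
            return "not-authorized"
        return "unknown"       # a value outside the convention: do not guess
    return "unknown"


# Constructed zone data standing in for real DNS answers.
CONSTRUCTED_ZONE = {
    "10.0.0.192.rmx.dns-based-query.example.com": AUTHORIZED,
    "20.0.0.192.rmx.dns-based-query.example.com": NOT_AUTHORIZED,
    # example.net publishes nothing itself; a second zone answers for it.
    "5.0.0.10.rmx.dns-based-query.example.net.second-query.example.org": AUTHORIZED,
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_ZONE.get(name.rstrip("."))


if __name__ == "__main__":
    print(check_sender("192.0.0.10", "example.com", constructed_resolve))
    print(check_sender("10.0.0.5", "example.net", constructed_resolve, "second-query.example.org"))
```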
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg