On Wednesday, April 16, 2003, at 04:20 PM, Hadmut Danisch wrote:
> btw, the second version of the RMX draft is available
> at
> http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-01.txt
Perhaps I'm missing it, but I still don't see a solution to the
problem of "needing more RMX records than can safely fit inside a
UDP response packet".
While I don't like the idea of trying to use IP addresses as
authentication tokens, and I have my doubts about the
usefulness of sender authentication period (as already mentioned,
forwarding and mailing lists break this), IF you're going
to do it, why not do it in a less intrusive way that also
deals with the problem of more RMX records than can
safely fit in a UDP response packet?
Recognize that the goal for the receiver isn't to find all the
valid IP's for a domain, but rather just the one they are receiving
email from. To answer the question "is IP a.b.c.d an authorized
IP for example.com?", the receiver could check
d.c.b.a.rmx.example.com.
This /could/ be a new record, but it's better IMO for it to be like
the current DNSBLs and look for an A record, with the value
returned being well defined (unlike the current DNSBLs).
If you approach it that way, then it's probably better to
carve off a long name and make rmx a lower-level designator so as
to preserve future expansion possibilities. I.e., look up
d.c.b.a.rmx.dns-based-query.example.com
A records (or any other already existing DNS record) are preferred
because old versions of some software will actually crash when
encountering unknown RRs. In particular, BIND used to do this.
(Yes, I know that everyone is /supposed/ to upgrade BIND,
but it's unreasonable to expect that everyone will.)
This would require that anyone who wanted to take advantage of this
update their DNS servers, but it would have no impact on those who
don't. For those that can't, and to alleviate the chicken and egg
problem, one could set up a server that also answered such queries.
For example, after checking d.c.b.a.rmx.dns-based-query.example.com
and getting no response, you could check
d.c.b.a.rmx.dns-based-query.example.com.second-query.nh.bz or any
other server that was willing to host such a list.
Scott Nelson <scott(_at_)spamwolf(_dot_)com>
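The lookup scheme sketched above, written out as an added example (not code from the post or from the RMX draft): the sender IP is reversed into d.c.b.a, prefixed to rmx.dns-based-query.<domain>, and resolved as an A record, with the post's second-query.nh.bz zone tried as the fallback when the domain's own zone gives no answer. The resolver is injectable so the logic can be exercised offline; treating "an A record exists" as "authorized" is an assumption here, since the post leaves the well-defined return values unspecified.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Name components taken from the post; the fallback zone is the one Scott
# names as an illustration, not a live service this code assumes exists.
PRIMARY_SUFFIX = "rmx.dns-based-query"
FALLBACK_ZONE = "second-query.nh.bz"

Resolver = Callable[[str], Optional[str]]


def rmx_query_name(ip: str, domain: str) -> str:
    """Build d.c.b.a.rmx.dns-based-query.<domain> for an IPv4 sender address.

    Raises ValueError for anything that is not a plain IPv4 address, since the
    d.c.b.a form in the post only covers IPv4."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{PRIMARY_SUFFIX}.{domain}"


def default_resolver(name: str) -> Optional[str]:
    """Real A-record lookup; None when the name does not resolve (NXDOMAIN etc.)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_authorized_sender(ip: str, domain: str,
                         resolve: Resolver = default_resolver
                         ) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (authorized, A-record value, name that answered).

    The domain's own zone is consulted first; only when it yields nothing is
    the same name re-queried under the third-party fallback zone."""
    primary = rmx_query_name(ip, domain)
    for name in (primary, f"{primary}.{FALLBACK_ZONE}"):
        answer = resolve(name)
        if answer is not None:
            # Assumed convention: any A record present means "authorized".
            return True, answer, name
    return False, None, None


if __name__ == "__main__":
    # Constructed zone data so the demo runs without network access.
    table = {"4.3.2.1.rmx.dns-based-query.example.com": "127.0.0.2"}
    print(is_authorized_sender("1.2.3.4", "example.com", table.get))
    print(is_authorized_sender("9.9.9.9", "example.com", table.get))
```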
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg