Dave Crocker <dcrocker(_at_)brandenburg(_dot_)com> wrote:
On Sat, 9 Oct 2004 03:04:02 -0400, John Leslie wrote:
The CSV design did not intend for negative CSA records to be
common. If you do need to discourage the use of wildcard
subdomains, you'd do better to use wildcard DNA PTR records
(suggesting an accreditation service which will report "don't
trust these folks").
Offhand, I think this describes a solution that is, at best
cumbersome. Unfortunately the scenario it is trying to solve is
a reasonable -- and probably even a probable -- one.
Thoughts?
I'm not sure I agree it's reasonable, but it has come up several
times that people want to mark subdomains as "not authorized" --
meaning, I assume, that they want receiving SMTP servers to reject
all email from sending SMTP clients who use a "not authorized"
subdomain for the EHLO string.
The wildcard PTR solution I have suggested is cumbersome, certainly,
but I'm not sure the extra stage (RSSRRS needing to pass on the
negative recommendation) makes it worse than the weirdnesses of
wildcard DNS would.
We certainly _could_ consider writing this as a special-case where
the PTR returns a domain-name value which is defined to mean "the
domain itself recommends rejecting email from this server", and the
RSSRRS (reputation server) could bypass any actual query to the SSCAS
(accreditation server).
Regardless, let us remember that we're talking about a case of
misuse (if not actual forgery) of a subdomain-name which will _not_
be visible to the recipient; and this wouldn't actually give the
sending SMTP server any better chance of delivery than any other
EHLO string which doesn't return a CSV SRV record.
--
John Leslie <john(_at_)jlc(_dot_)net>