I had a most interesting discussion with journalist Brian Livingston this
afternoon in which I explained CSV to him so he can write about it for a
non-technical audience.
One thing that became blindingly clear is that if we want people to take
CSV seriously, we need some hack to say that the rest of a domain doesn't
have any mail clients. That lets domains mark big swaths of their name
space as bad, which would be a significant reason for people to start
looking for CSV records even when there aren't a whole lot of them to
find.
I realize that DNS wildcards are broken and all the alternatives stink,
but given that we're competing with the stupendous awfulness of SPF, it's
not hard to do better than that.
So here's my modest proposal to mutate CSV to do not too awful wildcard
like function:
1) Before (or perhaps in parallel with) the SRV lookup, do an A lookup on
the HELO name.
2) In the weight field of the SRV record, define the 4 bit to mean that
all mail clients in subdomains of this one have explicit records.
So this means that the revised CSA procedure is:
a) look up A or AAAA for the HELO name; if no matching record, CSV fails.
b) look up _client._smtp.name; if found, accept what it says.
c) walk up the tree looking for SRV records at _client._smtp.<prefix>.
If you find a SRV with the 4 bit, the host isn't authorized.
If you get to _client._smtp.tld, stop.
(Walking down from the top would be OK with me, but not so OK that I want
to get into a big fight about it again.)
The point of the A lookup is to prevent DDOS by sending a HELO like
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.example.com
to force a blizzard of lookups. The A check means that the number of
lookups will never be more than the depth of an actual host, and we all
know that in practice the domain tree is pretty flat.
The disadvantage of the A lookup, beyond the theological issue that RFC
2821 says not to verify the HELO name for reasons that I think have long
faded into irrelevance, is that it forces the HELO namespace to match the
real namespace. There's a few domains, notably hotmail.com, where all the
mail clients HELO as the domain rather than as the actual host name. The
current scheme lets this work by allowing the name in the SRV record be
different, e.g. mailclient.hotmail.com. Validating the HELO name would
force Hotmail clients to HELO as their actual names which wouldn't be very
hard and would be more in the spirit of 2821, but would be a change from
what they do now.
Again, I don't feel all that strongly about the A lookup; the very long
name is an exotic attack, and a DNS cache that caches negative replies
properly shouldn't have too much trouble with it. But I do feel strongly
that we need some way to say "you can ignore the other million hosts in
this domain."
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.