David MacQuigg <dmquigg-clear(_at_)yahoo(_dot_)com> wrote:
> If I'm setting up a rack of machines to be used for nothing but outgoing
> mail, why do these machines need to have *any* DNS records? Sorry if this
> is a dumb question, my understanding of DNS still has gaps. Even if we
> don't count the A records as part of the required setup, we still need one
> SRV record per machine.

CSV needs one SRV record per HELO domain-name. (We in fact recommend
each machine have its own HELO string.) This is intended as the level of
granularity of CSV -- which we consider a benefit, in that problems on
one outgoing MTA need not compromise the reputation of any other MTAs.

> Public mail servers should have static addresses.

In fact, most mail servers _do_ change IP addresses when the upstream
provider changes. We consider that to be often enough to worry about the
possibility of records getting out of sync.

> This might save some time for a small domain with one server having both MX
> and SRV records, but the scenario I'm thinking of would be racks of servers
> dedicated to outgoing mail only. I would rather not have to change any
> individual address records at all.

I may be missing your point. If the IP address of an MTA changes, you're
going to have to change _something_ in DNS. CSV adds nothing that needs
to change when the assigned IP address changes.

If, OTOH, you mean you'd rather not have to publish an SRV record in
the first place for every MTA, we're talking the same issue of nuisance
versus granularity. We consider the nuisance small, and the granularity
valuable.

> How do you find the authentication records without digging when the HELO
> name is server6.rack5.room4.bldg3.company2.com ???

You do a single DNS query for "server6.rack5.room4.bldg3.company2.com."
(In the absence of anything cached, this goes to the root servers and
gets nameservers for "company2.com", and the query is automatically
repeated to one of those, which most likely will give the answer. Unless
"company2.com" _both_ delegates a "bldg3" subdomain _and_ fails to act
as secondary for it, there's no reason for more DNS traffic.)

> One query to company2.com should get all authentication records for the
> entire company.

But how would you know to query for "company2.com"? SPF knows because
it got it from an email address. CSV can't know, because it only works
on the HELO string. (Did I mention the benefits of granularity?)

> Let's not make the mistake of assuming that *everything* in SPF is bad,
> because it has a few unsafe features. In fact, the good features can
> actually *reduce* the DNS load much lower than what I understand CSV will
> generate.

This may actually be possible -- in a world where all MTAs are managed
by folks both clueful and considerate. Alas, that is not the world we
live in. :^(
--
John Leslie <john(_at_)jlc(_dot_)net>