ietf-clear

[clear] Comparing CSV and SPF

2005-04-06 12:31:18
On 4/4/05 4:29 PM, David MacQuigg sent forth electrons to convey:

At 09:30 AM 4/4/2005 -0700, Doug Otis wrote:

On Mon, 2005-04-04 at 09:59 -0700, David MacQuigg wrote:
Hello, I just came from the SPF camp.  Please don't shoot me. :>)  I'm not
an SPF advocate.  I'm an electronic design engineer hoping to find some way
to help solve the problems with email authentication.

I really like the way CSV avoids all the complexity in SPF.  I'm puzzled,
however, as to why you chose SRV records instead of a free-format TXT.

Along with other things mentioned: DNS gurus frowned upon the use of
TXT.  In the DNS, IPs are normally represented as ~4B, not ~20B.

As I understand it, this limits you to authorizing just one or a few
servers.

Actually, that's not the case.  If the previous responses didn't make
that clear, try implementing it for your domain(s) and you'll see.



I don't see how CSV avoids entering IP addresses, or how it simplifies 
maintenance, especially for a large domain with hundreds of public 
mail servers.  Don't you need both an SRV record (name) and an A 
record (IP address) for each one of those servers?  Fundamentally, you 
always have to make an association between a name and an address.

Again, CSV does not require you to enter IP addresses.  General purpose 
mail servers usually have those IP addresses in the DNS, because most 
receiving mail servers today require each sending mail server to have 
matching forward and reverse DNS records, and its hostname usually 
matches its EHLO.  So the records usually already exist.


Would it not be simpler to have one record list all the mail-serving 
IP blocks for an entire domain?  

No, it would require a more complex change than implementing CSV as is, IMO.

The use of the SRV record avoids complexity by keeping within the
designed scale of DNS by attempting to only resolve the client
associated with the HELO, rather than answer a much more expansive (and
impossible) question regarding all the possible clients that send a
specific mailbox-domain.


It seems like the choice now is between CSV with a large number of 
single-server records, and SPF with far fewer records but the 
potential for abuse of its whiz-bang features.

Nope. Again, if the previous responses didn't make that clear, try 
implementing it for your domain(s) and you'll see.

What I'm looking for is an optimum that has the safety of CSV and 
just a few of the features of SPF.  The ability to authorize hundreds 
of servers in a domain, using one cacheable DNS record, seems like a 
feature that CSV could use.

In the big scheme of things, this ability is not appropriate if you 
consider: What fraction of the time it takes to administer* a mail 
server (over the course of one year, that's one of hundreds of servers 
in a domain) would it take to manage that mail server's CSA record? Even 
if the A records don't already exist, I'd say less than 1%.  So the 
maintenance overhead is trivial.  Placing a trivial administrative 
burden on senders is not inappropriate. Senders shoulder the costs of 
snail mail, and that's appropriate. Anyone who doesn't have the time to 
manage the CSA records doesn't have the time to manage* the server either.
*including hardware, software, connectivity, security, support and (last 
but perhaps not least) abuse issues.

As for the DNS overhead:  CSV will reduce the burden imposed (on the DNS 
in particular and the Internet in general) by current anti-spam 
techniques, far outweighing any add'l costs it imposes.

I'm not convinced that your suggested change wouldn't be more of a bug 
than a feature.  BTW, did someone calculate how many IPv4 addresses a 
single CSA query 512B UDP response can (indirectly - via add'l info) 
authorize, best case?  It's around 25 in a typical case; which is quite 
a few.   (Not that multiple records and failover to TCP aren't both 
options, with which there's no limit!)

It would be easier on DNS than digging down six levels to query every 
server...

Huh?

It seems to me... that [with] CSV ... you can't set up just one simple 
record to authorize all the servers in a domain.

Actually, you can, but it's probably better to authorize them in groups 
(or individually).  Can you tell us what big domain(s) you're involved 
with, if any, or is this a hypothetical?
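As an added example that is not part of this thread (and not code from the CSV/CSA drafts), the following Python sketches the lookup the message describes: resolve an SRV record under `_client._smtp.<EHLO name>`, fetch the A records of each SRV target, and compare the connecting client's IP against them. It also estimates how many A records fit into a single 512-byte UDP reply, the figure debated near the end of the message. The zone data is constructed, the domain names are hypothetical, and the real CSA priority/weight semantics are deliberately not modelled: here a client is treated as authorized simply if its IP appears among the A records of some SRV target.

```python
"""CSA-style check of an SMTP client's EHLO name against SRV/A records.

Added illustration for the CSV-vs-SPF discussion; not code from the thread
or from the CSA draft.  The zone below is constructed for a hypothetical
domain and lives in memory so the example runs offline.
"""
import ipaddress

# Constructed zone (assumption: mail.example.org publishes two SRV targets).
# SRV tuples are (priority, weight, port, target); the priority/weight
# meanings defined by the CSA draft are NOT interpreted here.
ZONE = {
    ("_client._smtp.mail.example.org", "SRV"): [
        (1, 2, 25, "mx1.example.org"),
        (1, 2, 25, "mx2.example.org"),
    ],
    ("mx1.example.org", "A"): ["192.0.2.10", "192.0.2.11"],
    ("mx2.example.org", "A"): ["198.51.100.5"],
}


def lookup(name, rtype, zone=ZONE):
    """Stand-in for a DNS query: return the records of one type for a name."""
    return list(zone.get((name.lower().rstrip("."), rtype), []))


def csa_authorized(ehlo_name, client_ip, zone=ZONE):
    """Return (verdict, reason) for a client that said EHLO <ehlo_name>.

    verdict is "none" (no CSA record published), "pass" (client IP is an
    A record of one of the SRV targets) or "fail" (record exists, no match).
    Only one SRV lookup keyed by the EHLO name is needed, which is the
    point the thread makes about staying within the designed scale of DNS.
    """
    srv = lookup("_client._smtp." + ehlo_name, "SRV", zone)
    if not srv:
        return ("none", "no CSA SRV record for " + ehlo_name)
    ip = ipaddress.ip_address(client_ip)
    for _priority, _weight, _port, target in srv:
        for addr in lookup(target, "A", zone):
            if ipaddress.ip_address(addr) == ip:
                return ("pass", f"{client_ip} is an A record of {target}")
    return ("fail", f"{client_ip} matches none of the SRV targets")


def name_wire_len(name):
    """Bytes an uncompressed DNS name occupies on the wire:
    one length byte per label plus the label, ending with a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def max_a_records_in_512(ehlo_name, srv_targets):
    """Estimate how many A records fit in the additional section of one
    512-byte UDP reply that also carries the SRV answer(s).

    Assumptions: the SRV owner name and each A owner name are 2-byte
    compression pointers; the SRV target is uncompressed (RFC 2782
    forbids compressing it); each RR has 10 bytes of type/class/TTL/RDLENGTH.
    """
    header = 12
    question = name_wire_len("_client._smtp." + ehlo_name) + 4  # + QTYPE/QCLASS
    used = header + question
    for target in srv_targets:
        # 2 (owner pointer) + 10 (fixed) + 6 (priority/weight/port) + target
        used += 2 + 10 + 6 + name_wire_len(target)
    per_a = 2 + 10 + 4  # owner pointer + fixed fields + IPv4 address
    return max(0, (512 - used) // per_a)


if __name__ == "__main__":
    for ip in ("192.0.2.11", "203.0.113.9"):
        print(ip, csa_authorized("mail.example.org", ip))
    print(csa_authorized("other.example.org", "192.0.2.11"))
    targets = [t for *_, t in ZONE[("_client._smtp.mail.example.org", "SRV")]]
    print("A records per 512-byte reply:", max_a_records_in_512("mail.example.org", targets))
```

With two SRV targets for mail.example.org the size estimate comes out at 24 A records in one reply, close to the "around 25" mentioned in the message; each further SRV target costs about 35 bytes, i.e. roughly two A records, and a larger reply needs EDNS0 or the TCP fallback the message alludes to.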