On 4/4/05 4:29 PM, David MacQuigg sent forth electrons to convey:
At 09:30 AM 4/4/2005 -0700, Doug Otis wrote:
On Mon, 2005-04-04 at 09:59 -0700, David MacQuigg wrote:
Hello, I just came from the SPF camp. Please don't shoot me. :>) I'm not an SPF advocate. I'm an electronic design engineer hoping to find some way to help solve the problems with email authentication.

I really like the way CSV avoids all the complexity in SPF. I'm puzzled, however, as to why you chose SRV records instead of a free-format TXT. As I understand it, this limits you to authorizing just one or a few servers.

Along with other things mentioned: DNS gurus frowned upon the use of TXT. In the DNS, IPs are normally represented as ~4B, not ~20B.
Actually, that's not the case. If the previous responses didn't make
that clear, try implementing it for your domain(s) and you'll see.
I don't see how CSV avoids entering IP addresses, or how it simplifies
maintenance, especially for a large domain with hundreds of public
mail servers. Don't you need both an SRV record (name) and an A
record (IP address) for each one of those servers? Fundamentally, you
always have to make an association between a name and an address.
Again, CSV does not require you enter IP addresses. General purpose
mail servers usually have those IP addresses in the DNS, because most
receiving mail servers today require each sending mail server to have
matching forward and reverse DNS records, and its hostname usually
matches its EHLO. So the records usually already exist.
Would it not be simpler to have one record list all the mail-serving
IP blocks for an entire domain?
No, it would require a more complex change than implementing CSV as is, IMO.
The use of the SRV record avoids complexity by keeping within the
designed scale of DNS by attempting to only resolve the client
associated with the HELO, rather than answer a much more expansive (and
impossible) question regarding all the possible clients that send a
specific mailbox-domain.
It seems like the choice now is between CSV with a large number of
single-server records, and SPF with far fewer records but the
potential for abuse of its whiz-bang features.
Nope. Again, if the previous responses didn't make that clear, try
implementing it for your domain(s) and you'll see.
What I'm looking for is an optimum that has the safety of CSV and
just a few of the features of SPF. The ability to authorize hundreds
of servers in a domain, using one cacheable DNS record, seems like a
feature that CSV could use.
In the big scheme of things, this ability is not appropriate if you
consider: What fraction of the time it takes to administer* a mail
server (over the course of one year, that's one of hundreds of servers
in a domain) would it take to manage that mail server's CSA record? Even
if the A records don't already exist, I'd say less than 1%. So the
maintenance overhead is trivial. Placing a trivial administrative
burden on senders is not inappropriate. Senders shoulder the costs of
snail mail, and that's appropriate. Anyone who doesn't have the time to
manage the CSA records doesn't have the time to manage* the server either.
*including hardware, software, connectivity, security, support and (last
but perhaps not least) abuse issues.
As for the DNS overhead: CSV will reduce the burden imposed (on the DNS
in particular and the Internet in general) by current anti-spam
techniques, far outweighing any add'l costs it imposes.
I'm not convinced that your suggested change wouldn't be more of a bug
than a feature. BTW, did someone calculate how many IPv4 addresses a
single CSA query 512B UDP response can (indirectly - via add'l info)
authorize, best case? It's around 25 in a typical case; which is quite
a few. (Not that multiple records and failover to TCP aren't both
options, with which there's no limit!)
It would be easier on DNS than digging down six levels to query every
server...
Huh?
It seems to me... that [with] CSV ... you can't set up just one simple
record to authorize all the servers in a domain.
Actually, you can, but it's probably better to authorize them in groups
(or individually). Can you tell us what big domain(s) you're involved
with, if any, or is this a hypothetical?
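As an added illustration of the 512-byte question raised in the thread (this is not code from the thread or from the CSV drafts): a Python model of the RFC 1035 wire-size arithmetic for one CSA reply, assuming the reply carries a single SRV answer for `_client._smtp.<HELO name>` and the target host's A records in the additional section, with name compression and no EDNS0. The hostnames are constructed.

```python
# Constructed model of a CSA-style DNS reply's wire size (RFC 1035 framing).
# Assumption: one SRV answer plus N A records for the SRV target, all
# owner names compressed to 2-byte pointers, classic 512-byte UDP limit.

DNS_HEADER = 12   # RFC 1035 section 4.1.1
RR_FIXED = 10     # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
POINTER = 2       # compressed name pointer, RFC 1035 section 4.1.4
A_RDATA = 4       # one IPv4 address
SRV_FIXED = 6     # priority(2) + weight(2) + port(2), before the target name
UDP_LIMIT = 512   # pre-EDNS0 UDP payload limit discussed in the thread


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a DNS name: length-prefixed labels + root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def name_size(name: str, qname: str) -> int:
    """Bytes needed for `name` if it can be compressed against the QNAME suffix."""
    if qname == name or qname.endswith("." + name):
        return POINTER
    return len(encode_name(name))


def csa_response_size(helo: str, target: str, n_addrs: int) -> int:
    """Total message size: header + question + SRV answer + n_addrs A records."""
    qname = f"_client._smtp.{helo}"
    question = len(encode_name(qname)) + 4          # QNAME + QTYPE + QCLASS
    srv = POINTER + RR_FIXED + SRV_FIXED + name_size(target, qname)
    a_rr = POINTER + RR_FIXED + A_RDATA             # owner pointer to target
    return DNS_HEADER + question + srv + n_addrs * a_rr


def max_authorized_addrs(helo: str, target: str, limit: int = UDP_LIMIT) -> int:
    """How many A records (hence IPv4 addresses) fit in one reply under `limit`."""
    base = csa_response_size(helo, target, 0)
    return max(0, (limit - base) // (POINTER + RR_FIXED + A_RDATA))


if __name__ == "__main__":
    # SRV target equal to the HELO host: the target compresses to a pointer.
    print(max_authorized_addrs("mail.example.com", "mail.example.com"))
```

The count lands in the high twenties for a short HELO name, which is the "around 25" figure above; a longer QNAME or an uncompressible SRV target lowers it, and any excess forces multiple records or TCP fallback as the thread notes.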