At 02:30 PM 4/6/2005 -0700, Matthew Elvey wrote:
On 4/4/05 4:29 PM, David MacQuigg sent forth electrons to convey:
At 09:30 AM 4/4/2005 -0700, Doug Otis wrote:
What I'm looking for is an optimum that has the safety of CSV and just a
few of the features of SPF. The ability to authorize hundreds of servers
in a domain, using one cacheable DNS record, seems like a feature that
CSV could use.
In the big scheme of things, this ability is not appropriate if you
consider: What fraction of the time it takes to administer* a mail server
(over the course of one year, that's one of hundreds of servers in a
domain) would it take to manage that mail server's CSA record? Even if the
A records don't already exist, I'd say less than 1%. So the maintenance
overhead is trivial. Placing a trivial administrative burden on senders
is not inappropriate. Senders shoulder the costs of snail mail, and that's
appropriate. Anyone who doesn't have the time to manage the CSA records
doesn't have the time to manage* the server either.
*including hardware, software, connectivity, security, support and (last
but perhaps not least) abuse issues.
I agree the burden of setting up these DNS records is a small fraction of
the effort to properly run a Public Mail Server. In the end it won't
matter, but it might affect the initial adoption rate. SPF made a big
effort to make things easy, and they got a burst of initial adoption.
As for the DNS overhead: CSV will reduce the burden imposed (on the DNS
in particular and the Internet in general) by current anti-spam
techniques, far outweighing any additional costs it imposes.
See my response to John Leslie on the issue of DNS loading. Looks like a
properly set up SPF record beats CSV on effectiveness of DNS record caching.
I'm not convinced that your suggested change wouldn't be more of a bug
than a feature. BTW, did someone calculate how many IPv4 addresses a
single CSA query 512B UDP response can (indirectly - via additional info)
authorize, best case? It's around 25 in a typical case, which is quite a
few. (Not that multiple records and failover to TCP aren't both options,
with which there's no limit!)
The "one-query" response I have in mind would put the entire authentication
information for a large ISP in one 512-byte packet, including both IP and
signature authentication methods. This packet would be cacheable for days,
and its cache value :>) would be high, because you will get a lot of emails
from that ISP that can be authenticated from the same record.
Here is an example of a 175-byte authentication record for a large, complex
domain, with many subdomains and thousands of servers all over the
USA. This domain provides 2 authentication methods, CSV2 and DK3.
meth=CSV2,DK3
CSV2:ip=170(Kapi2RPMcR1CxEJdXOkLCFEC),4(MQDTO0fzuShRvL8q0m5sitIH3)
DK3:dk=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5
o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EX
zVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
In the record above, we see that the domain has organized its public mail
servers into 6 blocks of 170 IPs each and 5 blocks of 4 IPs each. The
small blocks might be regional offices around the country with one mail
server and a backup. The 6 large blocks might be racks of servers for
outgoing customer emails.
The blocks of 170 IPs can be as large as 256 without making the encoded
strings any longer, but this domain owner chose to exclude the last part of
each IP block. This allows those excluded IPs to be allocated to customers
without risking the domain's reputation.
The administrative burden consists of updating the DomainKey once a week,
and occasionally moving one of the IP blocks when an office is closed or
moved to a different part of IP space. This is done with a friendly setup
tool, not by editing the strings above.
There is *no* administrative burden with all the day-to-day movement of
servers within the blocks, or even between blocks (moving a bunch of
servers between existing offices in Austin and Albuquerque, for
example). There are no DNS records for individual servers.
It seems to me... that [with] CSV ... you can't set up just one simple
record to authorize all the servers in a domain.
Actually, you can, but it's probably better to authorize them in groups
(or individually). Can you tell us what big domain(s) you're involved
with, if any, or is this a hypothetical?
I have no connection with any company in the email business. I'm just an
engineer who enjoys venturing into new territory. The example above was
based on a real setup, but so far it is hypothetical. For the actual setup
go to mxtoolbox.com and look at the current SPF record for rr.com.
SPF is heading this direction with their latest "mask" feature. Then they
will actually have lower DNS loads than CSV !! It will take them years to
get rid of all the early "baggage" however. CSV could do the above, coming
at it from a much better direction, without the baggage.
--
Dave
David MacQuigg, PhD            email: david_macquigg at yahoo.com
IC Design Engineer             phone: USA 520-721-4583
Analog Design Methodologies
9320 East Mikelyn Lane
VRS Consulting, P.C.           Tucson, Arizona 85710
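As an added illustration, not part of the message above and not from the CSV or SPF specifications: a small Python encoder/decoder for the kind of compact "ip=" field David sketches, plus the receiver-side check that a connecting IP falls inside one of the authorized blocks and a test that the assembled record fits a 512-byte UDP payload. The message does not define how its base64 strings are laid out, so the layout used here (one three-octet /24 prefix per block, blocks of equal size grouped, base64 padding dropped) is my assumption and does not reproduce the exact strings in the record; the /24 prefixes in SAMPLE_GROUPS are constructed, and the DK3 key text is copied from the record in the message.

```python
"""Toy encoder/decoder for a compact 'ip=' authorization field of the kind
sketched in the message (added example; not from the message or any spec).

Layout assumptions, all mine:
  * a block is a run of host addresses inside one /24, starting at .0 and
    covering <size> hosts (1..256); a size below 256 leaves the tail of the
    /24 unauthorized, as the message describes for its blocks of 170;
  * each block is identified by the first three octets of its /24 (3 bytes);
  * blocks of equal size are grouped as  <size>(<base64 of 3-byte prefixes>),
    base64 '=' padding dropped, groups comma-separated.
"""
import base64
import ipaddress
import re

GROUP_RE = re.compile(r"(\d+)\(([A-Za-z0-9+/]*)\)")

# Public key text copied from the DK3 line of the record in the message.
DK_PUBKEY = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5"
    "o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EX"
    "zVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"
)

# Constructed sample: six /24s of 170 hosts each, five /24s of 4 hosts each.
SAMPLE_GROUPS = {
    170: [f"10.10.{i}" for i in range(6)],
    4: [f"10.20.{i}" for i in range(5)],
}


def _b64(raw: bytes) -> str:
    """Standard base64 with the trailing '=' padding removed."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore the padding, then decode."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def encode_ip_field(groups: dict) -> str:
    """{block_size: ['10.10.0', ...]} -> 'ip=170(<b64>),4(<b64>)'."""
    parts = []
    for size, prefixes in groups.items():
        if not 1 <= size <= 256:
            raise ValueError(f"block size {size} out of range 1..256")
        raw = bytearray()
        for p in prefixes:
            octets = [int(o) for o in p.split(".")]
            if len(octets) != 3:
                raise ValueError(f"{p!r} is not a three-octet /24 prefix")
            raw += bytes(octets)  # bytes() rejects any octet outside 0..255
        parts.append(f"{size}({_b64(bytes(raw))})")
    return "ip=" + ",".join(parts)


def decode_ip_field(field: str) -> list:
    """'ip=...' -> [(network_as_int, size), ...], one entry per block."""
    if not field.startswith("ip="):
        raise ValueError("field does not start with 'ip='")
    blocks = []
    for size, b64 in GROUP_RE.findall(field[3:]):
        raw = _unb64(b64)
        if len(raw) % 3:
            raise ValueError("prefix data is not a multiple of 3 bytes")
        for i in range(0, len(raw), 3):
            # three prefix octets plus a zero host octet = the /24 network
            net = int.from_bytes(raw[i:i + 3] + b"\x00", "big")
            blocks.append((net, int(size)))
    return blocks


def is_authorized(field: str, ip: str) -> bool:
    """Receiver-side check: does the connecting IP fall in an authorized block?"""
    addr = int(ipaddress.IPv4Address(ip))
    return any(net <= addr < net + size for net, size in decode_ip_field(field))


def build_record(ip_field: str, dk_pubkey: str) -> str:
    """Assemble the three-line record shape shown in the message."""
    return "\n".join(["meth=CSV2,DK3", "CSV2:" + ip_field, "DK3:dk=" + dk_pubkey])


def fits_udp(record: str, limit: int = 512) -> bool:
    """Would the record text alone fit the classic 512-byte DNS/UDP payload?"""
    return len(record.encode("ascii")) <= limit


if __name__ == "__main__":
    field = encode_ip_field(SAMPLE_GROUPS)
    record = build_record(field, DK_PUBKEY)
    print(record)
    print(len(record.encode("ascii")), "bytes; fits in 512:", fits_udp(record))
    for ip in ("10.10.3.169", "10.10.3.170", "10.20.4.3", "10.20.4.4"):
        print(ip, "authorized" if is_authorized(field, ip) else "not authorized")
```

The point of the tail exclusion in the message shows up in is_authorized: with a block size of 170, host .169 of a /24 is accepted and .170 is refused, so addresses handed to customers above the cutoff never inherit the domain's authorization. Eleven blocks encode in 44 base64 characters here, and the whole record, key included, stays well under the 512-byte payload the thread is worried about.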