At 10:23 PM 6/25/2005 -0400, Mike Pinkerton wrote:
> On 25 Jun 2005, at 10:37, David MacQuigg wrote:
>> Seems like the fundamental requirements for an ideal authentication
>> record are:
>> 1) Fit well within one 512-byte DNS packet, including some margin for
>> later expansion of other sections of that record.
>> 2) Accommodate any reasonable number of IP addresses in a multi-homed
>> host setup.
>> 3) Maximize the efficiency of DNS caching by encouraging aggregation of
>> IP addresses into one record.
>> 4) Avoid problems with unexpected variations in the response to a query,
>> problems like incomplete record sets.
>> 5) Avoid the temptation of including hosts outside the direct and
>> immediate control of the sender.
>> 6) Avoid opportunities for abuse, especially anything involving DNS.
>> How about allowing one CIDR block?
> </lurk>
> Dave, how would a CIDR block help with a multi-homed host, or are you
> trying to address a different issue with that suggestion?
Sorry for the confusion. I should have said - How about allowing one range
of IP addresses? That range could be specified using CIDR notation. For
example, a block of 8 addresses could be written as "216.183.171.192/29".
CIDR notation has the advantage that it is widely used, so there might be
less resistance from people who really don't want to provide any
authentication records at all. From a purely technical perspective, we
could invent a syntax which is more flexible and more compact. Say you
wanted to authorize 9 IPs, in a range not starting on a CIDR
boundary. That could be done with a base64 syntax like "9,G+vW7", or
perhaps a little more readable in hex "9,A38D470B".
If I understand John's comment, this would require (ab)use of a TXT
record. I understand that some DNS folks don't want TXT records re-used
for new applications, but since CSV is doing that anyway, I don't
understand the objection here.
> If you are trying to address another issue with your CIDR suggestion, is
> there any reason that a single host's HELO would need to be associated
> with multiple A records other than (1) multi-homing or (2) using a domain
> name rather than a host name for a HELO?
The only issues I was trying to address were the six above. I could add
one more:
7) Easy setup by mail system admins not familiar with DNS.
Think of some overworked guy who spends all day answering help desk calls
at a small ISP. One day he has to deal with a new problem - some
"authentication thingy" that is causing his outgoing mail to be rejected.
One last comment on syntax and record complexity: Think what will happen
if we ever have a consolidated DNS record including domain ratings, data
from other authentication methods, etc. CSV could have a significant
advantage over other authentication methods.
--
Dave
David MacQuigg, PhD              email: david_macquigg at yahoo.com
IC Design Engineer               phone: USA 520-721-4583
Analog Design Methodologies
VRS Consulting, P.C.
9320 East Mikelyn Lane
Tucson, Arizona 85710
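The two record syntaxes compared in the message (a CIDR block such as "216.183.171.192/29" and the sketched "count,hex-start" form such as "9,A38D470B") can be tried out with the following code. This is an added example, not code from the thread or from the CSV specification; the "count,HEXSTART" syntax is the hypothetical one sketched above (the base64 variant is not implemented), and the record strings are taken from the message. It expands both forms into address sets, does the receiver-side membership check, and shows why the 9-address range starting at 0xA38D470B (163.141.71.11) cannot be written as a single CIDR block: the minimal CIDR cover for it is three entries. Rejecting a CIDR block whose host bits are not zero is an added check against requirement 4 (unexpected variations in what a record means).

```python
import ipaddress
from typing import List, Set

# Sample records, constructed for this example from the two forms sketched
# in the message: a CIDR block and the compact "count,HEXSTART" syntax.
CIDR_RECORD = "216.183.171.192/29"   # 8 addresses, .192 through .199
COMPACT_RECORD = "9,A38D470B"        # 9 addresses from 0xA38D470B = 163.141.71.11


def expand_cidr(block: str) -> List[ipaddress.IPv4Address]:
    """Expand a CIDR block into every member address.

    strict=True rejects blocks whose host bits are not zero (e.g. .193/29),
    so a sloppily published record fails loudly instead of quietly
    authorizing a different range than the publisher intended.
    """
    net = ipaddress.IPv4Network(block, strict=True)
    return list(net)


def parse_compact(spec: str) -> List[ipaddress.IPv4Address]:
    """Parse the hypothetical 'count,HEXSTART' form: a decimal count of
    consecutive addresses, then the first address as exactly 8 hex digits."""
    count_s, hex_s = spec.split(",", 1)
    count = int(count_s, 10)
    if count < 1 or len(hex_s) != 8:
        raise ValueError(f"malformed compact record: {spec!r}")
    start = ipaddress.IPv4Address(int(hex_s, 16))
    if int(start) + count - 1 > 0xFFFFFFFF:
        raise ValueError(f"range runs past the end of IPv4 space: {spec!r}")
    return [start + i for i in range(count)]


def parse_record(spec: str) -> Set[ipaddress.IPv4Address]:
    """Accept either form and return the set of authorized addresses."""
    if "/" in spec:
        return set(expand_cidr(spec))
    return set(parse_compact(spec))


def is_valid_record(spec: str) -> bool:
    """True if the record parses cleanly; False for anything a receiver
    should reject rather than guess at."""
    try:
        parse_record(spec)
        return True
    except ValueError:
        return False


def is_authorized(spec: str, client_ip: str) -> bool:
    """Receiver-side check: is the connecting client in the published range?"""
    return ipaddress.IPv4Address(client_ip) in parse_record(spec)


def minimal_cidr_cover(addrs) -> List[str]:
    """Smallest list of CIDR blocks that exactly covers a contiguous range.

    A range that does not start on a block boundary needs several blocks,
    which is the case a count-plus-start syntax handles in one entry.
    """
    first, last = min(addrs), max(addrs)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    print(CIDR_RECORD, "->", len(expand_cidr(CIDR_RECORD)), "addresses")
    compact = parse_compact(COMPACT_RECORD)
    print(COMPACT_RECORD, "->", compact[0], "..", compact[-1])
    print("same range as CIDR blocks:", minimal_cidr_cover(compact))
    print("216.183.171.193/29 valid?", is_valid_record("216.183.171.193/29"))
```

Run it directly to see the expansion of both records; the CIDR cover printed for the compact record is 163.141.71.11/32, 163.141.71.12/30 and 163.141.71.16/30, so a receiver asked to honour only one CIDR block could not accept that range at all.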