On September 8, 2005 at 17:57, John Leslie wrote:
If I have an SMTP client called smtp.example.com that I want
to authorize under CSA, I should have the following records in
my zone file:
_client._smtp.smtp.example.com. IN SRV 1 2 1 smtp.example.com.
smtp.example.com. IN A 172.30.10.33
This would say that; but it also says that all subdomains of
smtp.example.com will have CSA records. If you don't mean to say
anything about subdomains, you would use "SRV 1 2 0". (This is
described in detail in documents at http://mipassoc.org/csv/ ).
Examples would help. It appears that in the avoid example, the
Port of 1 is mainly for use when an EHLO domain is a sub-domain of
smtp.example.com, but no SRV record is given for the sub-domain.
I.e. If EHLO domain is "smtp.example.com", the SMTP server
is not expected to "cache" the Port value in case of an EHLO domain
is provided in the future that is a sub-domain of smtp.example.com,
for example
EHLO sub.smtp.example.com
What the SMTP server will do is first query for an SRV for
_client._smtp.sub.smtp.example.com. If not present, it will then
do the "walk" by querying _client._smtp.smtp.example.com and
checking the Port setting for CSA records assertion.
In this case, the _client._smtp.smtp.example.com is serving
"double duty" by defining authorization for smtp.example.com and
for asserting CSA policy for all sub-domains.
Side question: I still am not sure how an SMTP server is to determine
when it hits a top-level domain? Are top-level domains always the
last component of a domain name? If so, will domains like com.au
and tx.us receive bogus queries (assuming CSV becomes widespread)?
I'm trying to understand the applicable uses of a Weight summed value
of 3. What are the cases where authorization is allowed, but target
must not be used for authentication?
There are known cases where the number of actual IP addresses
assigned to a domain-name exceeds what can be returned _and_ the
domain managers choose to use a non-standard DNS server which returns
an incomplete list. Although the design team is strongly of the opinion
that such domain names should not be used as EHLO strings, we do not
choose to try to enforce that belief. Thus there must be an escape
hatch. There may be other cases as well...
But then how does the "escape hatch" work in this case?
If a Weight 3 is given, must the SMTP server do an address lookup
on the EHLO domain to determine authenticity? It seems from your
later text, the server must not. What use is there is specifying
authorization when authentication cannot be established?
To make the specification complete, I think the Weight 3 use case(s)
should be described and/or the reasoning behind the existence of
Weight 3.
--ewh
_______________________________________________
ietf-clear mailing list
ietf-clear(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-clear