ietf-mxcomp

Not just which dots, but how are they connected?

2004-04-22 17:51:48

Front matter:  I'm posting this as just-another-bozo-on-this-bus, not
as this group's Area Advisor.

I've just caught back up on the mailing list, and one of the concerns
I have reading it is that some of the interconnections here seem
to have been lost.  This may well be because folks here are so much
more immersed in the work that they are elided for brevity or
shortened past my limited recognition, but it concerns me that we may
be eliding things that might help guide our choices.

To quote the charter for a moment:


   It would be useful for those maintaining domains and networks
   to be able to specify that individual hosts or nodes are authorized
   to act as MTAs for messages sent from those domains or networks.
   This working group will develop a DNS-based mechanism for
   storing and distributing information associated with that
   authorization.

My reading of this (again, as bozo-on-the-bus, not AD), is that our aim
is to describe a mechanism that allows an administrative entity
to enter data into the DNS that says "here is the set of hosts/nodes
which I use as MTAs when I talk to the outside world".

There is an immediate "relationship" question here.  Are we talking about
the domain "employing" those hosts or the domain being "responsible for"
those hosts?  Note that an MX record lists the hosts a domain "employs"
as mail exchangers and that it has been common for a different domain
to be "responsible for" at least one of the MX hosts at some points in
the Internet's history.

So my question one:  is it valuable for a domain to be able to list the set
of hosts it "employs" as outbound MTAs?

My question two:  is it valuable for a domain to be able to list the set of
hosts it is "responsible for" as outbound MTAs?

They may well be the same, of course, but what each statement means is
different--one means "I have privileged access to this box; I can shut it
down, upgrade the software, touch the queues, or swap it out" where the other
means "My administrative domain uses this box to send mail to the world".
And they may be different; in some outsourcing cases, there is no expectation
that the organization employing the box has privileged access.

Let's imagine for a second that we've decided we need both a record
for the "responsible for" relationship and for the "employed by"
relationship.  Cool.  Now we need to discuss how someone
who wants to check that an MTA is listed in the appropriate sets
associates some part of the SMTP exchange with the domains
that are "responsible for" the host and which "employ" it. (NB: *sets*)
If there are parts of the SMTP exchange that allow us to
make those associations, then we need to make clear 1) what
part is being examined 2) which relationship it's associated
with 3) the DNS query you use to check the set (or expression
or whatever) listing the hosts in that domain with that relationship.

It then becomes a matter of local policy to determine whether
the check is applied (or which checks are applied) and what the
result is when the checked MTA isn't in the set.  You might check
a different set if multiples are defined; you might not.  That's
a local policy.

If there were easy, unambiguous parts of the SMTP exchange for each
of these relationships for all potential mail flows our lives would be easier;
there aren't.  I believe there is a strong need for work to define
how, for example, you understand "employed by" in a mailing list
or forwarded context.  That does not to me, personally, imply that
it isn't possible; it may mean to others, however, that there is more
bang for the buck in defining "responsible for" (which may be
less ambiguous).  But we have to be very clear that we cannot
assume "responsible for"="employs" in all cases.  We have to know
what relationship we're trying to discern as we look at the
different parts of the mail exchange to know how well the pieces
we've got match the relationships we want to bring to light.

I do not mean to imply "responsible for" and "employs" are
the only relationships or the critical ones--there may be others. But I believe
it might help if we start from that perspective.

It also strikes me that there are some folks who are looking at
this from a much more general case and want to understand
which headers it would be useful to *validate* (full stop).
That's a different problem space; s/mime has taken it on,
as has PGPMime.  There may well be more useful methods
to be found in that arena (and judging from uptake I hope so), but it is
a different problem space at least as I understand it, because validating
the header content goes beyond describing a relationship
to an administrative domain.  At least in my view, it also goes beyond
the kind of check we'd assign to an MTA in the usual mail
flow.

Again, just another-bozo-on-the-bus here, but I do hope folks
will think about what relationships they're trying to bring to
light as they consider what parts of the email exchange will
be examined prior to the DNS query doing the check against
the set.

                        regards,
                                Ted Hardie
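
The sketch below is an added example, not part of the message above and not code from the working group. It models the two relationships as separate host sets and shows how an outsourced sender and a forwarded message give different answers depending on which part of the SMTP exchange is tied to which relationship. The in-memory tables standing in for DNS, the pairing of HELO with "responsible for" and MAIL FROM with "employs", and all domain names and addresses are assumptions made for illustration.

```python
# Constructed stand-ins for two hypothetical DNS-published host sets.
# The message defines no record format; these tables are assumptions.
EMPLOYS = {  # domain -> hosts it uses to send mail to the world
    "example.org": {"192.0.2.10", "198.51.100.25"},
    "lists.example.net": {"203.0.113.5"},
}
RESPONSIBLE_FOR = {  # domain -> hosts it has privileged access to
    "example.org": {"192.0.2.10"},
    "outsourcer.example": {"198.51.100.25"},
    "lists.example.net": {"203.0.113.5"},
}

# Assumed mapping: (1) part of the SMTP exchange examined,
# (2) relationship it is associated with, (3) set that is queried.
CHECKS = {
    "employs": ("mail_from_domain", EMPLOYS),
    "responsible_for": ("helo_domain", RESPONSIBLE_FOR),
}


def check(session, relationship):
    """Return 'listed', 'not-listed' or 'no-data' for one relationship."""
    field, table = CHECKS[relationship]
    hosts = table.get(session[field])
    if hosts is None:
        return "no-data"  # the domain publishes nothing for this relationship
    return "listed" if session["client_ip"] in hosts else "not-listed"


def evaluate(session, local_policy):
    """Run only the checks the receiver's local policy asks for."""
    return {rel: check(session, rel) for rel in local_policy}


# Constructed SMTP sessions (values are sample data, not captures).
DIRECT = {"client_ip": "192.0.2.10", "helo_domain": "example.org",
          "mail_from_domain": "example.org"}
OUTSOURCED = {"client_ip": "198.51.100.25", "helo_domain": "outsourcer.example",
              "mail_from_domain": "example.org"}
FORWARDED = {"client_ip": "203.0.113.5", "helo_domain": "lists.example.net",
             "mail_from_domain": "example.org"}

if __name__ == "__main__":
    for name, s in [("direct", DIRECT), ("outsourced", OUTSOURCED),
                    ("forwarded", FORWARDED)]:
        print(name, evaluate(s, ["employs", "responsible_for"]))
```

The forwarded session is the ambiguous case: the forwarding host is listed by the domain responsible for it but not by the domain named in the envelope sender, so the outcome depends entirely on which relationship local policy chooses to check.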