On 5/13/04 at 10:25 AM -0500, wayne wrote:
> Because many DNS servers will return records in a round robin order
> and because that order depends on other queries made by other
> systems, an individual system can't depend on the order of the
> records in a RR set.

As far as I understand (and maybe I'm mistaken), returning records in
a round robin order is completely configurable for the DNS server.
Indeed, sending things in different order every time is harder work
for the server than sending them in the same order. If a DNS server
is going to serve up MARID records in a random order, it gets what it
pays for.

>> I think it would be reasonable to say that an IP address appearing
>> as both legitimate and illegitimate is a "configuration error" for
>> all intents and purposes, and short-circuiting is a reasonable
>> optimization.

> Yes, but then this configuration problem of an IP address being in
> both sets will show up only some of the time, making debugging much
> harder.

It will only show up some of the time if the server is returning the
records in random order, which again gets you exactly what you ask
for.

> IIRC, Dave Crocker is right. Only two-level expressions of ANDs of
> ORed variables or ORs of ANDed variables (and the equivalent
> UNION/INTERSECTION set notation) are needed to express anything.

Actually, you could do everything with NANDs, but we are straying a bit here.

> Say I want to express the idea that the IP addresses 1.2.3.4
> and 5.6.7.8 are the only legitimate senders of email claiming to be
> from example.com. The "legitimate set" (L) is easy to define, that
> needs two MARID records.

(Slipping into syntax...) or a single MARID record pointing to a domain
name with the two addresses.

> The "illegitimate set" (I), however, needs to define all IP
> addresses other than those two. The (implied) syntax that Pete
> proposes makes expressing this tedious since there is no way to give
> a complementary set.

I had assumed ranges for here.

> Pete didn't specify whether the IP range data would be in the form
> of a.b.c.d-w.x.y.z, or in CIDR notation of h.i.j.k/nn.

Now we're really getting into syntax....

> The latter is shorter most of the time, but since 1.2.3.4 isn't on a
> CIDR boundary, you would have to create even more MARID records to
> specify set I (illegitimate IP addresses).

Or the MARID records would have to hold multiple ranges. Or the
domain name pointed to by the MARID record would have to hold
multiple address ranges. Or......

There are lots of potential ways to do this. And though I agree that
we may at some point need to worry about whether the semantics we
choose are expressible in the syntax of DNS, I'm not worried at this
point. (Perhaps someone who is more DNS-clued than I will dissuade me.)

> they may well want to just say "out MTAs" == "in MTAs", but that
> isn't allowed under Pete's proposal.

True.

> So, example.com has:
> example.com. MX smtp.example.com.
> smtp.example.com. A 1.2.3.4
> example.com. MX secondary.example.net.
> and under the control of example.net:
> secondary.example.net. A 5.6.7.8
> Now, even if you add the complement-set operator, you can't easily
> express the set of illegitimate IP addresses since !smtp.example.com
> includes the IP address of secondary.example.net and vice versa.
> Moreover, example.com may have no idea when example.net changes the
> IP address for secondary.example.net.

This I don't understand. Why can't example.com list
secondary.example.net in its MARID record? It was perfectly capable
of listing it in its MX.
pr
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
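As an added illustration, not part of the thread above, the following Python computes wayne's set I (every IPv4 address other than 1.2.3.4 and 5.6.7.8) in both forms under discussion, CIDR blocks and a.b.c.d-w.x.y.z ranges, so the record-count difference can be seen directly. It uses only the standard ipaddress module; the function names are my own.

```python
import ipaddress

# The whole IPv4 space, from which the legitimate set L is carved out.
IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")


def complement_cidrs(legitimate):
    """Minimal CIDR blocks covering every IPv4 address NOT in `legitimate`.

    Each host or prefix in L is excluded from whichever block still
    contains it; a /32 that is not on a wide CIDR boundary splits its
    block into one sibling per prefix length, hence the long result.
    """
    remaining = [IPV4_ALL]
    for item in legitimate:
        net = ipaddress.ip_network(item)
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                updated.extend(block.address_exclude(net))
            else:
                updated.append(block)
        remaining = updated
    return sorted(remaining)


def complement_ranges(legitimate):
    """The same complement as a list of (first, last) address ranges."""
    nets = sorted(ipaddress.ip_network(item) for item in legitimate)
    ranges = []
    cursor = int(IPV4_ALL.network_address)
    for net in nets:
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if lo > cursor:  # gap before this legitimate block -> one range
            ranges.append((ipaddress.ip_address(cursor),
                           ipaddress.ip_address(lo - 1)))
        cursor = max(cursor, hi + 1)
    last = int(IPV4_ALL.broadcast_address)
    if cursor <= last:  # tail after the last legitimate block
        ranges.append((ipaddress.ip_address(cursor), ipaddress.ip_address(last)))
    return ranges


if __name__ == "__main__":
    # wayne's example set L from the thread.
    legit = ["1.2.3.4", "5.6.7.8"]
    print(len(complement_cidrs(legit)), "CIDR blocks needed for set I")
    print(len(complement_ranges(legit)), "address ranges needed for set I")
```

With the two hosts from the thread, set I takes 57 CIDR blocks but only 3 ranges, which is the cost wayne is pointing at when 1.2.3.4 does not sit on a CIDR boundary.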