ietf-mxcomp
[Top] [All Lists]

Re: A 30% solution

2004-05-13 10:17:21

On 5/13/04 at 10:25 AM -0500, wayne wrote:

Because many DNS servers will return records in a round robin order and because that order depends on other queries made by other systems, an individual system can't depend on the order of the records in a RR set.

As far as I understand (and maybe I'm mistaken), returning records in a round robin order is completely configurable for the DNS server. Indeed, sending things in different order every time is harder work for the server than sending them in the same order. If a DNS server is going to serve up MARID records in a random order, it gets what it pays for.

I think it would be reasonable to say that an IP address appearing as both legitimate and illegitimate is a "configuration error" for all intents and purposes, and short-circuiting is a reasonable optimization.

Yes, but then this configuration problem of an IP address being in both sets will show up only some of the time, making debugging much harder.

It will only show up some of the time if the server is returning the records in random order, which again gets you exactly what you ask for.

IIRC, Dave Crocker is right. Only two-level expressions of ANDs of ORed variables or ORs of ANDed variables (and the equivalent UNION/INTERSECTION set notation) are needed to express anything.

Actually, you could do everything with NANDs, but we are straying a bit here.

Say I want to express the idea that only the IP addresses 1.2.3.4 and 5.6.7.8 are the only legitimate senders of email claiming to be from example.com. The "legitimate set" (L) is easy to define, that needs two MARID records.

(Slipping into syntax...) or a single MARID record point to a domain name with the two addresses.

The "illegitimate set" (I), however, needs to define all IP addresses other than those two. The (implied) syntax that Pete proposes makes expressing this tedious since there is no way to give a complementary set.

I had assumed ranges for here.

Pete didn't specify whether the IP range data would be in the form of a.b.c.d-w.x.y.z, or in CIDR notation of h.i.j.k/nn.

Now we're really getting into syntax....

The latter is shorter most of the time, but since 1.2.3.4 isn't on a CIDR boundary, you would have to create even more MARID records to specify set I (illegitimate IP addresses).

Or the MARID records would have to hold multiple ranges. Or the domain name pointed to by the MARID record would have to hold multiple address ranges. Or......

There are lots of potential ways to do this. And though I agree that we may at some point need to worry about whether the semantics we choose are expressible in the syntax of DNS, I'm not worried at this point. (Perhaps someone who is more DNS-clued than I will disuade me.)

they may well want to just say "out MTAs" == "in MTAs", but that isn't allowed under Pete's proposal.

True.

So, example.com has:

example.com.  MX  smtp.example.com.
smtp.example.com.  A  1.2.3.4
example.com.  MX  secondary.example.net.

and under the control of example.net:
secondary.example.net. A 5.6.7.8

Now, even if you add the complement-set operator, you can't easily express the set of illegitimate IP address since !smtp.example.com includes the IP address of secondary.example.net and vice versa. More over, example.com may have no idea when example.net changes the IP address for secondary.example.net.

This I don't understand. Why can't example.com list secondary.example.net in its MARID record? It was perfectly capable of listing it in its MX.

pr
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102