The problem with this line of reasoning is that there are many small
businesses with ISPs that refuse to delegate the reverse lookup space.
By using reverse IP lookup, the answer is under the control of the ISP,
not the small business. Aside from the fact that this will result in
wrong answers, it also represents a further power shift from end users
to ISPs, and is a bad idea for that reason.
To add a little concrete by way of an example, I own domain
wegelyon.org. My MTA operates at IP address 207.202.147.45. However, a
reverse IP lookup of this address yields
ip45.gte147.dsl-acs2.sea.iinet.com, which is not the same thing at all.
Looking at something in the IN-ADDR space would get you IINet's opinion
of whether I have an MTA, not MY opinion of whether I have an MTA.
-- jimbo
-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of
william(at)elan.net
Sent: Friday, May 21, 2004 3:25 AM
To: IETF MARID WG
Subject: [spf-discuss] PTR Domain validation idea
While some of you work on SPFID drafts for RFC822 From: header, I wanted
to run by others a different idea. Usually I advocated putting MARID
records into INADDR tree (as a resource to indicate if the ip should
be acting as SMTP client), the idea I have right now is to put MARID
records instead into domain of the PTR record for the ip.
This avoids problems you otherwise encounter with INADDR tree while
preserving
basicly same functionality. Additionally I propose this to be used in
conjunction with EHLO checking - if EHLO listed domain does not have
record indicating if it can act as SMTP client, then server can perform
same kind of lookup for domain it obtains by doing PTR query for the
connecting ip and it asks there if that ip can act as an smtp client.
This is pretty simple and should be effective against zombie computers
which in my view is the biggest problem and supports majority of spam
and that should be solved, the sooner the better.
Here is a practical example how this might work:
$ nslookup -querytype=PTR 216.151.192.4
4.192.151.216.in-addr.arpa name = wwwtelnet.elan.net.
$ nslookup -querytype=TXT wwwtelnet.elan.net
wwwtelnet.elan.net text = "v=spf1 -all"
$ nslookup -querytype=SRV _sa._smtp._tcp.wwwtelnet.elan.net
_sa._smtp._tcp.wwwtelnet.elan.net service = 0 0 0
2.0.0.127.IN-ADDR.ARPA.
P.S. For those who don't like PTR and INADDR tree in general, I note
that
AOL for one already requires that servers that connect to it have
valid PTR name. But valid name is not the same as valid smtp server
or the other way around.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net