RE: Wild card MXes
2004-05-29 00:47:04
--"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
Am I correct in understanding that right now nobody else on this list
is against the use of wildcards except Bob from Microsoft (and I suppose
everyone else from the same company) and that everybody else on this list
feels that they are an important part of dns->email functionality.
Like Bob I just love wildcards to death. In fact I want more better
and more expressive wildcards.
I have yet to see any application for a MARID wildcard that makes
sense. MX wildcards are a 'catch' for mail sent to a machine that
has been deleted or otherwise does not exist.
Right. One application for MX wildcards (as used at my current workplace)
is, there are internal DNS names that are visible inside, but can't be
resolved by the outside world. So instead we accept mail for
*.ourdomain.com, and once it gets to our mailserver, it knows what to do
with it.
MARID needs to handle wildcard A or wildcard MX, either by a wildcard MARID
record, or by some algorithm we decide to use that finds other records and
then applies them.
Let's focus on the case where there are already wildcard MX or A records.
There may be other cases where you want a wildcard MARID record, but let's
focus on those two cases for now.
A MARID wildcard would only act if the NODE did not exist at all.
That means that mail is being sent from a machine with no DNS node.
I thought the idea here was putting a stop to that type of thing.
Well. In the case of wildcard MX records, someone has decided they want to
receive that mail. When you say "That means that mail is being sent from a
machine with no DNS node," - would you say the same about a wildcard MX
record as it relates to incoming mail?
Anyway, if you are sending mail from a domain name (right hand side) that
doesn't correspond to either an A record or an MX record, you will already
have trouble getting the mail accepted -- sendmail in particular will say
that DNS name doesn't exist and refuse the mail without consulting SPF.
If the domain has a wildcard A record (for some web-hosting application
maybe) then maybe they want to use those unlisted names for web but not for
mail, so they may put a MARID record there that refutes all mail. That's
one possible application we should either support or spend time figuring
out a workaround.
In the case of wildcard MX (with or without A) you have decided to accept
the mail, so you should be able to send from it as well (and use marid
features on it.)
The question here is an engineering tradeoff between support for
a wildcard facility we may not use and the ability to differentiate
MARID records amongst TXT records.
I have provided one possible usage case for wildcard MARID records. I
believe we need them, and I believe putting _prefix before the domain when
attempting the MARID lookup doesn't address the problem. Of course if you
have a wildcard TXT record, _ep.xyz123.domain.com will work, but you get
the same result as xyz123.domain.com. In all other cases, _prefix does
allow you to differentiate the MARID record from the other TXT records. I
don't think there is a solution that solves both wildcards and removes
ambiguity at the same time or for the same set of users... users can either
use wildcards, or they can have separate records for _prefix.xxx.domain.com
that are separate and distinct from their TXT records for xxx.domain.com...
they cannot have both.
Now let me express my personal opinion. I HATE (HATE) the idea of
prepending a _prefix.
Since there has been a lot of attention and hand-wringing on the subject of
"Do we really need Wildcard records?" maybe we should now turn the question
on its head. Could someone come up with a case where real-life TXT records
exist, and there is a compelling need to differentiate the MARID record
from other TXT records? Since I don't know any real-world use cases for
TXT other than SPF, my knowledge is limited in this area.
But, PLEASE let's NOT automatically assume that publishing a TXT record for
the domain in question NEEDS to have a _prefix thrown in just for "good
measure". I have tried to make a case for why we need wildcards: pretty
much all you have to say is "Wildcard MX already exists in nature, so
people will probably want wildcard MARID". Now I would like to see someone
try to defend the need for adding a _prefix just as strongly. (I thought
this was one of the points of Ed's DNS presentation: DNS "subtyping" may
lead to problems, but so does _prefix and suffix.)
My vote is probably going to come down on the side of using TXT records,
with no prefix added, and switching to the MARID RR type when one becomes
available on at least one mainstream mail server.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
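Added example, not part of the thread above and not anyone's posted code: a toy in-memory resolver that applies the RFC 1034 section 4.3.3 wildcard rule (as later restated in RFC 4592) so the two points argued above can be checked directly. The zone contents are constructed for the example; "_ep" stands in for the hypothetical MARID lookup prefix discussed in the post, and the TXT contents are placeholders, not a proposed MARID syntax. It shows (1) that a wildcard only supplies data for names that do not exist as nodes, so an existing host with an A record but no TXT gets NODATA rather than the wildcard TXT; (2) that under a wildcard, xyz123.domain.com and _ep.xyz123.domain.com return the same TXT; and (3) a caveat the post only implies: once a node such as mail.domain.com exists, _ep.mail.domain.com is no longer covered by *.domain.com at all (the closest encloser is mail.domain.com, and there is no *.mail.domain.com), so the prefixed name comes back NXDOMAIN unless an explicit record is published.

```python
"""Toy resolver with RFC 1034 / RFC 4592 wildcard semantics over an
in-memory zone.  Added example for the MARID wildcard discussion; the
zone below is constructed, and '_ep' is the hypothetical lookup prefix."""

from typing import Dict, Iterator, List, Optional, Tuple

Zone = Dict[str, Dict[str, List[str]]]

# Constructed zone: a wildcard MX/TXT at *.domain.com (the "accept mail for
# *.ourdomain.com" setup from the post), two real hosts, and one explicit
# prefixed record.  All owner names are fully qualified (trailing dot).
ZONE: Zone = {
    "domain.com.":         {"MX": ["10 mail.domain.com."], "TXT": ["v=spf1 mx -all"]},
    "mail.domain.com.":    {"A": ["192.0.2.25"]},
    "www.domain.com.":     {"A": ["192.0.2.80"]},           # existing node, no TXT
    "*.domain.com.":       {"MX": ["10 mail.domain.com."], "TXT": ["v=spf1 mx -all"]},
    "_ep.www.domain.com.": {"TXT": ["v=spf1 -all"]},        # explicit prefixed record
}


def ancestors(name: str) -> Iterator[str]:
    """Yield name, then each ancestor: 'a.b.c.' -> 'b.c.' -> 'c.' -> stop."""
    while name:
        yield name
        name = name.split(".", 1)[1]


def node_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns RRs or is an ancestor of a name that does
    (an 'empty non-terminal').  Existing names never receive wildcard data."""
    return any(name in ancestors(owner) for owner in zone)


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata).  rcode is 'NOERROR' or 'NXDOMAIN'; 'NOERROR'
    with an empty list is the NODATA case (name exists, type does not)."""
    if not qname.endswith("."):
        raise ValueError("use fully qualified names ending in '.'")
    if node_exists(zone, qname):
        # Exact-match branch: the node exists, so no wildcard is consulted,
        # even when this node has no record of the requested type.
        return "NOERROR", zone.get(qname, {}).get(qtype, [])
    # Closest encloser: the longest existing ancestor of the query name.
    parent = qname.split(".", 1)[1]
    closest: Optional[str] = next(
        (a for a in ancestors(parent) if node_exists(zone, a)), None)
    if closest is None:
        return "NXDOMAIN", []          # not under any name this zone knows
    source = "*." + closest
    if source in zone:
        # Wildcard synthesis: answer as if the wildcard's data sat at qname.
        return "NOERROR", zone[source].get(qtype, [])
    return "NXDOMAIN", []              # closest encloser has no wildcard child


if __name__ == "__main__":
    queries = [
        ("xyz123.domain.com.", "MX"),      # wildcard MX: mail accepted for it
        ("xyz123.domain.com.", "A"),       # wildcard matches, but no A -> NODATA
        ("xyz123.domain.com.", "TXT"),     # wildcard TXT
        ("_ep.xyz123.domain.com.", "TXT"), # same wildcard TXT as the line above
        ("www.domain.com.", "TXT"),        # node exists, no TXT -> NODATA
        ("_ep.www.domain.com.", "TXT"),    # explicit prefixed record wins
        ("_ep.mail.domain.com.", "TXT"),   # node mail. exists -> NXDOMAIN
    ]
    for q in queries:
        print(f"{q[0]:28} {q[1]:4} -> {lookup(ZONE, *q)}")
```

The NXDOMAIN on _ep.mail.domain.com is the part worth remembering in the prefix debate: a zone-wide wildcard covers a prefixed name only while the unprefixed host does not exist, so every real host would need its own _ep record regardless of the wildcard.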