ietf-mxcomp

Re: Fwd: MARID use of reverse-DNS

2004-07-02 16:58:45


I've already commented that if RIRs consider it too much of an issue with 
adding a new record into the INADDR tree, we have an easy way out by checking 
some type of MARID record for the corresponding PTR DNS name. Currently major
ISPs (like AOL) already require a valid PTR record for connecting hosts,
and handling of PTR delegations is fairly well understood and documented 
by several RFCs.

I've talked about this with Meng and he included the info in the unified SPF 
framework/proposal (please write that proposal up in clearer text than 
just an online presentation). The only issue I had is that 
unified SPF did not provide syntax to delimit PTR-only authorization 
records from some other type of SPF record, which required an identity scope 
modifier, and I think that was proposed as a type of macro (although that 
would only be of use for redirects, right?). 

I do additionally note on the identity scope issue that the number of identities 
is likely to remain rather small. If you consider something other than a 
macro and at the same time want to keep SPF syntax small, then one 
modifier prefix symbol + one identity letter (i.e. two symbols) should
be enough to add this info and not require multiple DNS lookups. For 
example, let's say $ is a prefix symbol and identity symbols are:
m = envelope mail from, e = ehlo, p = ptr, s = submitter (rfc822 from)

Then SPF syntax to use them might be:
  v=spf2 $sm?a/24 $p+ip4:192.168.0.0/16 $e+ptr $p~all -all
(note $sm means it applies to both submitter and mail from)

Additionally, I think scoping in general might be useful. Could use "<" 
and ">" for that (maybe something else...), so here is another example:
  v=spf2 $sm<a/24 mx> $p<ip:192.168.0.0/16 ~all> $e+ptr -all

---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
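
An added example, not part of the original message and not code from any SPF or MARID implementation: a small parser for the first proposed syntax that shows which mechanisms a checker would evaluate for each identity. The `$` prefix and the m/e/p/s letters come from the message; the function names, the rule that an unprefixed term applies to every identity, and the requirement that a scoped term carry an explicit qualifier are assumptions.

```python
import re

# Identity letters and the "$" prefix are the ones proposed in the message.
SCOPES = {"m": "mail-from", "e": "ehlo", "p": "ptr", "s": "submitter"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Optional "$<letters>", optional qualifier, then the mechanism text.
TERM = re.compile(r"^(?:\$([meps]+))?([+\-~?])?(.+)$")


def parse_scoped_record(record):
    """Split a record into (scopes, result, mechanism) tuples, in order."""
    version, *terms = record.split()
    if version != "v=spf2":
        raise ValueError(f"unexpected version tag: {version!r}")
    parsed = []
    for term in terms:
        letters, qual, mech = TERM.match(term).groups()
        if mech.startswith("$"):
            raise ValueError(f"unknown identity letter in {term!r}")
        if letters and qual is None:
            # Assumption: without a qualifier, "$emx" could mean e+mx or
            # em+x, so a scoped term must carry an explicit qualifier.
            raise ValueError(f"scoped term needs a qualifier: {term!r}")
        # Assumption: a term with no "$" prefix applies to every identity.
        scopes = frozenset(SCOPES[c] for c in (letters or SCOPES))
        parsed.append((scopes, QUALIFIERS[qual or "+"], mech))
    return parsed


def terms_for(parsed, identity):
    """Mechanisms a checker would evaluate, in order, for one identity."""
    return [(res, mech) for scopes, res, mech in parsed if identity in scopes]


if __name__ == "__main__":
    # First example record from the message.
    rec = "v=spf2 $sm?a/24 $p+ip4:192.168.0.0/16 $e+ptr $p~all -all"
    for name in SCOPES.values():
        print(name, terms_for(parse_scoped_record(rec), name))
```

Because SPF mechanism names themselves start with letters such as `m` and `p`, the qualifier is the only thing separating scope letters from the mechanism in this form, which is why the sketch rejects scoped terms that omit it.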


