Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
Could you define what you view to be forgery?
http://www.ietf.org/internet-drafts/draft-irtf-asrg-lmap-discussion-01.txt
...
2.1. Unauthorized use of a domain name as "forgery"
In the context of LMAP, SMTP "forgery" is defined as:
SMTP Forgery: Use of a domain name in the argument fields of
SMTP EHLO/HELO and/or SMTP MAIL FROM, by an SMTP client, when
the owner of the domain name did not consent to that use of
their name.
...
Listing services are often more robust than a typical DNS server.
If a DNS server holding MARID information isn't robust, then it will
most likely also fail for MX records, in addition to MARID records.
I don't see how "robustness" matters more for DNS when it contains
MARID records than when it doesn't. Sure, more records are being
looked up in DNS, but many MTA's already do MX lookups when receiving
mail "from" a domain, in an attempt to implicitly discover the domain
owners intent, even when there's no standard saying that they should
do this.
The nature of a listing service returns a single record in response
to a single query. Do you see this model being changed with
Sender-ID?
This is explained in:
http://www.ietf.org/internet-drafts/draft-ietf-marid-core-01.txt
My reading indicates that multiple DNS queries may be performed to
discover the location of one record, but the intention of the draft
appears to be that records should often be obtained via one query.
The information in the record may indicate that other DNS queries
may be performed (e.g. MX). Again, do you read the draft as saying
otherwise?
Many MTA's already do multiple DNSBL lookups. Do you see that
multiple DNSBL lookups by an MTA are substantially different/better
than one MARID record, possibly requiring multiple lookups? Do you
see that MX lookups by existing MTA's are substantially
different/better than one MARID record, possibly requiring multiple
lookups?
DNS routing information is normally obtained at a connection rate as are
queries to listing services.
I'm not sure what you mean by that. I'm not even sure I can parse
that sentence properly.
To take a wild guess, MARID lookups happen only when there are SMTP
connections, therefore any lookups happen at a similar "connection
rate" as queries to listing services. The constant may be different,
but the dependency on connections is the same.
Or, do you see Sender-ID as having an amplification problem? e.g.
If MARID queries increased super-linearly with the number of
connections. If so, it would be a serious flaw in the proposal.
Since the distribution of SMTP traffic to/from most sites is
non-linear across domains, and DNS information is cached, I would
expect that MARID queries would increase linearly with the number of
unique domains used in SMTP conversations, but (often) sub-linearly
with the total number of SMTP connections.
Isn't the information for Sender-ID obtained at a much higher than
these routing functions you compare it to?
... much higher... what? There's a word missing.
I *think* you're saying that Sender-ID requires more lookups than
are currently required. This isn't news. For details as to the cost
of these lookups, see the list archives. They contain posts from
others with quantitative summaries, describing the extra DNS costs of
MARID, and concluding that those costs are minimal.
Alan DeKok.