
Re: MX Domain Name --> Was Re: Some Ideas I would like to Bounce off ya

2004-02-12 03:13:07
On Thu, 12 Feb 2004 04:33:42 EST, Hector Santos said:

> I'll wait until you have implemented SPF into your SMTP software or script
> or whatever and then when you see the overhead, then maybe^H^H^H^H^HMAYBE
> you'll be more enlightened to the situation.

There's a bunch of things in SPF that look to be a total crock
performance-wise, in particular the 'include', 'redirect', and 'exp' methods.

It may indeed be possible to recast these as MX entries.  But so far,
you haven't shown anything remotely workable.  Let's look at the worst case
for the AOL entry:

1) We need to do 1 DNS query when they connect to get the TXT record.
If one of the ip4: headers matches, we're done.

2) If none match, we're doing 1 PTR lookup.

That's it.  Two queries.  The only way you can do any better is by getting
it down to a single query - and given the constraints of the MX format,
what you're basically doing is a RBL whitelist (think about it).

> hmmm, let's see if they have it implemented yet....NOPE.   That means I can't
> add it to my server-side list of SPF supported domains yet.   Again, it's only
> good for local^H^H^H^H^HLOCAL Domains.

You seem to be very confused about who publishes an SPF record, and for
whose consumption.  You don't need to keep a server-side list, *that's the
reason for the TXT record*.  You check it when you get an inbound connection
that claims to be 'MAIL FROM:<..@AOL.COM>'.  AOL provides that data for
your benefit.  They probably aren't checking SPF records themselves at
the moment (they ran a weekend-long test recently), mostly due to the
lack of domains supporting it.

But you'd not detect that until *your* site tried to send mail *to* AOL.
At which point they'd just try to look up your SPF record, which either
is or isn't in the DNS.  If you're adding them to a list, you're doing
something very stupid and anti-SPF - only publishing the SPF data to
sites known to check for it is a big disincentive for other sites to
start checking.  If you want to publish SPF, just put the damned thing
in the DNS and be done with it.  You have better things to do than
go through the 40 million .COMs and add them each to your server-side
list of things that check for SPF records (unless you're trying to
re-invent the X.400 concept of ADMD/PRMD, in which case I'll quote
Randy Bush and invite you to design your network that way ;)

It certainly looks implemented from here:

% dig aol.com txt

; <<>> DiG 9.2.3 <<>> aol.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20101
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;aol.com.                       IN      TXT

;; ANSWER SECTION:
aol.com.                300     IN      TXT     "v=spf1 ip4:152.163.225.0/24 
ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 
ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 
ip4:64.12.138.0/24 ptr:mx.aol.com ?all"

;; AUTHORITY SECTION:
aol.com.                2652    IN      NS      dns-07.ns.aol.com.
aol.com.                2652    IN      NS      dns-01.ns.aol.com.
aol.com.                2652    IN      NS      dns-02.ns.aol.com.
aol.com.                2652    IN      NS      dns-06.ns.aol.com.

;; ADDITIONAL SECTION:
dns-07.ns.aol.com.      1386    IN      A       64.12.51.132
dns-01.ns.aol.com.      3237    IN      A       152.163.159.232
dns-02.ns.aol.com.      2722    IN      A       205.188.157.232
dns-06.ns.aol.com.      3190    IN      A       149.174.211.8

http://spf.pobox.com/ lists aol.com as publishing it as well.
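As an added illustration (not part of the thread), a minimal SPF check_host in Python that evaluates the aol.com record quoted above against a connecting IP and counts the DNS queries the message describes: one TXT query on connect, then one PTR query only if no ip4: mechanism matched. Only the ip4, ptr and all mechanisms are implemented since that is all the aol.com record uses; the resolver lookups are injected as functions backed by constructed tables so it runs offline, and the hostnames and addresses in those tables are made up.

```python
import ipaddress

# The aol.com record copied from the dig output above.
AOL_SPF = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 "
           "ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 "
           "ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt, ptr, a):
    """Evaluate domain's SPF record for connecting address ip; returns (result, queries).
    txt(domain) -> TXT string or None, ptr(ip) -> reverse names, a(name) -> addresses."""
    queries = 1                                  # the TXT query on connect
    record = txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", queries
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":                        # no DNS cost: compare against the CIDR
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":                      # reached only when no ip4 term matched
            target = arg or domain
            queries += 1                         # the single PTR query the message counts
            matched = False
            for name in ptr(ip):
                queries += 1                     # forward lookup validates each PTR name
                if ip in a(name) and (name == target or name.endswith("." + target)):
                    matched = True
                    break
        elif mech == "all":
            matched = True
        else:
            raise NotImplementedError(f"mechanism {mech!r} is not part of this example")
        if matched:
            return QUALIFIERS[qualifier], queries
    return "neutral", queries                    # no term matched and no 'all' present

# Constructed resolver tables standing in for real DNS (hostnames and IPs are made up).
FAKE_TXT = {"aol.com": AOL_SPF}
FAKE_PTR = {"10.0.0.5": ["relay.mx.aol.com"], "10.0.0.9": ["host.example.net"]}
FAKE_A = {"relay.mx.aol.com": ["10.0.0.5"], "host.example.net": ["10.0.0.9"]}

def check_aol(ip):
    """Run check_host for a connection claiming MAIL FROM at aol.com, using the fake tables."""
    return check_host(ip, "aol.com", FAKE_TXT.get,
                      lambda i: FAKE_PTR.get(i, []), lambda n: FAKE_A.get(n, []))
```

Note that the ptr mechanism also needs a forward lookup to validate each reverse name, so a ptr match costs more than the single PTR query counted in the message; an address matching an ip4: term still costs exactly one query.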

