At 08:27 PM 5/17/2005 -0400, Valdis.Kletnieks@vt.edu wrote:
On Tue, 17 May 2005 16:42:27 PDT, David MacQuigg said:
Re-inserting the previous paragraph for context:
The ID declaration is independent of the method, because we defer selection
of the method until the next step, which is the DNS query. The response to
that query tells you what methods the ID offers for authentication, and
each method may place additional restrictions on other identities in the email.
For example, let's say you get an email like this:
EHLO mailserver7.bigforwarder.com
ID bigforwarder.com
MAIL FROM:<bob@sales.some-company.com>
>
> Checking the TXT record at _AUTH.bigforwarder.com.ID-check.net gets a response:
>
> svc=S1:A,M2:A,H1+:B dmn=QR1,SPF1+5,DK2
> QR1=ip4:?170(24.30.23;24.28.200;24.28.204;24.30.18;24.93.47;24.25.9),
> +4(65.24.5.120;24.94.166.28;24.29.109.84;66.75.162.68;24.24.2.12)
> DK2=dk:MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5
> o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7
> EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
>
> The supported methods are QR1, SPF1, and DK2. QR1 makes no demands on any
> other identities. It just says "Any IP outside these blocks is not
> us." SPF1 requires that either the MAIL FROM or the HELO identity match
> the declared Identity, and DK2 calls for a signature check using the public
> key provided in this record.
You're *still* missing the point. All you've done is pushed it into a *huge* DNS
record. Or multiple huge DNS entries, more likely.
That record is 349 bytes, well within the 512-byte DNS packet size. The
cost is measured in DNS queries, not number of bytes. We minimize that
cost by packing as much as possible into one record, putting simple methods
like QR1 first, and in general trying to make authentications finish with
one or fewer queries. Fewer happens when you can use the same record for
multiple servers, thus making the local cache effective.
Before we get too far off track, let's recall the question - How can we
have a neutral ID Declaration, when the different authentication methods
expect different fields in an email to be the ID? Have I answered that
question? Do you understand how having an ID declaration avoids multiple
queries, "hunting" for DNS records?
I added the detail above, just to illustrate the answer, not to start a new
argument on DNS record formats. It is very frustrating to answer a
question three times and not be sure if the answers were understood.
Describe how to configure this to support the following:
1) 3 domains test1.com through test3.com, which could each be sourced from
either mail-out.testN.com or bigforwarder.com. Test1.com and test2.com
support SPF, test3.com doesn't.
In addition, test1 and test3 support your AUTH scheme, but test2.com doesn't.
2) In addition, bigforwarder.com is the only host for test4.net through
test6.net, each of which has a separate DomainKey.
How many _AUTH entries did you need here?
OK. That too simple?
Describe how to do it for Postini or Comcast.
The record above was for a really huge domain, rr.com. I'll be happy to
discuss with you the proposal for DNS authentication records, but first,
let me know that you have read the proposal. purl.net/macquigg/email -
draft-macquigg-authent-dns. Also, the namedroppers list might be a better
forum for that discussion.
--
Dave
************************************************************
* David MacQuigg, PhD          email: david_macquigg at yahoo.com
* IC Design Engineer           phone: USA 520-721-4583
* Analog Design Methodologies
* 9320 East Mikelyn Lane
* VRS Consulting, P.C.         Tucson, Arizona 85710
************************************************************
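The _AUTH record quoted in this thread, reassembled and checked as an added example (my code, not David's draft and not anything posted in the thread): it splits the value into the 255-octet strings a TXT record is built from, lists the methods advertised in dmn=, and checks an IP against the QR1 blocks. The way the record lines are joined, the /24 reading of 3-octet entries, and the SPF-style meaning of '?' and '+' are assumptions.

```python
import ipaddress
import re

# The _AUTH record quoted in the thread, reassembled into one TXT value.
# Assumption: lines are joined with single spaces (the trailing "," joins the two QR1 groups).
AUTH_RECORD = (
    "svc=S1:A,M2:A,H1+:B dmn=QR1,SPF1+5,DK2 "
    "QR1=ip4:?170(24.30.23;24.28.200;24.28.204;24.30.18;24.93.47;24.25.9),"
    "+4(65.24.5.120;24.94.166.28;24.29.109.84;66.75.162.68;24.24.2.12) "
    "DK2=dk:MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5"
    "o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7"
    "EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"
)

def txt_strings(record, limit=255):
    """Split TXT RDATA into <character-string>s of at most `limit` octets (RFC 1035).
    A 349-byte value fits one 512-byte UDP answer but still needs two strings."""
    data = record.encode("ascii")
    return [data[i:i + limit] for i in range(0, len(data), limit)]

def methods(record):
    """Method names advertised in dmn=, with any '+N' suffix (e.g. SPF1+5) stripped."""
    m = re.search(r"\bdmn=(\S+)", record)
    return [re.sub(r"\+\d+$", "", x) for x in m.group(1).split(",")] if m else []

def qr1_groups(record):
    """Parse QR1=ip4:<qual><n>(addr;...),... into (qualifier, [networks]).
    Assumptions: 3-octet entries are /24 blocks, 4-octet entries single hosts,
    and the number after the qualifier is not interpreted."""
    m = re.search(r"\bQR1=ip4:(\S+)", record)
    groups = []
    for qual, body in re.findall(r"([?+~-])\d*\(([^)]*)\)", m.group(1) if m else ""):
        nets = [ipaddress.ip_network(e + (".0/24" if e.count(".") == 2 else "/32"))
                for e in body.split(";")]
        groups.append((qual, nets))
    return groups

def qr1_check(record, ip):
    """Qualifier of the first QR1 group containing ip, or 'fail' when none does
    ("any IP outside these blocks is not us"); '?'/'+' read SPF-style (assumption)."""
    addr = ipaddress.ip_address(ip)
    for qual, nets in qr1_groups(record):
        if any(addr in n for n in nets):
            return qual
    return "fail"
```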