
Re: Options for the ID Command

2005-05-17 18:25:39

At 08:27 PM 5/17/2005 -0400, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
On Tue, 17 May 2005 16:42:27 PDT, David MacQuigg said:

Re-inserting the previous paragraph for context:

The ID declaration is independent of the method, because we defer selection of the method until the next step, which is the DNS query. The response to that query tells you what methods the ID offers for authentication, and each method may place additional restrictions on other identities in the email.

For example, let's say you get an email like this:

   MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com>
> Checking the TXT record at gets a response:
>     svc=S1:A,M2:A,H1+:B  dmn=QR1,SPF1+5,DK2
>     QR1=ip4:?170(24.30.23;24.28.200;24.28.204;24.30.18;24.93.47;24.25.9),
>       +4(;;;;
>       o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7
>       EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
> The supported methods are QR1, SPF1, and DK2.  QR1 makes no demands on any
> other identities.  It just says "Any IP outside these blocks is not
> us."  SPF1 requires that either the MAIL FROM or the HELO identity match
> the declared Identity, and DK2 calls for a signature check using the public
> key provided in this record.

You're *still* missing the point. All you've done is pushed it into a *huge* DNS
record.  Or multiple huge DNS entries, more likely.

That record is 349 bytes, well within the 512-byte DNS packet size. The cost is measured in DNS queries, not number of bytes. We minimize that cost by packing as much as possible into one record, putting simple methods like QR1 first, and in general trying to make authentications finish with one or fewer queries. Fewer happens when you can use the same record for multiple servers, thus making the local cache effective.

Before we get too far off track, let's recall the question - How can we have a neutral ID Declaration, when the different authentication methods expect different fields in an email to be the ID? Have I answered that question? Do you understand how having an ID declaration avoids multiple queries, "hunting" for DNS records?

I added the detail above, just to illustrate the answer, not to start a new argument on DNS record formats. It is very frustrating to answer a question three times and not be sure if the answers were understood.

Describe how to configure this to support the following:

1) 3 domains through, which could each be sourced from
either or and support SPF, doesn't.
In addition, test1 and test3 support your AUTH scheme, but doesn't.

2) In addition, is the only host for through, each
of which has a separate DomainKey.

How many _AUTH entries did you need here?

OK. That too simple?

Describe how to do it for Postini or Comcast.

The record above was for a really huge domain. I'll be happy to discuss with you the proposal for DNS authentication records, but first, let me know that you have read the proposal (draft-macquigg-authent-dns). Also, the namedroppers list might be a better forum for that discussion.

David MacQuigg, PhD            email: david_macquigg at
IC Design Engineer             phone: USA 520-721-4583
Analog Design Methodologies
VRS Consulting, P.C.           9320 East Mikelyn Lane, Tucson, Arizona 85710
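The single-record argument above, as an added example that is not part of this thread or of draft-macquigg-authent-dns: a receiver fetches one TXT record, reads the `dmn=` method list in the domain's declared order, tries the first method it implements, and checks that the whole record still fits the classic 512-byte UDP DNS reply. The key=value, whitespace-separated token syntax and the treatment of suffixes such as `+5` as opaque are assumptions made here; the sample record is constructed and shortened, with the key material replaced by a placeholder.

```python
import re

TXT_STRING_MAX = 255   # RFC 1035: each <character-string> in TXT RDATA holds at most 255 bytes
DNS_UDP_MAX = 512      # classic UDP DNS message limit without EDNS0

# Constructed sample, shortened from the record quoted in the thread (key material replaced).
SAMPLE = ("svc=S1:A,M2:A,H1+:B dmn=QR1,SPF1+5,DK2 "
          "QR1=ip4:?170(24.30.23;24.28.200) DK2=k=rsa;p=PLACEHOLDER")


def parse_record(record):
    """Split the record into key=value declarations (assumed whitespace-separated tokens)."""
    decls = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        decls[key] = value
    return decls


def declared_methods(decls):
    """Methods from the dmn= list in the domain's order; option suffixes like '+5' are dropped."""
    names = [re.match(r"[A-Za-z0-9]*", m).group(0) for m in decls.get("dmn", "").split(",")]
    return [n for n in names if n]


def choose_method(decls, supported):
    """First declared method the receiver implements, or None if there is no overlap.

    The domain's order is its preference, so a cheap method listed first (QR1 in the
    thread's example) is tried before the ones that need more work."""
    for method in declared_methods(decls):
        if method in supported:
            return method
    return None


def txt_strings(record):
    """Split the record into the <=255-byte character-strings a TXT record is carried in."""
    data = record.encode("ascii")
    return [data[i:i + TXT_STRING_MAX] for i in range(0, len(data), TXT_STRING_MAX)]


def rdata_size(record):
    """Wire size of the TXT RDATA: one length byte per character-string plus its bytes."""
    return sum(1 + len(s) for s in txt_strings(record))


def fits_in_udp_reply(record):
    """True when the RDATA alone is under the 512-byte limit (headers not counted here)."""
    return rdata_size(record) < DNS_UDP_MAX
```

A 349-byte record such as the one quoted above is carried as two character-strings (255 + 94 bytes), so a resolver still gets it in one unfragmented UDP reply.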
