ietf-smtp

Re: Options for the ID Command

2005-05-17 19:24:03

At 09:47 PM 5/17/2005 -0400, Valdis.Kletnieks@vt.edu wrote:

On Tue, 17 May 2005 18:25:03 PDT, David MacQuigg said:

> Before we get too far off track, let's recall the question - How can we
> have a neutral ID Declaration, when the different authentication methods
> expect different fields in an email to be the ID?

Exactly the problem you're failing to solve.

> Have I answered that question?

No, you haven't.

We seem to be at an impasse. There is some difference between your understanding of the situation and mine, and I have no idea what that difference is. Maybe someone else can jump in at this point.

> Do you understand how having an ID declaration avoids multiple
> queries, "hunting" for DNS records?

Nope. In fact, you just made me make *another* lookup to find out that you
support SPF.  I'll still have to do the SPF queries.

Only if all your SPF parameters don't fit in the _AUTH record. Normally, that record would provide everything you need to authenticate a transfer.

Do you understand what I mean by "hunting"?  Back to our previous exchange:

On Tue, 17 May 2005 02:08:44 PDT, David MacQuigg said:

>        EHLO  mailserver7.bigforwarder.com
>        MAIL FROM:<bob@sales.some-company.com>
>
> What do you do next?

*I* get to decide that. If I wish to do SPF checks, I perform the required SPF
checks.  If I wish to check a Yahoo-style signature, I do that. And so on.

You will waste a bunch of DNS queries and possibly conclude this message offers no authentication. For each possible Identity (mailserver7.bigforwarder.com, bigforwarder.com, sales.some-company.com, some-company.com) you need to search every possible location for DNS records (<Identity>, _client._smtp.<Identity>, ...), and we still haven't searched all the header identities.

Do you understand what I am saying here?

< end of discussion on ID command >
< start of separate discussion on proposed DNS records >

Listing the DK2 under the _AUTH is *broken* - that's something you *really*
need to go back to the DNS *of the domain* to fetch. "Here - verify this
purported domain using the key that's stashed someplace under my control, not
someplace under the control of the purported domain".

The only records we trust are the ones in the Registry. The Registry gets its information on ratings from the rating services, and its information on authentication methods from the domain owner. It is not normally necessary to make a separate query to the domain.

"Here's some PGP-signed stuff from President Bush. To prove it, I've appended
his public key. Honest! It's really his!" :)

Read the proposal.

> The record above was for a really huge domain, rr.com.  I'll be happy to
> discuss with you the proposal for DNS authentication records, but first,
> let me know that you have read the proposal.

I'm glad it works for your tiny, non-complicated domain that only sources
RR.COM and only from 11 addresses. Let me know what the DK2 would look like
if those 11 outbound servers *also* hosted e-mail for 10K domains each
(remember - they probably need separate DK entries for each hosted domain...)

The record for rr.com includes 6 blocks of 170 IPs and 5 blocks of 4 each. Read the proposal.

--
Dave
************************************************************     *
* David MacQuigg, PhD     email: david_macquigg at yahoo.com     *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                 9320 East Mikelyn Lane       * * *
* VRS Consulting, P.C.            Tucson, Arizona 85710          *
************************************************************     *
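The "hunting" cost argued over above, as an added example that is not part of the thread: it enumerates the DNS names a receiver would have to probe for the EHLO and MAIL FROM identities from the earlier exchange, versus one lookup under a declared identity. The record locations other than _client._smtp, and the _auth name, are assumptions made for illustration.

```python
# Added example, not from the mailing-list thread: how many DNS names a
# receiver ends up "hunting" through when no ID declaration tells it which
# identity and which authentication method to check.

# Locations a receiver might have to probe for each candidate identity.
# "_client._smtp" is the one named in the message; the others are assumed
# placeholders standing in for the "..." in the message.
LOCATIONS = ["{id}", "_client._smtp.{id}", "_spf.{id}", "_domainkey.{id}"]


def parent_domains(name, min_labels=2):
    """Return a host name and each parent domain down to min_labels labels."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def candidate_identities(ehlo, mail_from):
    """Identities a receiver could try: the EHLO host, the MAIL FROM domain,
    and the parents of each, in first-seen order without duplicates."""
    mail_domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    seen = []
    for name in parent_domains(ehlo) + parent_domains(mail_domain):
        if name not in seen:
            seen.append(name)
    return seen


def hunting_queries(ehlo, mail_from, locations=LOCATIONS):
    """Every DNS name the receiver would have to look up without a declaration."""
    return [
        loc.format(id=ident)
        for ident in candidate_identities(ehlo, mail_from)
        for loc in locations
    ]


def declared_query(identity):
    """With a declaration, one lookup under the declared identity.
    The "_auth." prefix is an assumption, not the proposal's actual name."""
    return f"_auth.{identity.lower()}"


if __name__ == "__main__":
    # Constructed sample envelope, taken from the exchange in the message.
    ehlo, mail_from = "mailserver7.bigforwarder.com", "<bob@sales.some-company.com>"
    hunting = hunting_queries(ehlo, mail_from)
    print(f"hunting: {len(hunting)} lookups; declared: 1 ({declared_query(ehlo)})")
```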


