Re: I-D Action:draft-klensin-rfc2821bis-10.txt
2008-04-25 12:37:38
On Apr 24, 2008, at 7:30 PM, Hector Santos wrote:
Robert A. Rosenberg wrote:
Well, an explicit MX does not resolve this problem of a response
address not being reachable.
You said that "validdomin.com" is a valid domain so attempts to
send to the no-reply address will get to the SMTP server supporting
validdomin.com which will then send a "No Such User" reply (which
in my book qualifies as reachable since the message to no-reply WAS
delivered to the SMTP Server (but then rejected).
My overall point, in so many words, was that mandating an MX record
requirement is meaningless IF the GOAL of the mandate is to thwart
bad guys.
Bad-actors run an overwhelming majority of SMTP clients. If or when
IPv6 is introduced, IP addresses will quickly become less useful in
defending against a rising level of SMTP exploitation. Name mismatch
must be tolerated in reverse zone due to PTR set limitations.
Administrative errors often found within the reverse zone and the
added number of labels for IPv6 ensure checking reverse names will
remain burdensome. Names found in the reverse zone are often used
only to make guesses about the nature of the related address. These
guesses are based upon inconsistent and non-standardized conventions,
especially for classless delegations. Within the forward zone, unlike
address records, MX records exclusively support the SMTP service.
Unless a domain offers clear indications of supporting SMTP by
publishing discovery records, recipients should forgo other validation
checks.
Some expect hosts to publish bogus MX records to "opt-out" and avoid
what might become a significant amount of undesired traffic related to
SMTP service, signatures, and policy validations. Of course, an
equitable solution would be to require valid MX records for those
supporting SMTP and SMTP extensions, where upon not finding an MX
record would indicate the extension is not supported. Without at
least an A record, SMTP itself is not supported.
Policy assertions may assist in mitigating some exploitation. Rather
than flooding name space with synthesized policy records, policy
should be published in conjunction with the discovery records for the
specific service. While many may dismiss a concern about the
application of policy scaling, policy tactics should be expected to
evolve. A means to scale policy must be established. Policy can
scale when published only in conjunction with explicit discovery
records.
Clearly, what does not scale and what would be most unfair is to
expect every host to publish bogus discovery records for all
problematic public message exchange protocols. It is not about
thwarting bad guys, it is about mitigating undesired traffic for those
not involved with the problematic protocol.
-Doug
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, (continued)
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Peter J. Holzer
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Robert A. Rosenberg
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Hector Santos
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Arnt Gulbrandsen
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Hector Santos
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Paul Smith
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Hector Santos
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt,
Douglas Otis <=
- Message not available
- IPv6 considerations (was: I-D Action:draft-klensin-rfc2821bis-10.txt), Frank Ellermann
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Lisa Dusseault
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Keith Moore
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Hector Santos
- Sheep look up (was: I-D Action:draft-klensin-rfc2821bis-10.txt), Frank Ellermann
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Robert A. Rosenberg
- Re: I-D Action:draft-klensin-rfc2821bis-10.txt, Hector Santos
- Block IPv6-only at the border (was: I-D Action:draft-klensin-rfc2821bis-10.txt), Frank Ellermann
- Re: Block IPv6-only at the border (was: I-D Action:draft-klensin-rfc2821bis-10.txt), Sabahattin Gucukoglu
- Re: Block IPv6-only at the border (was: I-D Action:draft-klensin-rfc2821bis-10.txt), John C Klensin
|
|
|