On 05/22/2014 12:50 PM, John R Levine wrote:
> so how is the server to know which DNS domains it should trust?
> Trusting every DNS domain that references the server makes no sense
> because anybody can reference your server in their DNS domain. So at
> a minimum the application server needs to know which DNS domains to
> trust.
Yeah, that's one of the reasons I think it's a bad idea. If we had
something like CLONE that flipped the direction of the pointer so the
canonical name controlled what its aliases were, it might be a slightly
less bad idea.
Having DNS dictate the behavior of applications is one of those
perpetually recurring Bad Ideas that needs to be soundly defeated. I
wish I could understand why anyone thinks it makes sense.
(Maybe there's some psychology in effect here - the DNS records are
simple and publicly visible, the application configuration is rarely
simple and not publicly visible, so whenever people see that the two are
out-of-sync, people somehow assume that the DNS is right? As far as I
have been able to tell, it's actually slightly more probable that it's
the DNS that is wrong - again, because the DNS administrators tend to be
at some distance from the people who actually run the applications.)
I do think it makes sense for applications to be able to check DNS to
make sure that the DNS configuration matches the application
configuration. Even better would be to let the application update DNS
- but that would require DNS servers to have fine-grained authentication
and ACLs.
Keith
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
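As an added illustration of the two points made in this exchange (the server must decide from its own configuration which domains to trust, and the application can still check that DNS agrees with that configuration), here is a small Python checker. It is not code from the thread or from any IETF project; the `AppConfig` class, the `FAKE_DNS` records and the `lookup_mx` resolver hook are constructed for the example so it runs offline (a real deployment would plug in an actual resolver).

```python
"""Check that DNS agrees with an application's own configuration.

Added example, not code from the mailing-list thread: a mail server knows
from its own configuration which domains it accepts mail for and which
hostname its MX records should name.  It checks DNS against that
configuration rather than letting DNS dictate behaviour.  A domain whose
MX points at this server but which is not configured is reported, never
trusted.
"""
from dataclasses import dataclass


@dataclass
class AppConfig:
    my_hostname: str          # hostname our MX records should name
    trusted_domains: set[str] # domains we have agreed to handle mail for


# Constructed DNS snapshot for the example: domain -> [(preference, exchange)]
FAKE_DNS = {
    "example.org": [(10, "mx.example.net.")],       # configured, matches
    "example.com": [(10, "mx.other.example.")],     # configured, wrong MX
    "stale.example": [],                            # configured, no MX at all
    "squatter.example": [(5, "mx.example.net.")],   # NOT configured, points at us
}


def lookup_mx(domain: str) -> list[tuple[int, str]]:
    """Hypothetical resolver hook; returns MX records for `domain` offline."""
    return FAKE_DNS.get(domain, [])


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot for comparison."""
    return name.rstrip(".").lower()


def check_config_against_dns(cfg: AppConfig, lookup=lookup_mx) -> dict[str, str]:
    """Return domain -> status for every configured domain.

    'ok'        the MX set names our hostname
    'mismatch'  the MX set names something else (DNS or config is wrong)
    'missing'   no MX records at all
    """
    report = {}
    for domain in sorted(cfg.trusted_domains):
        exchanges = {normalize(x) for _, x in lookup(domain)}
        if not exchanges:
            report[domain] = "missing"
        elif normalize(cfg.my_hostname) in exchanges:
            report[domain] = "ok"
        else:
            report[domain] = "mismatch"
    return report


def should_accept_for(cfg: AppConfig, domain: str) -> bool:
    """The trust decision comes from configuration, never from DNS alone."""
    return normalize(domain) in {normalize(d) for d in cfg.trusted_domains}


def find_unconfigured_referrers(cfg: AppConfig, candidates, lookup=lookup_mx) -> list[str]:
    """Domains whose MX names our host although we never agreed to serve them."""
    me = normalize(cfg.my_hostname)
    return sorted(
        d for d in candidates
        if not should_accept_for(cfg, d)
        and me in {normalize(x) for _, x in lookup(d)}
    )


if __name__ == "__main__":
    cfg = AppConfig("mx.example.net", {"example.org", "example.com", "stale.example"})
    for dom, status in check_config_against_dns(cfg).items():
        print(f"{dom}: {status}")
    print("unconfigured referrers:", find_unconfigured_referrers(cfg, FAKE_DNS))
```

The two directions are kept separate on purpose: `should_accept_for` consults only the configuration, while `check_config_against_dns` and `find_unconfigured_referrers` are monitoring aids that flag where DNS and configuration disagree so an operator can decide which side is wrong.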