
Re: [ietf-smtp] Is this a new bad i18n idea?

2014-05-22 13:28:12
> On 05/22/2014 12:50 PM, John R Levine wrote:
>>> so how is the server to know which DNS domains it should trust?
>>> Trusting every DNS domain that references the server makes no sense
>>> because anybody can reference your server in their DNS domain.  So at
>>> a minimum the application server needs to know which DNS domains to
>>> trust.
>>
>> Yeah, that's one of the reasons I think it's a bad idea.  If we had
>> something like CLONE that flipped the direction of the pointer so the
>> canonical name controlled what its aliases were, it might be a slightly
>> less bad idea.
>
> Having DNS dictate the behavior of applications is one of those
> perpetually recurring Bad Ideas that needs to be soundly defeated. I
> wish I could understand why anyone thinks it makes sense.
>
> (Maybe there's some psychology in effect here - the DNS records are
> simple and publicly visible, the application configuration is rarely
> simple and not publicly visible, so whenever people see that the two are
> out-of-sync, people somehow assume that the DNS is right?   As far as I
> have been able to tell, it's actually slightly more probable that it's
> the DNS that is wrong - again, because the DNS administrators tend to be
> at some distance from the people who actually run the applications.)

This, if anything, understates the problem. It's actually pretty common
for the DNS admins to be in a different part of the org and for coordination
processes to be overly onerous, usually due to political turf-grabbing.

You'd think that such ring-tailed idiocy would not be tolerated when there
are lots of domains involved, but it often is.

You also run into other types of name-related lunacy like, "Due to the
tremendous and ongoing shortage of alphanumeric labels, you must place all your
host names in the same namespace as your external domains." Or, "I read the
Earthsea trilogy while stoned and therefore believe that knowledge of a name
confers power over what it names, so none of these names can be exposed in
message headers."

> I do think it makes sense for applications to be able to check DNS to
> make sure that the DNS configuration matches the application
> configuration.

Yep. Sites with lots of domains do this routinely.

> Even better would be to let the application update DNS
> - but that would require DNS servers to have fine-grained authentication
> and ACLs.

In my experience it's sometimes done by generating sections of zone files from
the directory or whatever, which then get fed through some sort of automated
update process.

                                Ned
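The consistency check discussed in the thread (the application verifying that DNS agrees with its own domain configuration, and refusing to trust a domain merely because its DNS happens to reference the server), as an added example that is not part of the original post or any list member's code. The application configuration, the MX answers and the domain names are all constructed; the resolver is an injected function so the script runs offline, and in production you would pass in a wrapper around a real resolver such as dnspython's `dns.resolver.resolve(name, "MX")`.

```python
"""Cross-check an application's mail-domain configuration against DNS.

Added example, not from the original thread.  The application knows which
domains it serves and which MX hosts should front them; the check compares
the MX set DNS publishes for each configured domain with what the application
expects and reports drift in either direction.  The lookup function is
injected so the script runs offline against a constructed DNS snapshot.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# Constructed application configuration: domain -> MX hosts the app expects.
APP_CONFIG: Dict[str, Set[str]] = {
    "example.com": {"mx1.example.com.", "mx2.example.com."},
    "example.org": {"mx1.example.com.", "mx2.example.com."},
    "example.net": {"mx1.example.com.", "mx2.example.com."},
    "example.info": {"mx1.example.com."},
}

# Constructed DNS snapshot standing in for live MX answers (domain -> exchanges).
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["MX1.example.com.", "mx2.example.com"],  # case/trailing dot differ, same hosts
    "example.org": ["mx1.example.com."],                     # mx2 was dropped from the zone
    "example.net": ["mail.hoster.invalid."],                 # zone points somewhere else entirely
    "example.edu": ["mx1.example.com."],                     # references our server, not in our config
    # "example.info" has no MX at all
}


def fake_lookup(domain: str) -> List[str]:
    """Stand-in resolver: return the MX exchange names published for a domain."""
    return list(FAKE_DNS.get(domain, []))


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them lowercased and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


@dataclass
class DriftReport:
    ok: List[str] = field(default_factory=list)                    # DNS and config agree
    missing: Dict[str, Set[str]] = field(default_factory=dict)     # configured MX absent from DNS
    unexpected: Dict[str, Set[str]] = field(default_factory=dict)  # MX in DNS that config lacks
    unresolved: List[str] = field(default_factory=list)            # no MX answer at all


def check_config_against_dns(config: Dict[str, Set[str]],
                             lookup: Callable[[str], List[str]]) -> DriftReport:
    """The application configuration is the reference; DNS is what gets audited."""
    report = DriftReport()
    for domain in sorted(config):
        expected = {normalize(h) for h in config[domain]}
        observed = {normalize(h) for h in lookup(domain)}
        if not observed:
            report.unresolved.append(domain)
            continue
        if expected - observed:
            report.missing[domain] = expected - observed
        if observed - expected:
            report.unexpected[domain] = observed - expected
        if expected == observed:
            report.ok.append(domain)
    return report


def unconfigured_referrers(candidates: Iterable[str], config: Dict[str, Set[str]],
                           lookup: Callable[[str], List[str]]) -> List[str]:
    """Domains whose MX points at one of our hosts but which the application does
    not serve.  Anyone can publish such a record, so these are surfaced for
    review rather than trusted automatically."""
    our_hosts = {normalize(h) for hosts in config.values() for h in hosts}
    return sorted(d for d in candidates
                  if d not in config
                  and any(normalize(h) in our_hosts for h in lookup(d)))


if __name__ == "__main__":
    report = check_config_against_dns(APP_CONFIG, fake_lookup)
    print("in sync:   ", report.ok)
    print("missing:   ", report.missing)
    print("unexpected:", report.unexpected)
    print("unresolved:", report.unresolved)
    print("referencing us but not configured:",
          unconfigured_referrers(FAKE_DNS.keys(), APP_CONFIG, fake_lookup))
```

The direction of the comparison is the point: the application's list of served domains stays authoritative, DNS is audited against it, and a domain that merely points its MX at the server shows up as something to investigate, not as something the server starts accepting mail for.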

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp