spf-discuss

RE: Why not just use S/MIME or GPG signatures?

2003-10-07 13:56:16
One of the things to remember about DNS is the possibility (probability)
of locally caching previously looked-up info. One of the beauties of DNS
is in fact its distributed caching and relative imperviousness to the
domain's primary and/or secondary DNS server being unavailable/unreachable
periodically.

A policy (in the MTA on the receiving end) might be a choice between a
hard and a soft error message to the sender if DNS can't be resolved and
the cache is old/non-existent - but any domain that you've talked to
recently will have its TXT stuff in your DNS cache anyway, so most mail
will flow in any case.

This means your MTA should be configured to look at the DNS info in
resolv.conf, not conduct its own DNS queries directly to the domain in
question (a needless complication of the software, and non-intuitive).

richard
 
On Tue, 2003-10-07 at 13:36, Dustin Trammell wrote:
But what if the URL referenced in the TXT record is currently
unavailable?  A better solution might be to use the DNS security
extensions, which provide a mechanism for key distribution, or put the
key IN the TXT record, rather than a URL.

Ref: http://www.faqs.org/rfcs/rfc2535.html

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.


-----Original Message-----
From: Matthew [mailto:matthew(_at_)syrah(_dot_)us] 
Sent: Tuesday, October 07, 2003 3:15 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Why not just use S/MIME or GPG signatures?


On Tue, Oct 07, 2003 at 12:10:30AM -0700, Phil Karn wrote:

      2) domain.com uses DNS TXT records to publish the URL from
which its public key(s) can be downloaded.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)
-- 
Richard C. Pitt                 C.E.O. Belcarra Technologies
richard(_at_)belcarra(_dot_)com         direct: 604-644-9265    www.belcarra.com
Embedded Systems Communications Specialists - USB, ATM, LAN/WAN, Wireless
USB for Linux, Windows, MAC OS/X - USBLAN (tm) - drivers for USB mass storage
PGP Fingerprint: BA31 64B9 172D AF08 B174  B5BB 8E36 E56C F46D D371
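Added example, not code from this thread or from the SPF project: a small model of the receiving-MTA behaviour richard describes, a TTL-aware cache for a domain's TXT record that serves an expired entry when the authoritative servers are unreachable and falls back to a hard or soft error only when nothing is cached. The record text, TTL and clock values are constructed; `lookup` stands in for whatever resolver the MTA is configured to use.

```python
import time

HARD = "hard"  # permanent reject (5xx): sender gets a bounce
SOFT = "soft"  # temporary reject (4xx): sender's MTA retries later


class TxtCache:
    """Cache of per-domain TXT answers honouring the DNS TTL."""

    def __init__(self, lookup, on_failure=SOFT, clock=time.time):
        self.lookup = lookup          # lookup(domain) -> (txt, ttl); raises OSError on failure
        self.on_failure = on_failure  # policy when lookup fails and nothing is cached
        self.clock = clock
        self.store = {}               # domain -> (txt, expires_at)

    def get(self, domain):
        """Return (status, txt); status is 'fresh', 'stale', or the failure policy."""
        now = self.clock()
        cached = self.store.get(domain)
        if cached and cached[1] > now:
            return "fresh", cached[0]         # within TTL: no query at all
        try:
            txt, ttl = self.lookup(domain)
        except OSError:
            if cached:
                return "stale", cached[0]     # expired but present: still usable
            return self.on_failure, None      # never seen: policy decides hard/soft
        self.store[domain] = (txt, now + ttl)
        return "fresh", txt


def scenario():
    """Constructed walk-through: fresh hit, cache hit, stale fallback, cold miss."""
    clock = [1000.0]
    answers = {"example.com": ("v=spf1 mx -all", 300)}  # constructed record, 300 s TTL
    queries = []

    def lookup(domain):
        queries.append(domain)
        if domain not in answers:
            raise OSError("name servers unreachable")
        return answers[domain]

    cache = TxtCache(lookup, on_failure=SOFT, clock=lambda: clock[0])
    first = cache.get("example.com")           # ('fresh', ...): one real query
    clock[0] += 100
    second = cache.get("example.com")          # ('fresh', ...): served from cache
    clock[0] += 300                            # TTL has now expired
    del answers["example.com"]                 # domain's DNS becomes unreachable
    third = cache.get("example.com")           # ('stale', ...): old answer reused
    fourth = cache.get("never-seen.example")   # ('soft', None): nothing to fall back on
    return first, second, third, fourth, len(queries)
```

Switching `on_failure` to `HARD` changes only the cold-miss case; a domain you have talked to within its TTL never triggers a query, and an expired entry still answers when the lookup fails.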
