
Re: Digest 1.227 for spf-discuss

2004-03-24 16:23:11
At 11:48 AM 3/24/2004 -0500, you wrote:
From: Bob Poortinga <spf(_dot_)10(_dot_)bobp(_at_)antichef(_dot_)net>
Subject: Extending SPF to IN-ADDR.ARPA space
Date: Tue, 23 Mar 2004 20:55:38 -0500

[I did a brief survey of the archives and couldn't find any related]
[discussions.  Pardon me if this has been discussed before.        ]

SPF in its current form implements a method for domain name administrators
to express policy through TXT records in the domain name space.  SPF
could reasonably be extended to express policy for IP space administrators
through TXT records in the IN-ADDR.ARPA name space, e.g:

  1.168.192.in-addr.arpa.    IN   TXT "v=spf1 -all"

would mean that *no* hosts in 192.168.1.0/24 are authorized to initiate SMTP
sessions.  Of course, not all SPF modifiers would be applicable to TXT
records in IN-ADDR.ARPA and some additional modifiers may be necessary
to provide complete policy expression, but I believe that this would be an
excellent method for NSPs and ISPs to publish IP space policy.

To the above zone, one could add:

  1.1.168.192.in-addr.arpa.  IN   TXT "v=spf1 +all"

to allow SMTP from 192.168.1.1 or possibly:

  1.168.192.in-addr.arpa.    IN   TXT "v=spf1 ip4:192.168.1.1 -all"

or

  1.168.192.in-addr.arpa.    IN   TXT "v=spf1 a:smtp.example.com -all"

where smtp.example.com resolves to 192.168.1.1.

BTW, AFAIK, there are no prohibitions against TXT records in IN-ADDR.ARPA.
This is an idea that popped into my head in a reply to the SPAM-L list.
If I'm all wet, pardon the intrusion.

-- 
Bob Poortinga  K9SQL
Technology Service Corp.
Bloomington, Indiana  US
*********************** REPLY SEPARATOR *************************
The idea certainly has merit. As a matter of fact, that is initially how I
thought SPF was going to be implemented. If you point "Lookup" at our DNS
server <server1.yellowhead.com>, set type=any, and query
<5.104.34.207.in-addr.arpa>, you get:

5.104.34.207.in-addr.arpa       name = mail.yellowhead.com
5.104.34.207.in-addr.arpa       text =

        "_smtp_client.yellowhead.com."
        "spf=allow"

That was an interpretation error on my part, but it certainly shows that it
can be done. Unfortunately, I don't know how you would implement that with
a CIDR length. The only way I could do it was with a specific statement for
each reverse address.

As an ISP, it would allow me to have total control over my own address
space (which I really like). It would even get around the problem of broken
forwards. One simple reverse lookup on the sending address would tell the
receiver if the sender is authorized to send mail (period). The domain name
doesn't really matter. If any of my customers want to be able to send mail
directly, they would have to get us to configure the DNS server. NO MORE
UNAUTHORIZED MAIL SERVERS, and no more virus activity that is not properly
routed.

I like it!

J.A. Coutts
Systems Engineer
MantaNet/TravPro
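The lookup proposed in the quoted message, and the CIDR question raised in the reply, as one added example. This is Python written for this page, not code from either poster and not part of any SPF implementation. It assumes a hypothetical rule that the thread does not state: the checker walks the reverse tree from the /32 name up to the /8 name and the most specific "v=spf1" TXT record found is the one that applies. It also uses a constructed dictionary in place of live DNS; a real checker would query a resolver for each name. Sub-octet ranges are expressed the way standard SPF already permits inside a record, as an ip4 term with its own prefix length, so a /28 inside a /24 does not need one record per address.

```python
import ipaddress

# Constructed zone data standing in for the IN-ADDR.ARPA tree (not real DNS).
# The host-level record for 192.168.1.1 overrides the /24 record, as in the
# quoted message; the /24 record carries an ip4 term with a /28 prefix length
# and an a: term; the /8 record for 10.0.0.0/8 forbids all SMTP clients.
REVERSE_TXT = {
    "1.1.168.192.in-addr.arpa.": "v=spf1 +all",
    "1.168.192.in-addr.arpa.":   "v=spf1 ip4:192.168.1.16/28 a:smtp.example.com -all",
    "10.in-addr.arpa.":          "v=spf1 -all",
}

# Constructed forward (A) data for the a: mechanism; hypothetical hostname.
A_RECORDS = {
    "smtp.example.com.": "192.168.1.2",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def reverse_names(ip):
    """Yield the in-addr.arpa names for ip, most specific (/32) first, /8 last.

    Assumption of this example: policy can only be attached at octet
    boundaries (/32, /24, /16, /8); RFC 2317 style classless delegations
    are not handled.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for n in range(4, 0, -1):
        yield ".".join(reversed(octets[:n])) + ".in-addr.arpa."


def find_policy(ip, zone=REVERSE_TXT):
    """Return (name, txt) for the most specific v=spf1 record, or None."""
    for name in reverse_names(ip):
        txt = zone.get(name)
        if txt is not None and txt.split(" ", 1)[0] == "v=spf1":
            return name, txt
    return None


def evaluate(ip, zone=REVERSE_TXT, a_records=A_RECORDS):
    """Evaluate the proposed IP-space policy for a connecting SMTP client.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only all, ip4 and a: are meaningful when the subject is an address rather
    than a domain; anything else is rejected as a permanent error.
    """
    found = find_policy(ip, zone)
    if found is None:
        return "none"
    _, txt = found
    addr = ipaddress.IPv4Address(ip)
    for term in txt.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # strict=False lets a bare address or a host address with a
            # prefix length (192.168.1.16/28) both parse as a network.
            matched = addr in ipaddress.IPv4Network(arg, strict=False)
        elif mech == "a":
            host = arg if arg.endswith(".") else arg + "."
            target = a_records.get(host)
            matched = target is not None and ipaddress.IPv4Address(target) == addr
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    # No term matched and no "all" present: neutral, as in ordinary SPF.
    return "neutral"


if __name__ == "__main__":
    for client in ("192.168.1.1", "192.168.1.2", "192.168.1.20",
                   "192.168.1.40", "10.5.6.7", "172.16.0.1"):
        print(client, evaluate(client))
```

The walk stops at the first v=spf1 record it finds, so a record at a more specific name silently overrides any broader one; an operator publishing a "-all" at the /16 level should check that no stale host-level "+all" records remain below it.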

