spf-discuss

RE: DNS Wildcards Myth #1

2004-08-11 05:46:36

On Sun, 8 Aug 2004, Andriy G. Tereshchenko wrote:

> William Leibzon wrote:
> > [...]
> > And no-one had the idea to put the SPF record at the "spf1"
> > subdomain?!
> >
> > You can't make assumptions like that. What is stopping me
> > from going to a large ISP that provides its customers sites
> > like userid.ispdomain.com for their homepage (a number of them
> > do) and asking for userid "spf1".
>
> Take a read of the archives:
> http://archives.listbox.com/spf-discuss@v2.listbox.com/200407/0200.html
>
> Here is an answer on your userid.ispdomain.com:
> Why is my ISP not willing to create mailboxes root@ispdomain.com,
> postmaster@ispdomain.com, abuse@ispdomain.com for me?
>
> Why is my ISP not willing to delegate me the www.ispdomain.com,
> ns.ispdomain.com, mail.ispdomain.com, ftp.ispdomain.com subdomains?
>
> Because all of these are reserved words. SPFv1 will be reserved too!!

Only somebody who has not read the RFCs and has not run an ISP would
make a statement like that.

First of all, please note that email is not the same as DNS. In fact, while
there is RFC 2142 (http://www.faqs.org/rfcs/rfc2142.html) that specifies
recommendations for email accounts, these accounts are NOT reserved;
they are what should be used for certain roles, as has been established
over the years by common practice. But only one email account is actually
a reserved name that should be followed universally and accepted by all
domains: postmaster@domain.com

Second, there are NO RESERVED SUBDOMAINS at all (except _tcp and _udp
possibly, see more below). The expectation of seeing www.domain.com or
ftp.domain.com is simply that: an expectation per current practice. There
is, however, nothing that says that a website should necessarily be at www;
I could easily advertise and put my main website at web.domain.com or, as
many people do, directly at domain.com. Similarly for ftp or any other service.
However, to help identify the proper domain or subdomain for a certain service, DNS
folks actually created a new record type, SRV, that allows each domain to
specify what the real subdomain and port are that handle that service (see
http://www.faqs.org/rfcs/rfc2782.html). So for example, to specify that
domain.com provides web services at web.domain.com on port 8088, I could use
the DNS record "_http._tcp.domain.com. SRV 0 1 8088 web.domain.com" (although
in practice, web browsers don't yet support checking SRV and I've no idea
when they would, if at all, considering especially that HTTP standards are
handled by the W3 consortium and not by the IETF).

Now as to the reasons why you cannot receive certain usernames from an ISP,
like "root", "ftp", "abuse", etc., it is not usually because they are
reserved but because the ISP has already set them up and is using those accounts
itself. Some ISPs do have a list of reserved names, but each ISP seems to
have created their own list, and most often it's not because of DNS subdomains
(in fact I know several ISPs that have been burned by mischief when they did not
include "NS", "DNS", "DNS1", "NS1" in the reserved names, for example). ISPs
actually don't like modifying those lists, so don't expect that they would
if you tell them to (even in an RFC).

And if you think there are no ISPs that have users "spf" or "spf1", in
fact it's almost certain to exist for any ISP with 10k subscribers or more.
Having run an ISP, I can tell you that 3-letter combinations are quickly
grabbed because they come up as initials, and for many others small
usernames are desired, so adding "1", "2" is often done by automated
programs when the main preferred username is taken. Now think yourself of
being a user that will have to be told his username is now invalid
because some stupid group of geeks decided to reserve that name. Do you
really think that user or his ISP is going to stand and follow this group?

To top it off, it is bad practice to use a reserved service name that
includes a version number. The version is part of the protocol specification and should
be used as part of that service itself, but not as a naming convention for
calling the protocol from outside. That is why, for example, you don't see
"http11" as the name of a service and only see "http".

-- 
William Leibzon
Elan Networks
william@elan.net
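The SRV mechanism William describes above (RFC 2782), as an added example that is not part of the original post: a small Python parser for SRV lines in the master-file form he quotes, followed by the priority/weight target ordering the RFC specifies. The zone lines are constructed sample data, and the function names are my own.

```python
import random
import re

# Constructed sample zone lines (owner [TTL] [IN] SRV priority weight port target);
# they are not from the post, only shaped like the record it quotes.
SAMPLE_ZONE = """
_http._tcp.domain.com.  IN SRV 0  1 8088 web.domain.com.
_http._tcp.domain.com.  IN SRV 0  3 8088 web2.domain.com.
_http._tcp.domain.com.  IN SRV 10 0 80   backup.domain.com.
"""

SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<pri>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv(line):
    """Parse one SRV line; the owner must be _service._proto.name (RFC 2782)."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    labels = m.group("owner").rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("SRV owner must be _service._proto.name: " + m.group("owner"))
    target = m.group("target")
    return {"service": labels[0][1:], "proto": labels[1][1:], "name": ".".join(labels[2:]),
            "priority": int(m.group("pri")), "weight": int(m.group("weight")),
            "port": int(m.group("port")),
            # a target of "." means the service is explicitly not offered here
            "target": "." if target == "." else target.rstrip(".")}

def parse_zone(text):
    return [r for r in map(parse_srv, text.splitlines()) if r]

def order_targets(records, rng=None):
    """Order (target, port) pairs per RFC 2782: lowest priority first; within a
    priority, weighted random selection with weight-0 entries placed at the front."""
    rng = rng or random.Random(0)
    ordered = []
    for pri in sorted({r["priority"] for r in records}):
        group = sorted((r for r in records if r["priority"] == pri),
                       key=lambda r: r["weight"] != 0)
        while group:
            pick = rng.randint(0, sum(r["weight"] for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r["weight"]
                if running >= pick:  # first entry whose running sum reaches the pick
                    ordered.append((group.pop(i)["target"], r["port"]))
                    break
    return ordered

if __name__ == "__main__":
    print(order_targets(parse_zone(SAMPLE_ZONE)))
```

Weight 0 in the priority-10 entry means backup.domain.com is only ever tried after both priority-0 hosts, which is the fallback behaviour the RFC's priority field is for.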
