SPF-compiling DNS Server
2005-03-24 10:03:49
At 08:51 PM 3/23/2005 -0500, Radu wrote:
> <...>
> If DNS servers would include a record compilation function, then it would
> be no problem to have a very low limit for SPF records that are given by
> the authoritative server to queries, and an arbitrary, much higher limit for
> the records that the compiler uses as input.
> <...>
> Thus, the record configured by the zone admin and the record served by the
> server software would be completely different, but equivalent. The former
> would be heavy with convenient A, MX, INCLUDE mechanisms, while the latter
> would be a list of IPs ending in a redirect.
I think the compiling-DNS server idea is brilliant, and it is just the
solution to the DDOS problem described, but only if it is coupled with a
low limit on the checker processing. Otherwise, it's marginally useful.
The version of libspf2 that I am working on will include compile
functionality, and I will also demonstrate a patch to MyDNS that
implements a built-in compiler. I suspect it will be a very simple patch
as the compile function is in the library. Then perhaps others can follow
the example and create patches for other name servers.
If standardization of SPF is some time away (1 year or more), there will
be plenty of transition time for NS servers to be updated. Note that not
all domains will need to update their server, they can simply use
spfcompile and $INCLUDE its output, or just publish records that comply
with the draft. Public NS services that allow users to publish arbitrary
TXT records will likely want to consider updating, in order to offer
maximum convenience to their customers.
This way, the DNS servers are not _required_ to be upgraded. If not
upgraded, the records published through them will have to be cheap. If
updated, the records published through them will be convenient. I think
this will be a good incentive for those who want to publish convenient
records to upgrade, without forcing anyone else to upgrade.
In addition to patches for the various name servers, it would be nice to
have something that could be deployed rapidly, without even stopping a
running DNS server. Then when the new admin needs to update an SPF record
written a year ago by someone who left the company, all he has to do is
download a wizard with a nice user interface, something like mxtoolbox.com.
Take a look at how that website displays the SPF record for pobox.com. We
have a very nice tabular format, with descriptions for each
mechanism. That could be an editable listbox. Then below that we have the
string-formatted record. This is where we could add a warning - too many
lookups, and a link to the Best Practices page. Below the formatted
record, we could display the fully-compiled record, ready to cut-and-paste
into your DNS server. (Or with the proper permissions set up, ready to
"Update Now" with a click of a button.) Maybe we need a warning here too,
in case the compiled record is longer than 512 bytes.
The wizard could also be used from the SPF website without any
download. The user would enter the domain name, and the wizard would load
the existing SPF record, ready to edit. The only limitation would be you
have to cut-and-paste the final result, rather than push an Update Now
button. Admins that do infrequent updates would likely use the web interface.
If we make this nice enough, admins will update their records long before
SPF-doom arrives.
-- Dave
David MacQuigg, PhD           email: dmquigg-spf(_at_)yahoo(_dot_)com
IC Design Engineer            phone: USA 520-721-4583
Analog Design Methodologies   9320 East Mikelyn Lane
VRS Consulting, P.C.          Tucson, Arizona 85710
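The compile step the message describes, as an added illustration that is not code from this thread, from libspf2 or from MyDNS: take a record heavy with a, mx, include and redirect, pre-resolve everything a compiler can pre-resolve, and emit a flat ip4/ip6 list together with the warnings the proposed wizard would display (lookup cost of the published record, TXT string size, fit in a 512-byte UDP reply). The zone data is constructed and held in memory so the example runs offline; the domain names are invented and the addresses come from documentation ranges. The reply-size estimate assumes a single compressed TXT answer without EDNS0.

```python
import re
from ipaddress import ip_network

LOOKUP_LIMIT = 10       # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
TXT_STRING_MAX = 255    # longest single <character-string> inside TXT RDATA
UDP_PAYLOAD_MAX = 512   # DNS-over-UDP message size without EDNS0
LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists"}   # redirect= is counted when followed

# Constructed zone (invented names, RFC 5737 / RFC 3849 addresses): a normal record, one over
# the lookup limit, one too long for a 512-byte UDP reply, and one include loop.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a:mail.example.com include:_spf.provider.example ip4:192.0.2.0/28 -all"],
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.10"],
    ("mx2.example.com", "A"): ["198.51.100.11"],
    ("mail.example.com", "A"): ["203.0.113.5"],
    ("mail.example.com", "AAAA"): ["2001:db8::5"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:203.0.113.64/26 include:_spf2.provider.example ~all"],
    ("_spf2.provider.example", "TXT"): ["v=spf1 ip6:2001:db8:1::/48 -all"],
    ("heavy.example", "TXT"): ["v=spf1 " + " ".join(f"a:h{i}.heavy.example" for i in range(11)) + " -all"],
    ("bulk.example", "TXT"): ["v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40)) + " -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])      # offline stand-in for a DNS query

def spf_record(domain):
    (rec,) = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]  # exactly one, else ValueError
    return rec

def parse_term(raw):
    # '-ip4:192.0.2.0/28' -> ('-', 'ip4', '192.0.2.0', '/28'); 'redirect=x' -> ('+', 'redirect', 'x', '')
    qual, body = (raw[0], raw[1:]) if raw[0] in "+-~?" else ("+", raw)
    m = re.fullmatch(r"([a-z0-9]+)(?:=(.*)|(?::([^/]*))?((?:/\d+)?(?://\d+)?))", body, re.I)
    if not m:
        raise ValueError(f"unparseable SPF term {raw!r}")
    return qual, m.group(1).lower(), m.group(2) or m.group(3) or "", m.group(4) or ""

def cidr_term(addr, prefix):
    net = ip_network(f"{addr}/{prefix}", strict=False)
    return f"ip{net.version}:" + (str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))

def host_terms(name, cidr):
    # A and AAAA records of name as ip4:/ip6: terms, honouring a dual-CIDR suffix such as /24//64
    v4, v6 = re.search(r"(?<!/)/(\d+)", cidr), re.search(r"//(\d+)", cidr)
    terms = [cidr_term(a, int(v4.group(1)) if v4 else 32) for a in lookup(name, "A")]
    return terms + [cidr_term(a, int(v6.group(1)) if v6 else 128) for a in lookup(name, "AAAA")]

def _flatten(domain, state, path):
    # [(qualifier, term)] with only ip4/ip6/ptr/exists/all left; counts lookups the way a checker does
    if domain in path:
        raise ValueError(f"include/redirect loop: {' -> '.join(path + [domain])}")
    path, out, redirect = path + [domain], [], None
    for raw in spf_record(domain).split()[1:]:
        qual, name, arg, cidr = parse_term(raw)
        state["lookups"] += name in LOOKUP_MECHS    # counted even when the target has no records
        if name in ("ip4", "ip6"):
            out.append((qual, f"{name}:{arg}{cidr}"))
        elif name == "a":
            out += [(qual, t) for t in host_terms(arg or domain, cidr)]
        elif name == "mx":
            out += [(qual, t) for h in lookup(arg or domain, "MX") for t in host_terms(h, cidr)]
        elif name == "include":
            for sub_qual, term in _flatten(arg, state, path):
                if sub_qual == "+":
                    out.append((qual, term))         # a pass inside the include is a match of the include
                elif term != "all":                  # a -/~/? term inside an include only stops it matching;
                    raise ValueError(f"{arg}: {sub_qual}{term} cannot be lifted without changing semantics")
                if term == "all":
                    break                            # nothing after the include's own all is evaluated
        elif name in ("ptr", "exists"):
            out.append((qual, name + (f":{arg}" if arg else "")))   # depend on the sender IP; stay lookups
        elif name == "all":
            out.append((qual, "all"))
            break                                    # terms after all are never evaluated
        elif name == "redirect":
            redirect = arg                           # other modifiers (exp=) do not change which IPs pass
    else:                                            # no all matched, so redirect= (if any) is followed
        if redirect:
            state["lookups"] += 1
            out += _flatten(redirect, state, path)   # evaluated as if it were the domain's own record
    return out

def compile_spf(domain):
    # returns (flattened record, number of DNS lookups the published record costs a checker)
    state = {"lookups": 0}
    terms = [("" if q == "+" else q) + t for q, t in _flatten(domain, state, [])]
    return "v=spf1 " + " ".join(dict.fromkeys(terms)), state["lookups"]   # dedupe, keep order

def audit(domain):
    # what the proposed wizard would display: published record, compiled record, warnings
    original, (compiled, lookups) = spf_record(domain), compile_spf(domain)
    size, warnings = len(compiled.encode()), []
    if lookups > LOOKUP_LIMIT:
        warnings.append(f"published record costs {lookups} DNS lookups; checkers stop at {LOOKUP_LIMIT} (permerror)")
    if size > TXT_STRING_MAX:
        warnings.append(f"compiled record is {size} bytes; split it into <=255-byte strings in the TXT RDATA")
    # minimal reply with one TXT RR: header + question + compressed owner + RR fixed fields + RDATA length bytes
    if 12 + len(domain) + 2 + 4 + 2 + 10 + size + -(-size // TXT_STRING_MAX) > UDP_PAYLOAD_MAX:
        warnings.append("compiled TXT answer will not fit a 512-byte UDP reply; expect truncation and TCP retries")
    return {"original": original, "compiled": compiled, "lookups": lookups, "warnings": warnings}

if __name__ == "__main__":
    print(audit("example.com"))
```

Two points the code makes that the prose only implies: the lookup cost a checker pays is the count over the whole include tree (example.com publishes three lookup mechanisms but costs four), and a flattened record freezes the provider's addresses at compile time, so a one-off cut-and-paste of the compiled output goes stale the moment the included record changes. That is why the compiler belongs in the serving name server, recompiling on each zone load, rather than only in a wizard.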