Re: DNS Query Format
2005-03-24 14:19:16
At 11:04 AM 3/24/2005 -0700, Alan Maitland wrote:
Which IP address? IP Address in the DNS Query - did you mean
response? The IP address of the requesting party is already known. Sorry
to be obtuse, but I really don't understand what you mean.
As I understand it, an SPF query generated by a receiver does not include
the sender's IP address in that query. That IP address is passed as one of
the arguments to the check_host() function, but it is not used when
check_host() constructs the SPF query. The DNS server which receives the
query, therefore has no ability to run the SPF check itself, or to log the
IP for later forensics, etc.
We reached a consensus that having the DNS server run the check is no
advantage, and forfeits a major benefit of DNS, having the receiver cache
the response. If the DNS server responds with only "That IP is good.", the
answer is not as useful as "Here are all my authorized IPs. Don't ask
again for 24 hours."
We haven't yet decided if the remaining small benefit of sending an IP in
the query is worth the small price of changing the spec to add a few bytes
of new information.
I hope I got this right. :>)
-- Dave
At 09:21 AM 3/24/2005, you wrote:
It has been mentioned that the %{i} macro could be included in the
query, and then the server could reply with PASS/FAIL. I think this is
a bad idea, because all those queries are uncacheable, so this truly
circumvents the benefits that were designed into DNS. When the DDOS
attempt does happen, caching can really help lower the impact. It may
be that I didn't understand the proposal well enough.
Good point. I hadn't thought of that. Also, since the PASS/FAIL
response takes the same single IP datagram as a list of IPs, there is
not much to be gained.
One more thought on this topic: Even though we see no advantage now in
having a DNS server reply with a PASS/FAIL, would it be a good idea to
include the IP address in the DNS query anyway? That will add a
negligible 4 bytes to the query, and will allow for some future use of
this information. This might be, for example, a daemon that alerts a
domain owner when an IP in their domain attempts an unauthorized use of
the domain name. ( A zombie catcher !! )
I raise this question now, because it will be a lot easier to modify the
standard now than later.
-- Dave
************************************************************* *
* David MacQuigg, PhD * email: dmquigg-spf(_at_)yahoo(_dot_)com *
*
* IC Design Engineer * phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* * 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. * Tucson, Arizona 85710 *
************************************************************* *
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: Re: DNS load research, (continued)
- Re: Re: DNS load research, Radu Hociung
- Re: Re: DNS load research, David MacQuigg
- DNS Query Format, David MacQuigg
- query format, load, and stunt servers, oh my, Andy Bakun
- New draft (was: query format, load, and stunt servers, oh my), Frank Ellermann
- Re: New draft (was: query format, load, and stunt servers, oh my), David MacQuigg
- Re: New draft, Frank Ellermann
- RE: HELO/EHLO Check Processing Limits (was: New draft (was: query format, load, and stunt servers, oh my)), Scott Kitterman
- Re: HELO/EHLO Check Processing Limits (was: New draft (was: query format, load, and stunt servers, oh my)), Frank Ellermann
- Re: DNS Query Format, Commerco WebMaster
- Re: DNS Query Format,
David MacQuigg <=
- Re: DNS Query Format, Chris Haynes
- Re: DNS Query Format, David MacQuigg
- Re: DNS Query Format, Chris Haynes
- RE: DNS Query Format, Scott Kitterman
- Re: DNS Query Format, David MacQuigg
- Re: DNS Query Format, Radu Hociung
- Re: DNS Query Format, David MacQuigg
- Re: DNS Query Format, Chris Haynes
- Re: DNS Query Format, william(at)elan.net
- Re: DNS Query Format, David MacQuigg
|
|
|