spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-03-31 16:11:24
You are assuming that one is validating the IP that the connecting MTA (sender) is connecting to your (receiver) mail server with. You are not. Or you are not JUST doing that.

What you are actually validating is that the domain name in the MAIL-FROM is allowing its emails to originate from the IP that the MTA (sender) is connecting to your (receiver) mail server with.

(You may also/instead be validating the mail server's HELO/EHLO name, but that is a trivial distinction in this context; it's still a foreign domain name being validated against the foreign IP.)

rg(_at_)mdpd(_dot_)com wrote:

> I hope I'm not speaking out-of-turn and I do realize that a lot of effort has been expended on this project thus far...
>
> But, since I am not so familiar with this problem and I believe I may be able to provide a fresh perspective... Here is my question on the DNS topic:
>
> Why are so many DNS requests necessary at all?

Because many IPs could be originating email that are allowed to say it is from a specific domain.

> It seems to me that any system that needs IP verification via DNS should do so for only the one IP that it needs to verify. Simplified: reverse the verification role and have the DNS (server) zone verify the requested IP and then reply with a pass or fail type token (or it can return the IP itself or no IP if that IP fails.)

That is a good idea. But it does not fit within DNS confines, because there is not a 1-1 mapping of domain names to IPs. And because you cannot currently (to my knowledge) ask a DNS server the type of question I think you are proposing.

> This approach seems more efficient and certainly more secure (since no information more than that which is already known is revealed.)

It is more efficient if such a server system exists. I don't think it does. Certainly not DNS; you ask for a resolution of a DNS name and a record type and get a response. A given IP, however, could be authorized to send email for MANY domains. By your method you need to ask the DNS server "is this domain authorized for this IP?". But all you can ask is "here is a domain, give me a record of type X". The result is usually an IP (traditional type of DNS); it can be a boolean response (usually faked in the form of a non-routable IP) or some text string (TXT is what SPF uses), etc.

But make no mistake: the question "is this domain authorized for this IP?" cannot be stated in the format "here is a domain, give me a record of type X". Hence your question cannot be answered by a DNS query (or at least not 1 DNS query).

> If I am not seeing the big picture, someone please direct me to that picture (or link.) Again, I am not well versed on this problem, I hope that has been made clear, but I do wish to help it along (if at all possible.)

I hope this clears it up for you.

Terry

> Thanks,
>
> -Rudy Gomez
>
> -JUST SAY NO TO SPAM!



> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> Read the whitepaper! http://spf.pobox.com/whitepaper.pdf
> To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com


--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085
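The point Terry makes above (DNS can only answer "here is a name, give me a record of type X", so "is this IP authorized for this domain?" has to be assembled from several such answers) is easier to see with a small evaluator. The following Python is an added example, not code from this thread or from the SPF project. It implements a cut-down SPF check_host() over an in-memory resolver with constructed, documentation-only zone data (example.com, .example names and 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 addresses), records every name+type question asked, and enforces the 10-DNS-mechanism limit that the later SPF specification (RFC 7208 section 4.6.4) imposes to stop a self-including record from running forever. Mechanism handling is deliberately minimal (no ptr/exists/redirect, no CIDR suffix on a/mx, an include: of a domain without a record is treated as no match rather than permerror).

```python
import ipaddress

# Constructed in-memory zone data for the demo (example.com / .example names
# and these address ranges are reserved for documentation; nothing here is real).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 a:relay.mailhost.example ~all"],
    ("relay.mailhost.example", "A"): ["203.0.113.5"],
}

# A record that includes itself: the failure mode the lookup limit exists for.
LOOP_ZONE = {("loop.example", "TXT"): ["v=spf1 include:loop.example -all"]}

# RFC 7208 section 4.6.4: at most 10 mechanisms that trigger DNS queries
# (include, a, mx, ptr, exists) per check; exceeding it yields permerror.
MAX_DNS_MECHANISMS = 10

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Stand-in for DNS: the only question it can answer is (name, record type).
    There is no way to ask it 'is this IP authorized for this domain?'."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []  # every (name, rtype) asked, in order

    def query(self, name, rtype):
        self.queries.append((name, rtype))
        return list(self.zone.get((name, rtype), []))


def check_host(resolver, ip, domain, budget=None):
    """Minimal SPF check_host(): returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(ip)
    if budget is None:
        budget = [MAX_DNS_MECHANISMS]  # one counter shared across include: recursion
    records = [r for r in resolver.query(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):  # each of these costs further DNS queries
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in resolver.query(arg or domain, "A")
        elif mech == "mx":
            for mx_host in resolver.query(arg or domain, "MX"):
                if str(ip) in resolver.query(mx_host, "A"):
                    matched = True
                    break
        elif mech == "include":
            sub = check_host(resolver, str(ip), arg, budget)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # include: matches only on a pass of the included record
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' mechanism present


def evaluate(ip, domain, zone=ZONE):
    """Run the check and return (result, list of name+type queries it needed)."""
    resolver = Resolver(zone)
    result = check_host(resolver, ip, domain)
    return result, resolver.queries


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.10", "192.0.2.99"):
        result, queries = evaluate(ip, "example.com")
        print(f"{ip:>14} -> {result:<8} after {len(queries)} queries: {queries}")
    print("loop.example ->", evaluate("192.0.2.1", "loop.example", LOOP_ZONE)[0])
```

Running it shows the cost structure Terry describes: the relay at 203.0.113.5 is authorized for example.com, but establishing that takes five separate name+type queries (TXT, MX, A, TXT, A), none of which on its own answers the authorization question; the primary MX host passes after three; and the self-including record is cut off with permerror after eleven TXT queries instead of looping. From the receiving side, that budget is what bounds how much DNS traffic a single inbound connection can make you generate.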
