spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-03-31 16:36:01
rg(_at_)mdpd(_dot_)com asked:

I hope I'm not speaking out-of-turn and I do realize that a lot of effort has
been expended on this project thus far...
But, since I am not so familiar with this problem and I believe I may be able
to provide a fresh perspective... Here is my question on the DNS topic:

Why are so many DNS requests necessary at all?

It seems to me that any system that needs IP verification via DNS should do so
for only the one IP that it needs to verify. Simplified: reverse the
verification role and have the DNS (server) zone verify the requested IP and
then reply with a pass or fail type token
(or it can return the IP itself or no IP if that IP fails.)
This approach seems more efficient and certainly more secure (since no
information more than that which is already known is revealed.)
If I am not seeing the big picture, someone please direct me to that picture
(or link.) Again, I am not well versed on this problem; I hope that has been
made clear, but I do wish to help it along (if at all possible.)

Thanks,
-Rudy Gomez

Reasonable question.

The simplest answer - 'cause DNS does not hold the data we need.

The question being asked in SPF is 'is this IP address authorised to send mail
on behalf of this domain?'.

DNS, with MX, gives you a list of the hosts authorised to _receive_ mail, but
not to _send_ mail.  Hence the need to (ab)use a DNS TXT field to list the
authorised senders.

In simple cases, that need only involve a single look-up.  The multiple look-ups
usually arise if you have a Mail From domain who uses a different domain's
servers to send its mail. Almost all small/medium business and 'vanity' domains
are in this situation. They use an ISPs outbound mail servers.  Now those ISPs
are not going to commit to using a stable set of servers for this (defined by
their numeric IP), so, for sensible change-control your small domain 'includes'
the ISP's record, which is then fetched at run-time by the receiver, so it is
known to be the current list used by the ISP.

There are several other situations like that which push up the number of lookups
needed.

This also shows that a single server (with a single numeric IP address) might be
used by hundreds or thousands of domains. The ISP who owns the numeric address
has no idea which domains are (perfectly legally) going to use that server for
their outbound mail. I, for example, have 8 different domains that I can use. I
send all my outbound mail via one ISP, who only knows about 1 of those 8.  So
the kind of lookup you suggest just does not work because of the need to cross
these administrative boundaries.

Returning to normal SPF lookups... under normal circumstances, these
look-ups are cached in the DNS system so, for example, if you receive hundreds
of mails from small businesses all using the same ISP, you would only need one
DNS lookup per message most of the time - the one in which the small business
would 'include' the record of the ISP. You would, most of the time, already have
that ISP's record in your local cache - so the situation is not as bad as you
might think.

What people are currently agonizing over, as I understand it, is whether 'bad
guys' can force there to be a huge number of look-ups - so many that they
overwhelm either a sender's or a receiver's DNS system.

I, personally, am not yet convinced that there has been a strong enough case
made to show that the current SPF1 system is inadequate or seriously 'at risk'
in this respect. Maybe I missed some convincing scenarios...

The last thing we should be doing is raising FUD about the current version
without _very strong_ reason.

I'd far rather see progress on getting the existing system written up and
published as an RFC.

Chris Haynes


p.s.  Sorry - just taking the opportunity to vent my spleen at the end there.
Nothing to do with you, Rudy.

p.p.s.  BTW, it would be _much_ more convenient if you could post in plain text,
not HTML.  Thanks.
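To make the lookup-counting and caching argument above concrete, here is an added example (mine, not code from the thread or from any SPF implementation). It assumes constructed zone data under the reserved `.example` names: two small domains that both `include:` the same ISP record. It evaluates a minimal subset of SPF (ip4, include and the all mechanism) through a resolver that caches like a local DNS cache, so you can see that the second domain using the same ISP costs only one uncached lookup.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT records (assumption:
# these are not real domains). Two small domains include the same ISP record.
ZONE = {
    "isp.example":    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "shop.example":   "v=spf1 include:isp.example -all",
    "vanity.example": "v=spf1 ip4:203.0.113.5 include:isp.example ~all",
}

class CachingResolver:
    """Serves TXT records from ZONE, caching them like a local DNS cache."""
    def __init__(self):
        self.cache = {}
        self.queries = 0          # lookups that were not served from the cache

    def txt(self, name):
        if name not in self.cache:
            self.queries += 1
            self.cache[name] = ZONE.get(name)   # None stands in for "no record"
        return self.cache[name]

def check_host(resolver, domain, ip, depth=0):
    """Minimal SPF check supporting ip4, include and all.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:               # guard against include loops / runaway chains
        return "permerror"
    record = resolver.txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):          # fetched at run time, as in the post
            if check_host(resolver, term[8:], ip, depth + 1) == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"

def lookups_for(domains, ip):
    """Evaluate each domain against one shared cache; return the per-domain
    results and how many lookups actually had to leave the cache."""
    r = CachingResolver()
    return [check_host(r, d, ip) for d in domains], r.queries
```

Evaluating `shop.example` and then `vanity.example` for a sending IP inside the ISP's range needs three uncached lookups in total rather than four, because the ISP's record is already cached when the second domain includes it.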