spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-03-31 21:26:33
This is a reasonable question, Rudy.

One can make the assertion that once an IP is validated by a domain (the first
time) it doesn't matter what other domain is used against the same IP.

For this assertion to be untrue, it would have to be that the client has been
exploited (open relay, for example).  But you will never be able to find this
out unless a statistical based restriction is used (i.e., too many fails from
the same client).

In other words, once the IP is authorized by SPF, you have a reduced need
to perform additional SPF lookups when the same client connects.  A time
expiration cache can be used to determine when a refresh check should be
done.

This might be translated to an SPF directive where the policy exposes a
refresh time. However, that would need to be secured with a server override
refresh time, because you don't want a client saying "This record is good for
X months!"

I like the refresh idea because I also think we need an SPF record expiration
concept to help Neutral/SoftFail people get off their butt to finish their
migration plans.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats  (WcSAP Anti-Spam Stats)
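The caching scheme described in the reply above, as an added example that is not part of the original post or of any SPF implementation: a per-client-IP cache of SPF "pass" verdicts, a server-side cap on the refresh time a domain's policy may propose, and a "too many fails from the same client" restriction. The SPF evaluation itself is a stand-in over a constructed policy table (`SAMPLE_POLICIES`); the cap, threshold and sample addresses are assumed values, and a real MTA would call its SPF library in place of `sample_lookup`.

```python
"""Per-client SPF verdict cache with a server-capped refresh time.

Added example, not code from the spf-discuss thread. The cache is keyed by
client IP, as the post proposes, so a cached 'pass' is reused whichever
domain the client presents next until the entry expires.
"""
import time
from dataclasses import dataclass

# Server override: no cached verdict is honoured longer than this, however
# long the publishing domain asks for. Assumed value.
SERVER_MAX_REFRESH = 3600
# Statistical restriction: this many 'fail' verdicts blocks the client.
# Assumed threshold.
MAX_FAILS_PER_CLIENT = 3

# Constructed sample policies: domain -> (authorized IPs, proposed refresh).
# example.com asks for its record to be treated as good for a month.
SAMPLE_POLICIES = {
    "example.com": ({"192.0.2.10"}, 30 * 24 * 3600),
    "example.net": ({"192.0.2.20"}, 600),
}


def sample_lookup(ip, domain):
    """Stand-in for a real SPF check: (verdict, proposed_refresh_seconds)."""
    policy = SAMPLE_POLICIES.get(domain)
    if policy is None:
        return "none", 0
    authorized, refresh = policy
    return ("pass" if ip in authorized else "fail"), refresh


@dataclass
class Entry:
    verdict: str = "none"
    expires_at: float = 0.0
    fails: int = 0


class SpfVerdictCache:
    """Caches 'pass' verdicts per client IP; fails are counted, not cached."""

    def __init__(self, lookup, now=time.time):
        self._lookup = lookup   # callable(ip, domain) -> (verdict, refresh)
        self._now = now         # injectable clock so the demo is deterministic
        self._entries = {}
        self.lookups = 0        # number of real SPF evaluations performed

    def check(self, ip, domain):
        t = self._now()
        e = self._entries.setdefault(ip, Entry())
        if e.fails >= MAX_FAILS_PER_CLIENT:
            return "blocked"                    # no DNS traffic for known-bad clients
        if e.verdict == "pass" and t < e.expires_at:
            return "pass"                       # cache hit: no DNS traffic
        verdict, proposed = self._lookup(ip, domain)
        self.lookups += 1
        if verdict == "pass":
            e.verdict = "pass"
            # The server override wins over whatever the policy proposes.
            e.expires_at = t + min(proposed, SERVER_MAX_REFRESH)
        else:
            e.verdict = verdict
            e.expires_at = 0.0                  # never reuse a non-pass verdict
            if verdict == "fail":
                e.fails += 1
        return verdict

    def expires_at(self, ip):
        return self._entries[ip].expires_at


def run_demo():
    """Walk through a cache hit, a forced refresh and a blocked client."""
    clock = [1000.0]
    cache = SpfVerdictCache(sample_lookup, now=lambda: clock[0])
    results = [
        cache.check("192.0.2.10", "example.com"),   # real lookup -> pass
        cache.check("192.0.2.10", "example.com"),   # served from cache
    ]
    clock[0] += SERVER_MAX_REFRESH + 1              # past the server cap, not the month
    results.append(cache.check("192.0.2.10", "example.com"))  # refreshed
    for _ in range(MAX_FAILS_PER_CLIENT):
        results.append(cache.check("198.51.100.7", "example.net"))  # fail
    results.append(cache.check("198.51.100.7", "example.net"))      # blocked
    return results, cache.lookups


if __name__ == "__main__":
    print(run_demo())
```

The first `pass` for 192.0.2.10 is cached until 1000 + 3600, not for the month example.com asked for, and the second check costs no lookup; the refresh after the cap expires costs one. The three fails from 198.51.100.7 each cost a lookup, after which the client is answered "blocked" without any DNS traffic.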



----- Original Message -----
From: <rg(_at_)mdpd(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, March 31, 2005 5:44 PM
Subject: [spf-discuss] Why are so many DNS requests necessary at all?


I hope I'm not speaking out-of-turn and I do realize that a lot of effort
has been expended on this project thus far...

But, since I am not so familiar with this problem and I believe I may be
able to provide a fresh perspective... Here is my question on the DNS topic:



Why are so many DNS requests necessary at all?

It seems to me that any system that needs IP verification via DNS should do
so for only the one IP that it needs to verify. Simplified: reverse the
verification role and have the DNS (server) zone verify the requested IP and
then reply with a pass or fail type token (or it can return the IP itself or
no IP if that IP fails.)

This approach seems more efficient and certainly more secure (since no
information more than that which is already known is revealed.)

If I am not seeing the big picture, someone please direct me to that picture
(or link.) Again, I am not well versed on this problem, as I hope has been
made clear, but I do wish to help it along (if at all possible.)



Thanks,

-Rudy Gomez

-JUST SAY NO TO SPAM!





--------------------------------------------------------------------------------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com