spf-discuss

RE: Why are so many DNS requests necessary at all?

2005-04-01 08:07:53

Chris Haynes wrote:

-snip-

>Reasonable question.
>The simplest answer - 'cause DNS does not hold the data we need.

REPLY= That is what needs to be created - a new DNS record for that data.

>The question being asked in SPF is 'is this IP address authorised to
>send mail on behalf of this domain?'. DNS, with MX, gives you a list of
>the hosts authorised to _receive_ mail, but not to _send_ mail. Hence
>the need to (ab)use a DNS TXT field to list the authorised senders.

REPLY= I agree on the need, I disagree with the TXT field. This reveals too much information. The authentication should be based solely on one IP and thus cannot be done from the outside in.

DNS ZONE
========
;
; Database file TEST.com.dns for TEST.com zone.
; Zone version: 1
;
@ IN SOA dns.server. hostmaster.test.com. (
        1       ; serial number
        1000    ; refresh
        1000    ; retry
        86400   ; expire
        3600 )  ; minimum TTL
;
; Zone NS records
;
@ NS ns1.TEST.net.
@ NS ns2.TEST.net.
;
; Zone records
;
@ A 1.2.3.4
@ MX 1 mx.TEST.com.
* A 1.2.3.4
=======additional========
1.2.3.4 MXO 1.2.3.4
2.3.4.5 MXO 2.3.4.5
====or====
MXO CNAME mxo.ISP.com
====or====
@ MXO mxo.ISP1.com
MXO mxo.ISP2.com
MXO 1.2.3.4
MXO 2.3.4.5

-snip-

>This also shows that a single server (with a single numeric IP address)
>might be used by hundreds or thousands of domains. The ISP who owns the
>numeric address has no idea which domains are (perfectly legally) going
>to use that server for their outbound mail. I, for example, have 8
>different domains that I can use. I send all my outbound mail via one
>ISP, who only knows about 1 of those 8. So the kind of lookup you
>suggest just does not work because of the need to cross these
>administrative boundaries.

REPLY= Incorrect assumption, you can simply enter a CNAME in all your domains to list your ISP entry (for their sending servers.)

>Returning to the normal, SPF lookups... under normal circumstances,
>these look-ups are cached in the DNS system so, for example, if you
>receive hundreds of mails from small businesses all using the same ISP,
>you would only need one DNS lookup per message most of the time - the
>one in which the small business would 'include' the record of the ISP.
>You would, most of the time, already have that ISP's record in your
>local cache - so the situation is not as bad as you might think.

REPLY= This is true for any DNS entry, not relevant for this argument.

>What people are currently agonizing over, as I understand it, is

>whether 'bad guys' can force there to be a huge number of look-ups - so

>many that they overwhelm either a sender's or a receiver's DNS system.

REPLY= This seems like a reasonable worry, but they (those bad guys) can already exploit DNS weaknesses without SPF. Since DNS allows for caching, this doesn't seem like such a threat (that is, that it is creating a new type of threat.)

-snip-

>Chris Haynes

-snip-


Sorry about the HTML, I can't seem to send from my regular email account - forced to use mail.com account.

-Rudy Gomez
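The worry raised in the thread, that an SPF policy can force a receiver into a large number of DNS queries, is something a mail administrator can measure before publishing a record. The following is an added example, not code from the thread or from the SPF project: it walks an SPF policy and its include/redirect chain against a constructed in-memory zone table (the domain names and records are invented for the demonstration, so it runs offline with no live DNS) and counts the DNS-querying terms a receiver would evaluate. The cap of 10 such terms per check is the one RFC 7208 (section 4.6.4) specifies; a compliant receiver returns permerror beyond it, which is what bounds the amplification the thread discusses.

```python
"""Count the DNS lookups an SPF policy forces a receiver to make.

Added example; resolves against a constructed zone table, not live DNS.
The 10-lookup cap is the RFC 7208 limit on DNS-querying mechanisms:
'include', 'a', 'mx', 'ptr', 'exists' and the 'redirect' modifier.
"""
import re

# Constructed zone table: domain -> TXT record holding its SPF policy.
# The chain mirrors the thread's scenario: a small business that
# 'include's its ISP, and an ISP that itself includes an upstream.
ZONE = {
    "smallbiz.example": "v=spf1 mx include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.upstream.example ~all",
    "_spf.upstream.example": "v=spf1 a mx ip6:2001:db8::/32 -all",
    # Bloated policy: twelve includes, each one a lookup (constructed).
    "bloated.example": "v=spf1 "
    + " ".join(f"include:x{i}.example" for i in range(12))
    + " -all",
    # Two domains that include each other (constructed loop).
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

TERM_RE = re.compile(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=](.*))?")


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    terms = []
    for token in record.split()[1:]:  # drop the 'v=spf1' version tag
        m = TERM_RE.fullmatch(token)
        if not m:
            raise ValueError(f"malformed SPF term: {token!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def count_lookups(domain, zone=ZONE, _path=()):
    """Return (lookups, status) for the policy published at 'domain'.

    'lookups' counts DNS-querying terms across nested includes and
    redirects; status is 'ok', 'too-many-lookups', 'loop' or 'none'
    (no policy published). Counting stops once the cap is exceeded,
    as a receiver would at that point return permerror. The extra A
    queries an 'mx' term triggers for each MX host are not modelled.
    """
    if domain in _path:
        return 0, "loop"
    record = zone.get(domain)
    if record is None:
        return 0, "none"
    path = _path + (domain,)
    lookups = 0
    for _qualifier, name, arg in parse_terms(record):
        if name not in LOOKUP_MECHANISMS and name != "redirect":
            continue  # ip4/ip6/all and other modifiers cost no query
        lookups += 1
        if lookups > MAX_LOOKUPS:
            return lookups, "too-many-lookups"
        if name in ("include", "redirect") and arg:
            sub_lookups, sub_status = count_lookups(arg, zone, path)
            lookups += sub_lookups
            if sub_status == "loop":
                return lookups, "loop"
            if lookups > MAX_LOOKUPS:
                return lookups, "too-many-lookups"
    return lookups, "ok"


if __name__ == "__main__":
    for name in ("smallbiz.example", "bloated.example", "loop-a.example"):
        print(f"{name:24s} lookups={count_lookups(name)[0]:2d} "
              f"status={count_lookups(name)[1]}")
```

Run as a script it reports the small-business chain as five lookups (well within budget), the bloated record as a permerror at the eleventh, and the mutual include as a loop. Swapping the constructed `ZONE` dictionary for a function that fetches TXT records would turn it into a pre-publication check on a real policy; the budget logic is unchanged.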




Sender Policy Framework: http://spf.pobox.com/ Archives at http://archives.listbox.com/spf-discuss/current/ Read the whitepaper! http://spf.pobox.com/whitepaper.pdf To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com