spf-discuss

[spf-discuss] [Fwd: How to mark domains that do / do not wish to receive email]

2008-03-26 19:35:45
AFAIK, SPF specs still mandate to add a TXT or SPF record for each
subdomain. IME, that is one of the most frequent omissions in SPF
configurations. The current spec requires an SPF record for each
name that has either an MX or an A record. Except for tiny domains,
that requires a script, which is probably why many admins skip it.

http://www.openspf.org/FAQ/The_demon_question mentions "v=spf1 -all"
as a suitable default text for wildcards.

The message I'm forwarding is about a related mail DNS setting, MX.
I wonder if next SPF update shouldn't change that point also. IMHO,
a default more appropriate than "?all" might be preferable. (E.g.,
an additional "default" modifier, appended to a domain's SPF record,
could state that the last mechanism is to be assumed as the default
for subdomains that actually lack any TXT or SPF record.)

BTW, is there a draft and/or a schedule for next SPF spec update?

-------- Original Message  --------
Subject: How to mark domains that do / do not wish to receive email
Date: Wed, 26 Mar 2008 20:46:57 -0400
From: John Leslie <john(_at_)jlc(_dot_)net>
To: Mark Andrews <Mark_Andrews(_at_)isc(_dot_)org>
CC: ietf-smtp(_at_)imc(_dot_)org, Bill Manning <bmanning(_at_)ISI(_dot_)EDU>


   (I asked Mark to discuss this on <ietf-smtp> -- I'll provide context
where it seems needed...)

Mark Andrews <Mark_Andrews(_at_)isc(_dot_)org> wrote:
To: John Leslie <john(_at_)jlc(_dot_)net>
Mark Andrews <Mark_Andrews(_at_)isc(_dot_)org> wrote:
SM <sm(_at_)resistor(_dot_)net> wrote:
Mark Andrews <Mark_Andrews(_at_)isc(_dot_)org> wrote:

It is easy to turn "MX 0 ." into "This domain doesn't support
email" as "." is not confusable with a hostname.  There is no
reason to look up address records for "."

There was an I-D, draft-delany-nullmx-00, which didn't make it
to RFC status.

Which could just be a misconfiguration.   You still have to
look up addresses for "dev.null".

Yes.  People still do it.

Yes they do.  We, the IETF, have failed them by not providing
them with a clear mechanism to do what they want without bad
side effects.

   (The above is to give context.)

I well remember DNS gurus trying to deprecate the use of "."
wherever it might lead to queries to root servers for "." Is
this no longer an issue?

SRV says to use "." for "no service".

   This is indeed specified in RFC 2782.

RP says to use "." for "does not exist".

   I think Mark means Responsible Person (RFC 1183).

There are already queries for A and AAAA queries for ".".
Codifying the use of "MX 0 ." will, in the long run, reduce
the number of such queries as MTAs get updated.

   I'm pretty sure Mark means that the additional usage will speed
the update of MTAs which now query for "." to stop making this
useless query.

The roots can handle the query load in the meantime.

   Mark is more of a DNS guru than I, certainly, so I tend to assume
he's right about this.

   However, widespread usage of this convention _could_ generate
rather a lot of potential DNS queries as spammers continue to forge
Mail-From addresses which domain administrators attempt to mark as
"no incoming email accepted".

   (The volume of spam blowback dwarfs any current use of SRV and
RP records.)

I'm very confused that Bill Manning seems to be calling for

*    MX    .

I think you mean "* MX 0 ."

   (Indeed, I erred in typing this.)

and Bill was not saying that.

   Frankly, I have a lot of difficulty understanding _what_ Bill
Manning was saying, except that he didn't want to publish MX records.
I guessed he might mean that anyone who _didn't_ want a machine
probed for a port-25 server should publish MX records to say so.
(But, of course, he might just as well have meant you should block
port 25 -- I really don't know...)

Bill knows that a wildcard record will not have the desired
effect.  Adding a "MX 0 ." record alongside an existing
record will have the desired effect.

   (Actually, I doubt that either Mark or I should attempt to speak
for Bill.)

It will be needed even *after* IPv6 takes over.  There will
be lots of queries for A records long after the majority
of hosts don't have A records.

   This is getting back to Mark's actual point -- that queries for
A (and/or AAAA) records for domains that don't want to participate
in SMTP is a bad use of the DNS system.

   I quite agree.

We need to remove the implicit MX from A to prevent the A
record lookups occurring as things currently stand.

   I don't agree with "need to"; but I do think the SMTP world would
be a better place if we did.

--
John Leslie <john(_at_)jlc(_dot_)net>
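As an added illustration of the two points raised in this thread (the SPF rule that every name carrying an MX or A record needs its own SPF record, and the "MX 0 ." convention for domains that accept no mail), here is a small offline audit in Python. This is example code written for this page, not code from the list, from openspf.org or from any RFC; the zone contents, names and function names are constructed assumptions. It flags names that would need an SPF record under the rule quoted at the top of the post, shows why a wildcard "v=spf1 -all" does not cover names that already exist (DNS only synthesizes a wildcard for names with no records at all), and distinguishes the exact null-MX form from a bogus target such as "dev.null" that still triggers address lookups (the draft mentioned above was later published as RFC 7505).

```python
"""Offline audit of a zone for missing SPF records, wildcard coverage and
null MX. SAMPLE_ZONE is constructed sample data, not real DNS; the names
and helper functions are assumptions made for this example."""
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[RR]]    # owner name (FQDN, trailing dot) -> its records

SAMPLE_ZONE: Zone = {
    "example.org.":         [("MX", "10 mail.example.org."), ("A", "192.0.2.10"),
                             ("TXT", "v=spf1 mx -all")],
    "*.example.org.":       [("TXT", "v=spf1 -all")],                  # wildcard default
    "mail.example.org.":    [("A", "192.0.2.25")],                     # A record, no SPF
    "www.example.org.":     [("A", "192.0.2.80"), ("TXT", "v=spf1 -all")],
    "noreply.example.org.": [("MX", "0 ."), ("TXT", "v=spf1 -all")],   # null MX
    "dev.example.org.":     [("MX", "10 dev.null."), ("A", "192.0.2.99")],  # bogus MX
    "_dmarc.example.org.":  [("TXT", "v=DMARC1; p=none")],             # no MX/A: exempt
}


def spf_records(rrs: List[RR]) -> List[str]:
    """TXT strings that are SPF records (version tag 'v=spf1')."""
    return [rd for rt, rd in rrs if rt == "TXT" and rd.lower().startswith("v=spf1")]


def has_null_mx(rrs: List[RR]) -> bool:
    """True only for the exact 'MX 0 .' form: a single MX, preference 0,
    exchange '.'. A target like 'dev.null.' is a hostname, so a receiver
    would still look up its address records."""
    mx = [rd.split() for rt, rd in rrs if rt == "MX"]
    return len(mx) == 1 and mx[0] == ["0", "."]


def names_missing_spf(zone: Zone) -> List[str]:
    """Names that can be used as a mail domain (MX, A or AAAA present)
    but publish no SPF record of their own; the rule quoted in the post."""
    missing = []
    for name, rrs in zone.items():
        if name.startswith("*."):
            continue                        # the wildcard owner is not a host
        types = {rt for rt, _ in rrs}
        if types & {"MX", "A", "AAAA"} and not spf_records(rrs):
            missing.append(name)
    return sorted(missing)


def effective_spf(zone: Zone, name: str) -> Tuple[str, Optional[str]]:
    """What a receiver's TXT query for `name` would yield.
    Simplified wildcard rule: '*.parent' is synthesized only when `name`
    has no records at all. An existing name with just an A record gets
    NODATA, not the wildcard (empty non-terminals are ignored here)."""
    rrs = zone.get(name, [])
    explicit = spf_records(rrs)
    if explicit:
        return "explicit", explicit[0]
    if not rrs and "." in name:
        wild = "*." + name.split(".", 1)[1]
        synthesized = spf_records(zone.get(wild, []))
        if synthesized:
            return "wildcard", synthesized[0]
    return "none", None


if __name__ == "__main__":
    for n in names_missing_spf(SAMPLE_ZONE):
        print("no SPF record:", n)
    for n in ("example.org.", "mail.example.org.", "ghost.example.org."):
        print(n, effective_spf(SAMPLE_ZONE, n))
    for n, rrs in SAMPLE_ZONE.items():
        if has_null_mx(rrs):
            print("null MX, accepts no inbound mail:", n)
```

Run against the sample zone, `mail.example.org.` and `dev.example.org.` are reported as needing their own SPF record even though the wildcard exists, while the nonexistent `ghost.example.org.` does pick up the wildcard's `v=spf1 -all`; this is exactly the gap that makes the per-name script from the first paragraph necessary. In a real deployment the zone would be loaded from a zone file or an AXFR rather than a literal dict.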

-------------------------------------------
Sender Policy Framework: http://www.openspf.org