On Apr 14, 2009, at 2:54 AM, Douglas Otis wrote:
On Apr 13, 2009, at 7:01 PM, Mark Andrews wrote:
If a application is doing the wrong thing w.r.t. SRV records then
fix the application. The root servers can handle a A and AAAA
queries for ".". Most cache's will correctly
negatively cache such responses.
As for "MX 0 ." the sooner this gets defined as no SMTP service for
this domain the better. The cost for changing this is only every
going to increase.
It may take years before a significant portion of SMTP servers
recognize root domains as meaning no service. An alternative would
be to require MX records to assert SMTP service. A positive
assertion will not impose additional burdens on root servers, but
will necessitate explicit DNS provisions to exchange SMTP messages.
With 19 out of 20 messages being abusive and largely from
compromised systems, requiring a domain to assert their intent to
exchange public SMTP messages will encourage adoption without
burdening root servers with strategies sure to generate extraneous
traffic beyond their control.
SRV records have demonstrated the inability of roots to ensure
applications mitigate extraneous traffic. Expanding upon this
failure seems sure to result in a growing number of wildcard MX
records targeting roots. Negative caching of randomly spoofed
domains might not be an effective control. It seems unwise to
encourage a greater use of wildcard records that target roots.
I agree with Doug. The most reasonable course of action would be an
IETF document, perhaps a BCP, that indicates SMTP transports should
ONLY do MX lookups to find the mail server for a domain, and not fall
back on A records. I'd endorse this, and would work on such a document
if there were interest. The big question is whether it would be done
in DNSOP, since it affects how DNS records are interpreted, or in the
defunct SMTP group's list, since it affects how mail servers interpret
DNS information.
I specifically do NOT agree with the "MX 0 ." approach, and do not see
any reason why this would be a better solution than simply not having
MX records at all. True, during implementation of an MX requirement,
some portion of sites might have difficulty receiving email until they
add an MX record. But adding MX records is a well-known process, and
the effort for those domains that haven't bothered with them in the
past will not be onerous.
I have used another solution as well, that being:
example.com. IN MX nomail.example.com.
nomail.example.com. IN A 127.0.0.1
Those attempting to spam a domain that doesn't accept email will get
upset with themselves, and not send packets to a server that's not
interested. This does, sometimes, result in error messages for the
sending server or their upstream relay, but keeps such alerts closer
to the sender (who is likely a spammer anyway).
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
