Todd Glassey wrote:
Daniel Senie wrote:

On Apr 14, 2009, at 2:54 AM, Douglas Otis wrote:


On Apr 13, 2009, at 7:01 PM, Mark Andrews wrote:

If a application is doing the wrong thing w.r.t. SRV records then fix the application. The root servers can handle a A and AAAA queries for ".". Most cache's will correctly
negatively cache such responses.

As for "MX 0 ." the sooner this gets defined as no SMTP service for this domain the better. The cost for changing this is only every going to increase.

It may take years before a significant portion of SMTP servers recognize root domains as meaning no service. An alternative would be to require MX records to assert SMTP service. A positive assertion will not impose additional burdens on root servers, but will necessitate explicit DNS provisions to exchange SMTP messages. With 19 out of 20 messages being abusive and largely from compromised systems, requiring a domain to assert their intent to exchange public SMTP messages will encourage adoption without burdening root servers with strategies sure to generate extraneous traffic beyond their control.

SRV records have demonstrated the inability of roots to ensure applications mitigate extraneous traffic. Expanding upon this failure seems sure to result in a growing number of wildcard MX records targeting roots. Negative caching of randomly spoofed domains might not be an effective control. It seems unwise to encourage a greater use of wildcard records that target roots.

I agree with Doug. The most reasonable course of action would be an IETF document, perhaps a BCP, that indicates SMTP transports should ONLY do MX lookups to find the mail server for a domain, and not fall back on A records. I'd endorse this, and would work on such a document if there were interest. The big question is whether it would be done in DNSOP, since it affects how DNS records are interpreted, or in the defunct SMTP group's list, since it affects how mail servers interpret DNS information.

I specifically do NOT agree with the "MX 0 ." approach, and do not see any reason why this would be a better solution than simply not having MX records at all. True, during implementation of an MX requirement, some portion of sites might have difficulty receiving email until they add an MX record. But adding MX records is a well-known process, and the effort for those domains that haven't bothered with them in the past will not be onerous
Daniel the reason is simple - because defining a MX 0 shows a specific intent. Having no MX record at all shows sloppy domain management and that there was no properly formed domain profile in the master public lookup's, i.e. DNS. By the way NEA desparately needs the ability to find a MX service in its operations IMHO.

So the idea is that there really isnt a need to make the world a better place for sloppy domain admin's, but that there is a need to properly define the positive and negative status of any domain element
"Proper" is in the eye of the beholder. I happen to think it's more "proper" for a NODATA response to an MX query to signal the absence of mail deliverability to a particular domain, which it unambiguously and with "specific intent" does if and when the A/AAAA failover is removed from the SMTP specification.

I'll note that the only subset of domain admins who would be negatively impacted by the removal of A/AAAA failover from SMTP, are those who are currently receiving mail by forcing clients to perform that failover. The polite and courteous thing is to provide MX records regardless, to save the mail clients one or more lookups. Is there a need to make the world a better place for impolite and/or discourteous domain admins?

I hereby register my support of removing A/AAAA failover from the SMTP specification (not that it carries much weight here on DNSOP, I realize), and my opposition to imbuing a certain MX target, namely, the root name, with a "special meaning" in this context, because a) these "special meaning" records use up resources that a NODATA response does not, and b) whenever the "special meaning" is -- as it is inexorably -- misinterpreted, or misunderstood, it results in more "junk" query traffic to the root nameservers.

-Kevin

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to