Todd Glassey wrote:
Daniel Senie wrote:
On Apr 14, 2009, at 2:54 AM, Douglas Otis wrote:

On Apr 13, 2009, at 7:01 PM, Mark Andrews wrote:

If an application is doing the wrong thing w.r.t. SRV records then fix the application. The root servers can handle A and AAAA queries for ".". Most caches will correctly negatively cache such responses.

As for "MX 0 ." the sooner this gets defined as no SMTP service for this domain the better. The cost for changing this is only ever going to increase.

It may take years before a significant portion of SMTP servers 
recognize root domains as meaning no service. An alternative would 
be to require MX records to assert SMTP service. A positive 
assertion will not impose additional burdens on root servers, but 
will necessitate explicit DNS provisions to exchange SMTP messages. 
With 19 out of 20 messages being abusive and largely from 
compromised systems, requiring a domain to assert their intent to 
exchange public SMTP messages will encourage adoption without 
burdening root servers with strategies sure to generate extraneous 
traffic beyond their control.

SRV records have demonstrated the inability of roots to ensure 
applications mitigate extraneous traffic. Expanding upon this 
failure seems sure to result in a growing number of wildcard MX 
records targeting roots. Negative caching of randomly spoofed 
domains might not be an effective control. It seems unwise to 
encourage a greater use of wildcard records that target roots.

I agree with Doug. The most reasonable course of action would be an 
IETF document, perhaps a BCP, that indicates SMTP transports should 
ONLY do MX lookups to find the mail server for a domain, and not fall 
back on A records. I'd endorse this, and would work on such a 
document if there were interest. The big question is whether it would 
be done in DNSOP, since it affects how DNS records are interpreted, 
or in the defunct SMTP group's list, since it affects how mail 
servers interpret DNS information.

I specifically do NOT agree with the "MX 0 ." approach, and do not 
see any reason why this would be a better solution than simply not 
having MX records at all. True, during implementation of an MX 
requirement, some portion of sites might have difficulty receiving 
email until they add an MX record. But adding MX records is a 
well-known process, and the effort for those domains that haven't 
bothered with them in the past will not be onerous.

Daniel the reason is simple - because defining an MX 0 shows a specific intent. Having no MX record at all shows sloppy domain management and that there was no properly formed domain profile in the master public lookups, i.e. DNS. By the way NEA desperately needs the ability to find an MX service in its operations IMHO.

So the idea is that there really isn't a need to make the world a 
better place for sloppy domain admins, but that there is a need to 
properly define the positive and negative status of any domain element.

"Proper" is in the eye of the beholder. I happen to think it's more "proper" for a NODATA response to an MX query to signal the absence of mail deliverability to a particular domain, which it unambiguously and with "specific intent" does if and when the A/AAAA failover is removed from the SMTP specification.

I'll note that the only subset of domain admins who would be negatively 
impacted by the removal of A/AAAA failover from SMTP, are those who are 
currently receiving mail by forcing clients to perform that failover. 
The polite and courteous thing is to provide MX records regardless, to 
save the mail clients one or more lookups. Is there a need to make the 
world a better place for impolite and/or discourteous domain admins?

I hereby register my support of removing A/AAAA failover from the SMTP 
specification (not that it carries much weight here on DNSOP, I 
realize), and my opposition to imbuing a certain MX target, namely, the 
root name, with a "special meaning" in this context, because a) these 
"special meaning" records use up resources that a NODATA response does 
not, and b) whenever the "special meaning" is -- as it is inexorably -- 
misinterpreted, or misunderstood, it results in more "junk" query 
traffic to the root nameservers.
-Kevin

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
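
An added example (not part of the original thread) that models the three sender behaviours debated above: A/AAAA fallback, "MX 0 ." read as no service, and MX-only delivery. The function name, policy names and the example.test records are constructed for illustration, and no DNS queries are made.

```python
# Added example: constructed DNS answers, no network lookups are made.
from enum import Enum


class Policy(Enum):
    A_FALLBACK = "fall back to A/AAAA when no MX exists; '.' is just a host"
    NULL_MX = "A/AAAA fallback kept, but 'MX 0 .' means no SMTP service"
    MX_REQUIRED = "MX only: NODATA for MX means no SMTP service"


def smtp_targets(domain, mx_rrset, has_address, policy):
    """Return (targets, extra_queries) for one delivery attempt.

    mx_rrset      -- list of (preference, exchange); [] models NODATA
    has_address   -- whether the domain itself owns an A/AAAA record
    targets       -- hosts to try in order; [] means "no mail service"
    extra_queries -- follow-up address lookups the sender issues,
                     including any query for "." (the root name)
    """
    if mx_rrset:
        if list(mx_rrset) == [(0, ".")] and policy is Policy.NULL_MX:
            return [], []                 # explicit "no service": stop here
        hosts = [exchange for _, exchange in sorted(mx_rrset)]
        # A sender that gives "." no special meaning resolves it like
        # any other exchange, which is a query aimed at the root.
        return hosts, [f"A/AAAA {h}" for h in hosts]
    if policy is Policy.MX_REQUIRED:
        return [], []                     # NODATA is the negative signal
    # No MX and fallback allowed: one more lookup on the domain itself.
    return ([domain] if has_address else []), [f"A/AAAA {domain}"]


def compare(domain, mx_rrset, has_address):
    """Evaluate the same DNS data under all three policies."""
    return {p.name: smtp_targets(domain, mx_rrset, has_address, p)
            for p in Policy}


if __name__ == "__main__":
    cases = {
        "MX 0 . published": [(0, ".")],
        "no MX (NODATA)": [],
        "normal MX set": [(20, "b.example.test"), (10, "a.example.test")],
    }
    for label, mx in cases.items():
        print(label)
        for name, (targets, queries) in compare("example.test", mx, True).items():
            print(f"  {name:12} targets={targets} extra_queries={queries}")
```

Only the "MX 0 ." row under a sender that does not implement the special meaning produces an address query for ".", which is the root-traffic concern raised in the thread.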
