Todd Glassey wrote:
Daniel Senie wrote:
On Apr 14, 2009, at 2:54 AM, Douglas Otis wrote:
On Apr 13, 2009, at 7:01 PM, Mark Andrews wrote:
If a application is doing the wrong thing w.r.t. SRV records then
fix the application. The root servers can handle a A and AAAA
queries for ".". Most cache's will correctly
negatively cache such responses.
As for "MX 0 ." the sooner this gets defined as no SMTP service for
this domain the better. The cost for changing this is only every
going to increase.
It may take years before a significant portion of SMTP servers
recognize root domains as meaning no service. An alternative would
be to require MX records to assert SMTP service. A positive
assertion will not impose additional burdens on root servers, but
will necessitate explicit DNS provisions to exchange SMTP messages.
With 19 out of 20 messages being abusive and largely from
compromised systems, requiring a domain to assert their intent to
exchange public SMTP messages will encourage adoption without
burdening root servers with strategies sure to generate extraneous
traffic beyond their control.
SRV records have demonstrated the inability of roots to ensure
applications mitigate extraneous traffic. Expanding upon this
failure seems sure to result in a growing number of wildcard MX
records targeting roots. Negative caching of randomly spoofed
domains might not be an effective control. It seems unwise to
encourage a greater use of wildcard records that target roots.
I agree with Doug. The most reasonable course of action would be an
IETF document, perhaps a BCP, that indicates SMTP transports should
ONLY do MX lookups to find the mail server for a domain, and not fall
back on A records. I'd endorse this, and would work on such a
document if there were interest. The big question is whether it would
be done in DNSOP, since it affects how DNS records are interpreted,
or in the defunct SMTP group's list, since it affects how mail
servers interpret DNS information.
I specifically do NOT agree with the "MX 0 ." approach, and do not
see any reason why this would be a better solution than simply not
having MX records at all. True, during implementation of an MX
requirement, some portion of sites might have difficulty receiving
email until they add an MX record. But adding MX records is a
well-known process, and the effort for those domains that haven't
bothered with them in the past will not be onerous
Daniel the reason is simple - because defining a MX 0 shows a specific
intent. Having no MX record at all shows sloppy domain management and
that there was no properly formed domain profile in the master public
lookup's, i.e. DNS. By the way NEA desparately needs the ability to
find a MX service in its operations IMHO.
So the idea is that there really isnt a need to make the world a
better place for sloppy domain admin's, but that there is a need to
properly define the positive and negative status of any domain element
"Proper" is in the eye of the beholder. I happen to think it's more
"proper" for a NODATA response to an MX query to signal the absence of
mail deliverability to a particular domain, which it unambiguously and
with "specific intent" does if and when the A/AAAA failover is removed
from the SMTP specification.
I'll note that the only subset of domain admins who would be negatively
impacted by the removal of A/AAAA failover from SMTP, are those who are
currently receiving mail by forcing clients to perform that failover.
The polite and courteous thing is to provide MX records regardless, to
save the mail clients one or more lookups. Is there a need to make the
world a better place for impolite and/or discourteous domain admins?
I hereby register my support of removing A/AAAA failover from the SMTP
specification (not that it carries much weight here on DNSOP, I
realize), and my opposition to imbuing a certain MX target, namely, the
root name, with a "special meaning" in this context, because a) these
"special meaning" records use up resources that a NODATA response does
not, and b) whenever the "special meaning" is -- as it is inexorably --
misinterpreted, or misunderstood, it results in more "junk" query
traffic to the root nameservers.
-Kevin
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop