fixing insecure email infrastructure (was: Re: [eweek article]

Mark Andrews Mark_Andrews at isc.org
Mon Jan 24 22:41:08 UTC 2005


> On Fri, Jan 14, 2005 at 10:05:05AM +1100, Mark Andrews wrote:
> > >What is wrong with MTAMARK?
> > 	As currently described it doesn't fit well with RFC 2317
> > 	style delegations.  They would need to be converted to use
> > 	DNAME instead of CNAME which requires all the delegating
> > 	servers to be upgraded to support DNAME.
> 
> How many legit mailservers get their revDNS from RFC 2317 style
> delegations?

	Lots.  I'm sure that there are lots of ISPs/IAPs on NANOG
	that do RFC 2317 style delegations for their customers.
	Every one of them would need to upgrade their servers to
	support DNAME.  Their clients would also need to upgrade
	their servers to support DNAME as they should be stealth
	servers of the parent zone, to allow local lookups to work
	when the external link is down.

	If you hace a RFC 2317 style delegation then you are almost
	certainly doing your own mail support in addition to your own
	DNS support.

> Marking hosts "MTA=no" is an addon for an explicit block.
>
> I'd assume most ISPs cannot simply mark their revDNS with "MTA=no"
> without changing contracts, but even adding "MTA=yes" would be of
> a lot of help.
> 
> And it is really easy and doesn't have any negative side effects ;-)
> 
> 	\Maex
> 
> -- 
> SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
> Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
> "The security, stability and reliability of a computer system is reciprocally
>  proportional to the amount of vacuity between the ears of the admin"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the NANOG mailing list