[policy] When Tech Meets Policy...
Mark Andrews
Mark_Andrews at isc.org
Wed Aug 15 05:22:11 UTC 2007
> On Wed, 2007-08-15 at 11:58 +1000, Mark Andrews wrote:
>
> > > Accepting messages from a domain lacking MX records might be risky
> > > due to the high rate of domain turnovers. Within a few weeks,
> > > more than the number of existing domains will have been added and
> > > deleted by then. Spammers take advantage of this flux. SMTP
> > > server discovery via A records is permitted and should be
> > > deprecated.
> >
> > All it would require is a couple of large ISP's to adopt
> > such a policy. "MX 0 <self>" really is not hard and benefits
> > the remote caches.
>
> Agreed. While some suggest deprecating A record discovery requires
> adoption by a standards body, it really only requires a few ISPs to make
> their intentions public. A small minority of domains lacking an MX
> record are likely to comply quickly. At that point, adoption by a
> standards body becomes possible. It is rare to find a standards body
> willing to impose additional requirements on email, but this is a case
> where such a requirement is clearly necessary.
>
> From that point forward, spammers would be less able to take advantage
> of domains in flux, and policy schemes would be far less perilous for
> roots or second level domains.
>
> > > Once MX records are adopted as an _acceptance_
> > > requisite, domains not intended to receive or send email would be
> > > clearly denoted by the absence of MX records. SMTP policy
> > > published adjacent to MX records also eliminates a need for email
> > > policy "discovery" as well. Another looming problem.
> >
> > Better yet use MX records to signal that you don't want to
> > receive email e.g. "MX 0 .". It has additional benefits
> > in that it is *much* smaller to cache than a negative
> > response. It's also smaller to cache than an A record.
> >
> > Since all valid email domains are required to have a working
> > postmaster you can safely drop any email from such domains.
>
> Use of root "." as a name for a target may create undesired non-cached
> traffic when applications unaware of this convention then attempt to
> resolve an address for servers named root.
All modern iterative resolvers are required to support
negative caching.
> The use of root as a convention will complicate a general strategy
> identifying adoption of a protocol by publication of a discovery
> record. The use of root as a target name in SRV records has been
> problematic, although this convention was defined for SRV records at the
> outset.
> Using an MX record to mean "no email is accepted" by naming the
> target 'root' changes the meaning of the MX record.
Not really. It's entirely consistent with existing DNS
usage where "." is a domain name / hostname place holder.
Lots of RR types use "." to indicate non-existence.
> It is also not clear
> whether the root target would mean "no email is sent" as well.
That is, I'll agree, more of an issue but no one can reasonably
expect people to accept non-repliable email.
> A clearer and safer strategy would be to insist that anyone who cares
> about their email delivery, publish a valid MX record. Especially when
> the domain is that of a government agency dealing with emergencies. At
> least FEMA now publishes an MX record. This requirement should have
> been imposed long ago. : )
I much prefer positive data vs the absence of data to make a
decision. "MX 0 ." is a definitive response saying you don't
want email.
> -Doug
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
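The acceptance policy argued over above (reject senders with no MX, treat "MX 0 ." as "no mail"), as an added example that is not part of the thread and not code from ISC or NANOG. The DNS data below is constructed for the example; the lookup function is a stand-in for a real resolver query, and the "null MX" handling follows the convention Mark describes, which was later standardized as RFC 7505. The `a_fallback` flag switches between the RFC 5321 implicit-MX behaviour (accept on an A record alone) and the stricter policy proposed in the thread.

```python
from typing import Tuple

# Constructed sample DNS data for this example (not real zones): maps
# (owner name, RR type) to its record set. MX records are (preference, target).
SAMPLE_DNS = {
    ("isp.example.", "MX"): [(0, "isp.example.")],     # "MX 0 <self>" as suggested in the thread
    ("isp.example.", "A"): ["192.0.2.10"],
    ("nomail.example.", "MX"): [(0, ".")],             # null MX: "MX 0 ." means "no mail here"
    ("legacy.example.", "MX"): [],                     # no MX at all; only the A-record fallback
    ("legacy.example.", "A"): ["192.0.2.20"],
    ("parked.example.", "MX"): [],                     # neither MX nor A
    ("mixed.example.", "MX"): [(10, "mx1.example."), (0, ".")],  # malformed: "." beside a real target
}


def sample_lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query (hypothetical); empty list models NXDOMAIN/NODATA."""
    return SAMPLE_DNS.get((name, rrtype), [])


def classify_sender_domain(domain: str, lookup=sample_lookup,
                           a_fallback: bool = True) -> Tuple[str, str]:
    """
    Decide whether to accept mail whose envelope sender is @domain.

    Returns (verdict, reason), verdict being "accept" or "reject":
    - exactly one MX with preference 0 and target "." is a null MX: reject;
    - any other non-empty MX set: accept via the lowest-preference targets,
      ignoring stray "." targets, which cannot be delivered to;
    - no MX: accept only when a_fallback is True and an A record exists
      (the RFC 5321 implicit-MX rule the thread proposes deprecating).
    """
    name = domain.rstrip(".").lower() + "."
    mx = lookup(name, "MX")
    if mx:
        if len(mx) == 1 and mx[0] == (0, "."):
            return ("reject", "null MX published: domain accepts no mail")
        usable = [(pref, tgt) for pref, tgt in mx if tgt != "."]
        if not usable:
            return ("reject", "MX set contains only '.' targets")
        best = min(pref for pref, _ in usable)
        targets = sorted(tgt for pref, tgt in usable if pref == best)
        return ("accept", "MX targets at preference %d: %s" % (best, ", ".join(targets)))
    if a_fallback and lookup(name, "A"):
        return ("accept", "no MX; implicit MX from A record (RFC 5321 fallback)")
    if a_fallback:
        return ("reject", "no MX and no A record")
    return ("reject", "no MX and A-record fallback is disabled by policy")


if __name__ == "__main__":
    for d in ("isp.example", "nomail.example", "legacy.example", "parked.example", "mixed.example"):
        print(d, classify_sender_domain(d), classify_sender_domain(d, a_fallback=False))
```

The null-MX test deliberately requires the record to be the only MX; a zone that mixes "." with a real target is treated as an ordinary (if sloppy) MX set, so a stray null entry cannot silently cause a real mail domain to be rejected.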