Discovering policy

>
>>>
>>> Since all valid email domains are required to have a working
>>> postmaster you can safely drop any email from such domains.
>>
>> Use of root "." as a name for a target may create undesired non-
>> cached traffic when applications unaware of this convention then
>> attempt to resolve an address for servers named root.
>
> All modern iterative resolvers are required to support negative
> caching.

Indeed, RFC 2308 changed negative caching support from optional for
any caching resolver. Those that have negative caching may
significantly truncate the duration. There are several websites
recommending negative caching be disabled to permit faster recovery
from intermittent negative answers. In other words, a negative
answer is less likely to have been cached. Use of root target names
will impact roots in cases where:

- an assumption of negative caching is wrong,
- for MX records where the root name convention is not in place.

With email, transaction rates are high and highly distributed which
tends to diminish negative caching protections.

>> The use of root as a convention will complicate a general strategy
>> identifying adoption of a protocol by publication of a discovery
>> record. The use of root as a target name in SRV records has been
>> problematic, although this convention was defined for SRV records
>> at the outset.
>
>> Using an MX record to mean "no email is accepted" by naming the
>> target 'root' changes the meaning of the MX record.
>
> Not really. It's entirely consistant with existing DNS usage
> where "." is a domain name / hostname place holder.
>
> Lots of RR types use "." to indicate non-existance.

Yes, and this convention still generates nuisance root traffic
whenever the application fails to comprehend "." is a special
target. This is true even when _defined_ as a special target for the
specific resource record, as with SRV. In the case of an MX record,
there is _no_ such definition.

  So we write a RFC. That I though was implicit.

  If you have applications which don't honour SRV's "."
  processing rules report the bug.

>> It is also not clear whether the root target would mean "no email
>> is sent" as well.
>
> That is, I'll agree, more of a issue but no one can reasonably
> expect people to accept non-repliable email.

That would have been made clear by simply requiring MX records for
acceptance!

>> A clearer and safer strategy would be to insist that anyone who
>> cares about their email delivery, publish a valid MX record.
>> Especially when the domain is that of a government agency dealing
>> with emergencies. At least FEMA now publishes an MX record. This
>> requirement should have been imposed long ago. : )
>
> I much prefer positive data vs the absence of data to make a
> decision. "MX 0 ." is a definitive response saying you don't want
> email.

Not having an SMTP server and no MX record provides a clear
indication of a policy "I don't want email."

  Which requires a SMTP server to attempt the TCP connection.
  It also requires the SMTP server to re-try until it times
  out the messages which could be days.

  SPF is optional. MX processing is NOT optional.

  Most SMTP client will fail immediately if they get a
  positive indication that there are no address records
  for the MX. Fixing them not to ask the question is
  a optimisation.

Policy will often
require a greater amount of information.

  This is a simple binary decision. I want email for this
  domain or not.

To discovery policy must
the entire domain be queried?

  You have the name. It has a address. You don't want email to
  be sent there. You add a single MX record next to the address.
  No seaching. Just direct query.

A wildcard MX record and root name
convention exposes a domain to an SPF script attack, where a
different convention is expected for no email.

  No the presence of the record with "." as the MX target
  would stop all further processing. You don't go to
  SPF processing as the source address is non repliable.

Yes, and this convention still generates nuisance root traffic whenever the application fails to comprehend "." is a special target. This is true even when _defined_ as a special target for the specific resource record, as with SRV. In the case of an MX record, there is _no_ such definition.

So we write a RFC. That I though was implicit.

Do not depend upon applications not to resolve addresses for root names, even when a convention is explicit. Depending upon root answers to support a protocol feature unrelated to DNS is normally considered a design mistake isn't it?

If you have applications which don't honour SRV's "." processing rules report the bug.

Even Paul Vixie, the author, will likely agree the RFC has the "bug".

Not having an SMTP server and no MX record provides a clear indication of a policy "I don't want email."

Which requires a SMTP server to attempt the TCP connection. It also requires the SMTP server to re-try until it times out the messages which could be days.

Who would be motivated in making the change? Trying every address record is unsuitable for today's email environment. Its time for a change.

SPF is optional. MX processing is NOT optional.

MX records should not optional, but they are.

Most SMTP client will fail immediately if they get a positive indication that there are no address records for the MX. Fixing them not to ask the question is a optimisation.

Publishing wildcard MX root records everywhere represents a poor and possibly hazardous solution.

Policy will often require a greater amount of information.

This is a simple binary decision. I want email for this domain or not.

A policy may need to express whether the domain signs some or all of their outbound messages. Not very binary is it?

To discovery policy must the entire domain be queried?

You have the name. It has a address. You don't want email to be sent there. You add a single MX record next to the address. No seaching. Just direct query.

Policy is not normally published for inbound traffic. SMTP extensions negotiate inbound policy requirements. However, policy could be essential for outbound traffic. A domain name might be the subject of phishing attacks. How policy is applied must ensure even sub-domains are covered.

A safe strategy for applying an outbound message policy is to:

- check whether there is a discovery (MX) record

- no discovery record, refuse the message

- check whether a policy record is adjacent to the discovery record

- no policy record, there is no policy

A wildcard MX record and root name convention exposes a domain to an SPF script attack, where a different convention is expected for no email.

No the presence of the record with "." as the MX target would stop all further processing.

The SPF script processing is looking for address matches, which may or may not include those within the MX record. SPF libraries might not quit after hundreds of no answers. This behavior is just one of the reasons these libraries are hazardous. Remember an outbound path may not be the same as the inbound.

You don't go to SPF processing as the source address is non repliable.

When the originating domain fails to offer a discovery record? Section 5.1 of the updated version of 2821 allows A or AAAA when there is no MX. This allowance must become obsolete and the process ends when there is no MX record. This means one does not have to wait for unmotivated domain owners to adopt the MX root strategy. Instead, those wishing to have their email accepted have a powerful motivation to publishing a valid MX record. At that point, much sooner than for your scheme, no MX will then mean no acceptance or will indicate where policy can be found.

Your scheme now means that:
  - both the MX root records must be wildcards published at every existing node
  - policy records must also be wildcards published at every existing node
  - or the recipient must walk up the domain

Your scheme will not scale, especially when replicated by other protocols. This approach risks root and second level domains. However, policy at the discovery record can scale and is much safer.

-Doug

i wasn't reading this thread at all since i thought it was about discovering
policy, like the subject says. horror of horrors, it's about dns internals,
which means the thread is not only mislabelled, but also off-topic. i think
it could go to dnsop@ietf.org, namedroppers@ops.ietf.org, or perhaps even
dns-operations@lists.oarci.net. but it's a long way from being something
related to routers, and i think it should stop here.

dotis@mail-abuse.org (Douglas Otis) writes:

Section 5.1 of the updated version of 2821 allows A or AAAA
when there is no MX. This allowance must become obsolete and
the process ends when there is no MX record.

This idea is fundamentally flawed.

There is an assumption in the Internet that email is a universal
service. In otherwords, everyone can potentially be contacted via an RFC
822 et al. email address. Part of this fundamental assumption would
require every Internet connected domain to have some means of email
contact for various default addresses such as abuse@example.com. This
does not mean that domain owner must run an email server. They may rely
on someone else for email service and divert email with an MX record.
But if a domain exists to service a single point on the Internet, i.e. a
single server, then even if we say that domain owners MUST publish an MX
record, we should still be liberal in what we accept, and search for an
A or AAAA record to see if this device will possibly accept email for
the domain.

Note that there are other possible ways to change the email architecture
to accomplish what an MX record does today, but these things need to be
done from an architectural point of view, considering the entire email
architecture, not just point changes in one narrow area. It may be that
we can build a better email architecture if we remove the universal
email assumption. Or maybe we could remove anonymous email relaying to
any arbitrary port 25 with a system of email peering (like BGP or USENET
peering) based on prearranged agreements. In that case we may assume
that email to a domain can be delivered by looking at the last hop IP
address, checking the PTR and then doing an RR lookup for the
destination domain name. Or some sort of redirection protocol such as
HTTP so that every domain must have an A or AAAA record and that device
must accept connections and identify the correct email relay agent for
incoming messages to the domain.

The key to this is not to propose or make point changes in one narrow
area, but to open up the entire architecture, look at what works,
identify the areas that need to be fixed, agree on goals and then fix
all the weaks spots at once. Personally, I am tired of seeing solutions
to the SPAM problem. I don't agree that there is a SPAM problem with
email. Instead, we have an inconsistent email architecture that was
never designed as an integrated entity and this architecture does not
have an end-to-end chain of accountability built out of bilateral trust
arrangements. If we did have such a chain, then the ISP at the end of
the chain could escalate problems up the chain until they either resolve
it or discover a breakdown in trust. At that point, blocking email
becomes easier because all relays in the chain of accountability up to
the trust breakdown can be identified and mail can be blocked, returned
to sender, or whatever. There will be several orders of magnitude less
trusted links than there are email senders, i.e. there may be 2 billion
email senders but only 20,000 trusted mail relays worldwide.

This makes problem resolution far more scalable than in todays world
where any of those 2 billion email senders are allowed to send email to
any arbitrary email server. Flat architectures do not scale, hierarchy
does. The existing email architecture is largely flat. It needs to be
made hierarchical and therefore scalable.

I hestitate to get into any in-depth discussion on any particular
technical proposal because I believe all of them are fatally flawed as
long as we have no overall agreed email architecture. Today different
groups have different understandings of what the email architecture is.
People who like SPF don't see the same architecture as people who like
DKIM or people who like Bayesian filtering or people who like blacklists
or people who like whitelists or people who use Yahoo or Gmail. In this
schizoid environment all we do is force the criminal classes to get
smarter than us, and to increase their exploitation of us. In order to
bring order back into Internet email, we need to come together and agree
on what we want from email, what is a scalable Internet email
architecture, and only then, what needs to be changed to make it so.

--Michael Dillon