Re: Faux wildcards
Pekka Savola <pekkas@netcore.fi> Sun, 16 January 2005 06:08 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23470 for <dnsext-archive@lists.ietf.org>; Sun, 16 Jan 2005 01:08:54 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.43 (FreeBSD)) id 1Cq3VK-000LSc-QJ for namedroppers-data@psg.com; Sun, 16 Jan 2005 06:03:14 +0000
Received: from [193.94.160.1] (helo=netcore.fi) by psg.com with esmtp (Exim 4.43 (FreeBSD)) id 1Cq3VJ-000LSG-2J for namedroppers@ops.ietf.org; Sun, 16 Jan 2005 06:03:13 +0000
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id j0G633n28907; Sun, 16 Jan 2005 08:03:03 +0200
Date: Sun, 16 Jan 2005 08:03:03 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: John R Levine <johnl@iecc.com>
cc: DNS whizzes <namedroppers@ops.ietf.org>
Subject: Re: Faux wildcards
In-Reply-To: <Pine.BSI.4.56.0501150110120.6851@tom.iecc.com>
Message-ID: <Pine.LNX.4.61.0501160749360.28480@netcore.fi>
References: <Pine.BSI.4.56.0501150110120.6851@tom.iecc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on psg.com
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.1
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
On Sun, 15 Jan 2005, John R Levine wrote:
> I've been working on CSV, a simple scheme for HELO/EHLO authentication
> with Dave Crocker and some other people. By far the knottiest question
> we've been wrestling with is if and how to do wildcard-like things.
>
> For CSV we're using repurposed SRV records. They have the fields we need,
> they're widely supported by DNS software, including software written in
> the Seattle suburbs, and the name prefixes that all SRV records have avoid
> collisions.
[...]

If you want to do a wildcard-like thing, maybe wildcards are the answer, but not necessarily in the place you were thinking of using them..

I don't think this answers your actual question, but people have deployed a mechanism where information is stored in the reverse DNS; you'd create explicit records for the valid IP addresses of mail servers, and use wildcards to cover the rest with "don't accept mail from here" records.

And if the record for mail servers was actually specified to be a pointer to the forward DNS, that could also provide a means to give information on what the EHLO string should be, e.g.,

  *.3.4.in-addr.arpa.    MAIL-EHLO  [some encoding to say "nope."]
  1.2.3.4.in-addr.arpa.  MAIL-EHLO  good.example.com.

then if you wanted to "verify" (though I'm not sure what this would actually verify..), you could do a second lookup for:

  _client._smtp.good.example.com.

which would have to point at 4.3.2.1

This avoids having to walk down or up the tree.

Take a look at:

  draft-durand-naptr-service-discovery-00.txt

I don't quite understand why you'd want to look up the EHLO string, instead of getting the information from the IP address; an attacker can make the EHLO arbitrary and make all kinds of attacks, but an IP address has a fixed format and is hopefully (in this kind of TCP session) difficult to spoof.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
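The reverse-tree scheme sketched in the message above, worked through as an added example that is not part of the original post or of CSV: a receiving MTA computes the in-addr.arpa name of the connecting client, looks up the (hypothetical) MAIL-EHLO record there, and, if that record names a host, confirms that `_client._smtp.<host>` points back at the client address. The zone data is constructed; "MAIL-EHLO" and the rdata "NOPE" stand in for the message's hypothetical record type and its "some encoding to say nope" placeholder; the lookup function applies ordinary DNS wildcard matching (RFC 4592 closest-encloser rules) rather than naive suffix matching, since that decides which addresses the `*.3.4.in-addr.arpa.` record really covers.

```python
import ipaddress

# Constructed toy zone data, not live DNS: owner name -> list of (rtype, rdata).
# "MAIL-EHLO" is the hypothetical record type from the message; "NOPE" stands in
# for its "[some encoding to say 'nope.']" placeholder. The liar.example.com
# entries are added here to show a forward record that does not point back.
ZONE = {
    "*.3.4.in-addr.arpa.":             [("MAIL-EHLO", "NOPE")],
    "1.2.3.4.in-addr.arpa.":           [("MAIL-EHLO", "good.example.com.")],
    "5.2.3.4.in-addr.arpa.":           [("MAIL-EHLO", "liar.example.com.")],
    "_client._smtp.good.example.com.": [("A", "4.3.2.1")],
    "_client._smtp.liar.example.com.": [("A", "192.0.2.99")],
}


def reverse_name(ip: str) -> str:
    """IPv4 address -> its in-addr.arpa owner name (octets reversed)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def name_exists(name: str) -> bool:
    """A name exists in the zone if it owns records or is an empty
    non-terminal, i.e. some owner name lies beneath it."""
    return any(owner == name or owner.endswith("." + name) for owner in ZONE)


def lookup(name: str, rtype: str) -> list:
    """Exact match first. Otherwise apply RFC 4592 wildcard rules: find the
    closest encloser (nearest existing ancestor) and use the wildcard directly
    beneath it, if any. A wildcard does NOT cover names under an existing
    sibling subtree, which is the classic wildcard surprise."""
    if name in ZONE:
        return [rd for rt, rd in ZONE[name] if rt == rtype]
    labels = name.split(".")
    # labels ends with "" for the root; stop before the root itself
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor):
            wildcard = "*." + ancestor
            return [rd for rt, rd in ZONE.get(wildcard, []) if rt == rtype]
    return []


def check_client(ip: str, ehlo: str) -> tuple:
    """Two-step check from the message: reverse record first, then a forward
    lookup that must point back at the connecting address.
    Returns (verdict, reason)."""
    policy = lookup(reverse_name(ip), "MAIL-EHLO")
    if not policy:
        return ("unknown", "no MAIL-EHLO policy published for this address")
    target = policy[0]
    if target == "NOPE":
        return ("reject", "address covered by the 'don't accept mail from here' wildcard")
    if ehlo.rstrip(".").lower() != target.rstrip(".").lower():
        return ("reject", "EHLO %r does not match published name %r" % (ehlo, target))
    if ip not in lookup("_client._smtp." + target, "A"):
        return ("reject", "_client._smtp.%s does not point back at %s" % (target, ip))
    return ("accept", "reverse and forward records agree")


if __name__ == "__main__":
    for ip, ehlo in [("4.3.2.1", "good.example.com"), ("4.3.9.9", "anything"),
                     ("4.3.2.9", "anything"), ("4.3.2.5", "liar.example.com")]:
        print(ip, ehlo, "->", check_client(ip, ehlo))
```

Running it shows the point worth knowing before deploying such a scheme: 4.3.9.9 is rejected by the wildcard, but 4.3.2.9 comes back "unknown", because `2.3.4.in-addr.arpa.` already exists as an empty non-terminal (it sits above the explicit 1.2.3.4 record) and the wildcard at `*.3.4.in-addr.arpa.` does not match names beneath an existing node. Covering those addresses needs a second wildcard at `*.2.3.4.in-addr.arpa.`, and the same holds for every /24 in which one explicit record is published.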