IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-appsawg-nullmx-05.txt> (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

Mark Andrews <marka@isc.org> Sat, 19 July 2014 00:40 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 881E41A02EE; Fri, 18 Jul 2014 17:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYWL5yD54i8I; Fri, 18 Jul 2014 17:40:15 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C03391A019B; Fri, 18 Jul 2014 17:40:15 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 978971FCB16; Sat, 19 Jul 2014 00:40:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5AC96160064; Sat, 19 Jul 2014 00:49:06 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id F4091160052; Sat, 19 Jul 2014 00:49:05 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D59EE1A8457C; Sat, 19 Jul 2014 10:40:09 +1000 (EST)
To: Tony Finch <dot@dotat.at>
From: Mark Andrews <marka@isc.org>
References: <20140703190347.24899.45193.idtracker@ietfa.amsl.com> <7140A115A74391DED82A2028@JcK-HP8200.jck.com> <53C8394A.6080508@dcrocker.net> <20140717233517.42A2F1A71CFD@rock.dv.isc.org> <93F32648FD67AE6ABAC47300@JcK-HP8200.jck.com> <alpine.LSU.2.00.1407181417200.10413@hermes-1.csi.cam.ac.uk> <53C92542.90303@redbarn.org> <alpine.LSU.2.00.1407181500530.13901@hermes-1.csi.cam.ac.uk> <587B02E3-3E3D-4612-8E0D-37C14F8A0A50@ogud.com> <3F6D81F469FB45B1D6B2C327@JcK-HP8200.jck.com> <alpine.LSU.2.00.1407182019070.28941@hermes-1.csi.cam.ac.uk>
In-reply-to: Your message of "Fri, 18 Jul 2014 20:39:06 +0100." <alpine.LSU.2.00.1407182019070.28941@hermes-1.csi.cam.ac.uk>
Date: Sat, 19 Jul 2014 10:40:09 +1000
Message-Id: <20140719004009.D59EE1A8457C@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/YoZYPTLHEW9YTqSqj5SDdUQPJqY
Cc: John C Klensin <john-ietf@jck.com>, Paul Vixie <paul@redbarn.org>, dnsop@ietf.org, John Levine <johnl@taugh.com>, iesg@ietf.org
Subject: Re: [DNSOP] Last Call: <draft-ietf-appsawg-nullmx-05.txt> (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jul 2014 00:40:17 -0000

In message <alpine.LSU.2.00.1407182019070.28941@hermes-1.csi.cam.ac.uk>, Tony F
inch writes:
> 
> John C Klensin <john-ietf@jck.com> wrote:
> >
> > If a particular SMTP implementation is aware of and follows the spec,
> > almost any consensus indicator that doesn't conflict with other things
> > should be fine --
> 
> There are actually more constraints than you imply in your message.
> 
> > "."
> 
> Has the advantage of being implemented and deployed. Has the disadvantage
> of directing useless queries to the root name servers from MTAs that do
> not understand null MX records.
> 
> > "*******"
> 
> MX target names should obey the LDH host name rules. You won't be able to
> enter this target into many DNS admin tools since they enforce LDH syntax.
> Some nameservers (e.g. BIND) will by default refuse to load a zone with
> a non-hostname MX target.
> 
> This loses the advantages of a "." target and fails to keep useless
> queries away from the root name servers.

"." is a place holder exception.  Below is a minimal zone with a MX with all
the domains set to ".".  Named will load "MX 0 ." fine.  "." prevents lots
of the internal checks at load time from triggering.

% named-checkzone zone zone
zone:1: no TTL specified; using SOA MINTTL instead
zone zone/IN: loaded serial 0
OK
% cat zone
@ SOA . . 0 0 0 0 0
@ NS .
@ MX 0 .
% 

"MX 0 ." is also consistent with "SRV 0 0 0 ." which is documented.

"no-mail.invalid" however will elicit a warning / failure depending
upon what the error level is set to.  Named-checkzone looks up every
MX target and check for A or AAAA records with the exception of
".".  It also checks that they are syntactically valid hostnames.
It also tries to determine if a IPv4 address has been used instead
of a hostname by mistake.

% named-checkzone zone zone
zone:1: no TTL specified; using SOA MINTTL instead
zone zone/IN: zone/MX 'no-mail.invalid' (out of zone) has no addresses records (A or AAAA)
zone zone/IN: loaded serial 0
OK
% cat zone
@ SOA . . 0 0 0 0 0
@ NS .
@ MX 0 no-mail.invalid.
% 

"." is a really good exception marker.  It is also the minimal
exception marker we can have.

> > a special name in example.com or example.net,
> 
> These domains are reserved for use in examples, not for production
> purposes. Are their name servers scaled up enough to handle stray
> queries from MTAs that don't understand null MX records?
> 
> This question applies to any non-"." target. The reason I suggested using
> AS112 was because it is designed for sinking unwanted queries that should
> not have leaked out in the first place. But I still prefer to stick with
> ".".
> 
> > Since SMTP prohibits non-ASCII domain names, one might even consider
> > something Like "=D1=84=D0=B8=D0=BA=D1=82=D0=B8=D0=B2=D0=BD=D1=8B=D0=B9.ex=
> ample.com" or "=E8=99=9A=E5=81=87.example.com" (literally,
> > not as IDNA A-labels) which would cause many SMTP servers to do
> > something nasty that does not involve the DNS.
> 
> You are muddling up the IDNA layers here. The MX target comes from the DNS
> so if you try to put an IDNA name there it has to be encoded as an A-label
> before you put it in the DNS. If you try hard you can put un-encoded UTF-8
> in the DNS, but then it would violate the hostname rules in a similar way
> to "*******".
> 
> It is likely that there are MTAs which do not check that MX targets
> actually obey hostname syntax, so this kind of hack is not going to
> reliably suppress lookups.
> 
> > They will certainly do lookups; how far they will get and whether they
> > will requeue and try again depends somewhat on the string chosen
> 
> I think it depends more on the MTA's and/or postmaster's attitude to DNS
> misconfiguration. Some are quicker to permfail than others.
> 
> Tony.
> --=20
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Irish Sea: South or southeast 4 or 5, becoming variable 3 or 4. Moderate
> becoming slight. Rain or thundery showers, fog patches. Moderate or good,
> occasionally very poor.
> --1870869256-999632820-1405712346=:28941
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> --1870869256-999632820-1405712346=:28941--
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email