Re: Faux wildcards
Pekka Savola <pekkas@netcore.fi> Sun, 16 January 2005 06:03 UTC
From: Pekka Savola <pekkas@netcore.fi>
Subject: Re: Faux wildcards
Date: Sun, 16 Jan 2005 08:03:03 +0200
Lines: 51
References: <Pine.BSI.4.56.0501150110120.6851@tom.iecc.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: DNS whizzes <namedroppers@ops.ietf.org>
X-From: owner-namedroppers@ops.ietf.org Sun Jan 16 07:16:23 2005
Return-path: <owner-namedroppers@ops.ietf.org>
To: John R Levine <johnl@iecc.com>
In-Reply-To: <Pine.BSI.4.56.0501150110120.6851@tom.iecc.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071953.2560.52678.ARCHIVE@ietfa.amsl.com>
On Sun, 15 Jan 2005, John R Levine wrote:

> I've been working on CSV, a simple scheme for HELO/EHLO authentication
> with Dave Crocker and some other people.  By far the knottiest question
> we've been wrestling with is if and how to do wildcard-like things.
>
> For CSV we're using repurposed SRV records.  They have the fields we need,
> they're widely supported by DNS software, including software written in
> the Seattle suburbs, and the name prefixes that all SRV records have avoid
> collisions.

[...]

If you want to do wildcard-like things, maybe wildcards are the answer,
but not necessarily in the place you were thinking of using them..

I don't think this answers your actual question, but people have
deployed a mechanism where information is stored in the reverse DNS;
you'd create explicit records for the valid IP addresses of mail
servers, and use wildcards to cover the rest with "don't accept mail
from here" records.

And if the record for mail servers was actually specified to be a
pointer to the forward DNS, that could also provide a means to give
information on what the EHLO string should be, e.g.,

    *.3.4.in-addr.arpa.    MAIL-EHLO  [some encoding to say "nope."]
    1.2.3.4.in-addr.arpa.  MAIL-EHLO  good.example.com.

then if you wanted to "verify" (though I'm not sure what this would
actually verify..), you could do a second lookup for:

    _client._smtp.good.example.com.

which would have to point at 4.3.2.1

This avoids having to walk down or up the tree.

Take a look at:

    draft-durand-naptr-service-discovery-00.txt

I don't quite understand why you'd want to look up the EHLO string,
instead of getting the information from the IP address; an attacker can
make EHLO arbitrary and make all kinds of attacks, but the IP address has
a fixed format and is hopefully (in this kind of TCP session) difficult
to spoof.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
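The two-lookup scheme sketched in the message above, as an added example that is not part of the original post or of CSV: a constructed toy zone with an explicit MAIL-EHLO record for one mail server, a wildcard "nope" record covering the rest of the reverse tree, and the forward `_client._smtp` lookup that must point back at the connecting address. The `MAIL-EHLO` type, the record contents and the addresses are the message's hypothetical; the wildcard matching follows the RFC 4592 closest-encloser rule, which is an assumption about how such a zone would be served. It also shows the caveat a zone operator would want to know about: a wildcard does not cover names that sit under an existing sibling of the explicit record, so `*.3.4.in-addr.arpa.` says nothing about `9.2.3.4.in-addr.arpa.` once `1.2.3.4.in-addr.arpa.` exists.

```python
"""Toy model of reverse-DNS mail-server policy with wildcard "nope" records.

Constructed example data; MAIL-EHLO is a hypothetical record type from the
mailing-list message, not a registered DNS type.
"""
import ipaddress

# Constructed zone: owner name -> (rrtype, rdata).  One RRset per name.
ZONE = {
    "1.2.3.4.in-addr.arpa.": ("MAIL-EHLO", "good.example.com."),
    "1.5.3.4.in-addr.arpa.": ("MAIL-EHLO", "other.example.com."),  # no forward confirmation
    "*.3.4.in-addr.arpa.":   ("MAIL-EHLO", "nope."),  # "don't accept mail from here"
    "_client._smtp.good.example.com.": ("A", "4.3.2.1"),
}

NOPE = "nope."  # the encoding the message leaves open; chosen here for the example


def reverse_name(ip):
    """Map an IPv4 address to its in-addr.arpa owner name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def _ancestors(name):
    """Yield name itself, then each parent up to the root ('.')."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "." if labels[i:] else "."


def _name_exists(name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    if name == ".":
        return True
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner in ZONE)


def lookup(qname, qtype):
    """Exact match first; otherwise RFC 4592-style wildcard synthesis.

    The closest encloser is the longest existing ancestor of qname; the
    wildcard *.<closest encloser> is used if it exists, else the answer is
    None (NXDOMAIN / no data).
    """
    rr = ZONE.get(qname)
    if rr is not None:
        return rr[1] if rr[0] == qtype else None
    for ancestor in list(_ancestors(qname))[1:]:
        if _name_exists(ancestor):
            wild = ZONE.get("*." if ancestor == "." else "*." + ancestor)
            if wild is not None and wild[0] == qtype:
                return wild[1]
            return None
    return None


def check_client(ip, ehlo):
    """Apply the reverse lookup, then the forward confirmation lookup.

    Returns one of: "ok", "reject", "mismatch", "no-confirm", "unknown".
    """
    claim = lookup(reverse_name(ip), "MAIL-EHLO")
    if claim is None:
        return "unknown"        # no policy published for this address
    if claim == NOPE:
        return "reject"         # the wildcard says: don't accept mail from here
    if claim.rstrip(".").lower() != ehlo.rstrip(".").lower():
        return "mismatch"       # EHLO differs from what the reverse tree names
    back = lookup("_client._smtp." + claim, "A")
    if back != str(ipaddress.IPv4Address(ip)):
        return "no-confirm"     # forward tree does not point back at this address
    return "ok"


if __name__ == "__main__":
    for ip, ehlo in [("4.3.2.1", "good.example.com"),
                     ("4.3.6.5", "good.example.com"),
                     ("4.3.2.9", "good.example.com"),
                     ("4.3.2.1", "evil.example.com"),
                     ("4.3.5.1", "other.example.com")]:
        print(ip, ehlo, "->", check_client(ip, ehlo))
```

The `4.3.2.9` case is the one to notice: its reverse name `9.2.3.4.in-addr.arpa.` has closest encloser `2.3.4.in-addr.arpa.` (an empty non-terminal created by the explicit record), so the wildcard at `*.3.4.in-addr.arpa.` is never consulted and the client falls through to "unknown" rather than "reject". An operator publishing "nope" policy this way needs a wildcard under every label that holds an explicit record.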