Re: [DNSOP] [apps-discuss] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

Nico Williams n...@cryptonector.com wrote:

 I think what you're objecting to is the section 4.3 and related text
 that conflates does not accept e-mail with does not send e-mail.

Section 4.3 describes what is already done by existing implementations of
this spec.

Exim in its default configuration validates the domain part of email
addresses and will reject mail if the sending domain does not exist or if
its MX records point to nonexistent hosts. Exim also recognizes null MX
records and suppresses the target A and  lookups and treats the domain
as invalid. However the null MX logic is just an optimization: Exim's
validation logic would get the same result if it tried to do the A and
 lookups and found that . does not have any addresses.

Postfix does the same if you use the reject_unknown_sender_domain option.

There are good reasons for rejecting mail from invalid domains, e.g.
because you would not be able to send a delivery failure report.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: Variable 3 or 4. Slight or moderate. Thundery showers later. Good,
occasionally poor later.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

Hi.

I have a few questions that I don't want to clutter the IETF
list about but about which I would hope DNS experts, especially
DNS root operations experts, would step in if they have
opinions.  IESG copied only for the record.   I want to stress
that these are questions: I may know enough to ask them but
can't even competently speculate on the answers.

The new specification proposes what is, in essence, a
convention.  If an SMTP-Sender (to use the original and very
precise terminology), while doing the required lookup for an MX
RR, encounters 

IN MX 0 .

it is expected to abort the message-sending process -- no
further lookups, not connection attempts, no queuing.  

At least in the near term, some SMTP Server (MTA)
implementations will conform to that rule (many already use it)
and some won't.   For the latter, they will presumably do what
the SMTP specs say to do.  In summary, that is to look up the
address(es) associated with the root and try to open a mail
connection to one of them.  When that connection fails
(presumably times out), the SMTP server may decide to try more
(or all) of the other addresses.  When all of those it chooses
to try fail, it is then required to queue the message, retrying
the process (potentially to all 13 root servers) at regular
intervals for an extended period of time.

It is impossible for me to estimate the actual likely volume of
such connection attempts.  I suggest that any such estimate
would be no better than a wild guess.  It is clear that the
requirement for retries and the number of root servers (i.e.,
that there is more than one address record) provides a
multiplier effect on the number of MTAs and misdirected messages
that do not follow the convention.

Given that the DNS configurations for some domains are using
this convention now, it should be possible to measure
present-day SMTP connection attempts to the root servers.  I
don't know if anyone has those data.  Because such attempts
could originate from multiple causes, it might also be hard to
interpret if it existed... beyond my experience.

So, three (obviously-related) questions:

(1) I understand that there have been concerns from time to time
about the load caused by spurious queries to the root servers.
These would not be spurious DNS queries (I assume primarily UDP)
but spurious TCP connections to a port that I assume no
contemporary root server uses to accept mail.  Is that potential
change in load an issue that anyone should be concerned about?

(2) Would you recommend that the root servers take any special
action to mitigate the potential problem?  Such action might
involve a port 25 responder that immediately closes connections
(at least reducing timeout waits), or a fake SMTP server that
would allow a connection to be opened, then immediately send a
5yz response to the SMTP sender.  If the SMTP specs are followed
by the sender, the latter would prevent attempts on other root
server address and the queuing behavior.  Either obviously
involves some additional resources.  

(3) Independent of the answer to the question above, does the
possibility of DNS operational impact as the result of this
convention merit comments in the I-D that are not now present
and, if so, what should be said?

Recommendation: if the participants in DNSOP consider either of
the above questions (and they are only questions) to be
significant, it may be worthwhile to ask the IESG to postpone a
decision on this document until this WG has an opportunity to
comment.

The above is obviously independent of the concerns about
terminology that I raised in my Last Call response.  As some of
you know, sloppy and ambiguous terminology in discussions of the
DNS has become a pet peeve of mine.  If no one else cares, or
cases enough to put effort into the problem -- even to prevent
new ambiguous usage from entering the vocabulary via IETF
standards track documents -- then I will go back to whining into
my beer and stop trying to waste other's time on the issues.

best,
 john

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Mark Andrews]

In message 93f32648fd67ae6abac47...@jck-hp8200.jck.com, John C Klensin writes
:
 Hi.
 
 I have a few questions that I don't want to clutter the IETF
 list about but about which I would hope DNS experts, especially
 DNS root operations experts, would step in if they have
 opinions.  IESG copied only for the record.   I want to stress
 that these are questions: I may know enough to ask them but
 can't even competently speculate on the answers.
 
 The new specification proposes what is, in essence, a
 convention.  If an SMTP-Sender (to use the original and very
 precise terminology), while doing the required lookup for an MX
 RR, encounters 
 
 IN MX 0 .
 
 it is expected to abort the message-sending process -- no
 further lookups, not connection attempts, no queuing.  
 
 At least in the near term, some SMTP Server (MTA)
 implementations will conform to that rule (many already use it)
 and some won't.   For the latter, they will presumably do what
 the SMTP specs say to do.  In summary, that is to look up the
 address(es) associated with the root and try to open a mail

No.  Lookup the address _at_ _the_ _root_.  This is _not_ the
addresses of the root servers.

 connection to one of them.  When that connection fails
 (presumably times out), the SMTP server may decide to try more
 (or all) of the other addresses.  When all of those it chooses
 to try fail, it is then required to queue the message, retrying
 the process (potentially to all 13 root servers) at regular
 intervals for an extended period of time.

What connection?  There are no addresses records at . so the MTA
returns a NDN.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

John C Klensin john-i...@jck.com wrote:

 IN MX 0 .

 At least in the near term, some SMTP Server (MTA)
 implementations will conform to that rule (many already use it)
 and some won't.   For the latter, they will presumably do what
 the SMTP specs say to do.  In summary, that is to look up the
 address(es) associated with the root and try to open a mail
 connection to one of them.

There are no addresses associated with the root, so the mail server will
immediately report a delivery error. RFC 5321 section 5.1 paragraph 2
final sentence.

The SMTP server will not try to connect to the root name servers, as your
message suggested.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: Variable 3 or 4, becoming northwesterly 5 or 6 for a time in east.
Slight or moderate. Rain or thundery showers. Good, occasionally poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Paul Vixie]

Tony Finch wrote:
 John C Klensin john-i...@jck.com wrote:
 IN MX 0 .

 At least in the near term, some SMTP Server (MTA)
 implementations will conform to that rule (many already use it)
 and some won't.   For the latter, they will presumably do what
 the SMTP specs say to do.  In summary, that is to look up the
 address(es) associated with the root and try to open a mail
 connection to one of them.

 There are no addresses associated with the root, so the mail server will
 immediately report a delivery error. RFC 5321 section 5.1 paragraph 2
 final sentence.

 The SMTP server will not try to connect to the root name servers, as your
 message suggested.

true as stated.

what's unstated here is that every SMTP sender who encounters such an MX
without understanding its new meaning will do two or three lookups: .
MX, [. ,] and . A. if they are behind an RDNS that doesn't do
negative caching (and there are many, though none of them are open
source; the open source RDNS servers do negative caching right) then
these two or three queries will flow through to the authority servers
for . which is to say the root name servers.

the long tail on old interpretation is between one and three decades.
(which is also why repurposing/redefining things like TCP/53 is
unworkable, as discussed separately.)

if IETF had rules, one of them should be, don't redefine things that are
in an existing datapath -- make a new datapath.

vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

--On Friday, July 18, 2014 23:18 +1000 Mark Andrews
ma...@isc.org wrote:

 At least in the near term, some SMTP Server (MTA)
 implementations will conform to that rule (many already use
 it) and some won't.   For the latter, they will presumably do
 what the SMTP specs say to do.  In summary, that is to look
 up the address(es) associated with the root and try to open a
 mail
 
 No.  Lookup the address _at_ _the_ _root_.  This is _not_ the
 addresses of the root servers.

I tried to make clear that I'm ignorant of many of the details
here, so, if there is no issue, I apologize for wasting people's
time. 

If the answer to those questions is not an issue, that is the
answer and the end of the discussion.

However, because I'm paranoid, let me mention an issue in
passing without any reason to believe that it is a problem in
practice.

For SMTP (and at least some other applications) there has always
been a question about what to do with DNS queries in mixed IPv4
and IPv6 environments when the application wants to get both
sets of addresses.  I vaguely remember an idea about a query
type of ADDEESS (or equivalent) that would return both A and
 RRs but, as far as I know, it didn't go anywhere.  If there
are best practices recommendations for applications writers in
this area, I don't think they have been widely disseminated in
the applications development community.  The poor bewildered
application author then has two choices, both of which appear to
be rational.  One is to issue two queries, one for A RRs and one
for , and then sort things out in the application.   The
other is to issue an ANY query and sort the relevant information
out from it.   I at least superficially understand the problems
with the latter and you obviously understand them much better.
But, should an application writer make that choice (and, again,
clear advice has not been broadly disseminated), a query for the
root does get back address records.

It is probably sensible to conclude that the number of
implementations that are that stupid doesn't make the issue
worth worrying about but that should be your conclusion, not
mine, because I am obviously out of my depth here.

john






___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

--On Friday, July 18, 2014 06:46 -0700 Paul Vixie
p...@redbarn.org wrote:

...
 There are no addresses associated with the root, so the mail
 server will immediately report a delivery error. RFC 5321
 section 5.1 paragraph 2 final sentence.
 
 The SMTP server will not try to connect to the root name
 servers, as your message suggested.
 
 true as stated.
 
 what's unstated here is that every SMTP sender who encounters
 such an MX without understanding its new meaning will do two
 or three lookups: . MX, [. ,] and . A. if they are
 behind an RDNS that doesn't do negative caching (and there are
 many, though none of them are open source; the open source
 RDNS servers do negative caching right) then these two or
 three queries will flow through to the authority servers for
 . which is to say the root name servers.

Paul,

Thanks.  I obviously got the question wrong but, if it
accidentally called attention to an issue that deserves even
minimal consideration, I don't mind looking and feeling stupid.
I obviously knew about the multiple queries but, by thinking
about this from an SMTP context, was more concerned about the
connection and queuing part of the problem.  

FWIW, many SMTP servers will deal with a negative answer from a
DNS query by queuing the message (for the historical reason that
a DNS change might not yet have caught up with the server
queried).  While the port 25 issue that I incorrectly focused on
will not arise, the two or three queries you mention might,
depending on the behavior of the resolver on which that SMTP
server calls, be repeated at each queue retry interval.

Again, I'm not competent to evaluate whether that is an issue or
not.


 thanks again,
john

p.s. Just one or two lookups against the root.  The sequence
would be an MX lookup for the putative mail delivery domain
(which should not affect the root servers), then . A and,
optionally, . , in either order.  While some
implementations have historically done it, SMTP (at least as of
RFC 5321) forbids doing an MX lookup on the information obtained
from the DATA of a prior MX query. 

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

Paul Vixie p...@redbarn.org wrote:

 what's unstated here is that every SMTP sender who encounters such an MX
 without understanding its new meaning will do two or three lookups: .
 MX,

No, MTAs do not look up MX records for MX targets.

 [. ,] and . A.

But they might do these lookups, yes.

If this is a worry for the root server operators (but I thought they had
said in the past that it doesn't pose a problem) then the draft could
specify a canonical address-less domain lower down the hierarchy, e.g.
empty.as112.arpa (making use of the AS112 DNAME proposal).

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Plymouth: South 4 or 5, becoming variable 3 or 4. Slight or moderate. Rain or
thundery showers. Good, occasionally poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Olafur Gudmundsson]

On Jul 18, 2014, at 10:18 AM, Tony Finch d...@dotat.at wrote:

 Paul Vixie p...@redbarn.org wrote:
 
 what's unstated here is that every SMTP sender who encounters such an MX
 without understanding its new meaning will do two or three lookups: .
 MX,
 
 No, MTAs do not look up MX records for MX targets.
 
 [. ,] and . A.
 
 But they might do these lookups, yes.
 
 If this is a worry for the root server operators (but I thought they had
 said in the past that it doesn't pose a problem) then the draft could
 specify a canonical address-less domain lower down the hierarchy, e.g.
 empty.as112.arpa (making use of the AS112 DNAME proposal).
 
 Tony.
 -

Many years ago Joe Abley and I suggested to create a special name for exactly 
this purpose
a name that was guaranteed to never exist in the DNS thus the first lookup 
would always return NXDOMAIN thus the A+ lookups would never take place. 
http://tools.ietf.org/html/draft-jabley-sink-arpa-03

Olafur

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John Levine]

Many years ago Joe Abley and I suggested to create a special name for exactly 
this purpose
a name that was guaranteed to never exist in the DNS thus the first lookup 
would always return NXDOMAIN thus the A+ lookups would never take place. 
http://tools.ietf.org/html/draft-jabley-sink-arpa-03

While I don't think it's relevant for this application, isn't that
what RFC 6761 defines invalid to be?

R's,
John

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [apps-discuss] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Ned Freed]

 Nico Williams n...@cryptonector.com wrote:
 
  I think what you're objecting to is the section 4.3 and related text
  that conflates does not accept e-mail with does not send e-mail.

 Section 4.3 describes what is already done by existing implementations of
 this spec.

 Exim in its default configuration validates the domain part of email
 addresses and will reject mail if the sending domain does not exist or if
 its MX records point to nonexistent hosts. Exim also recognizes null MX
 records and suppresses the target A and  lookups and treats the domain
 as invalid. However the null MX logic is just an optimization: Exim's
 validation logic would get the same result if it tried to do the A and
  lookups and found that . does not have any addresses.

 Postfix does the same if you use the reject_unknown_sender_domain option.

FWIW, the equivalent option in the Oracle MTA is called mailfromdnsverify.

 There are good reasons for rejecting mail from invalid domains, e.g.
 because you would not be able to send a delivery failure report.

Yep. I believe setting this option is fairly common.

Ned

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Olafur Gudmundsson]

On Jul 18, 2014, at 10:52 AM, John Levine jo...@taugh.com wrote:

 Many years ago Joe Abley and I suggested to create a special name for 
 exactly this purpose
 a name that was guaranteed to never exist in the DNS thus the first lookup 
 would always return NXDOMAIN thus the A+ lookups would never take place. 
 http://tools.ietf.org/html/draft-jabley-sink-arpa-03
 
 While I don't think it's relevant for this application, isn't that
 what RFC 6761 defines invalid to be?
 
 R's,
 John


John,

I think it would be great to have this document use “no-mail.invalid.” as the 
domain name rather
than “.” in the MX record i.e. 
foo.bar.example MX  0 no-mail.invalid. 

But this is just a question of preference and installed base. 

Olafur

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

Olafur Gudmundsson o...@ogud.com wrote:

 I think it would be great to have this document use “no-mail.invalid.”
 as the domain name rather than “.” in the MX record

I don't think this would help. It would be different from what existing
code recognizes and it would not divert the unwanted A+ queries away
from the root name servers.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: West or southwest 4 or 5. Slight or moderate. Thundery showers in
north. Good, occasionally poor in north.___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Mark Delany]

 I think it would be great to have this document use ?no-mail.invalid.? as the 
 domain name rather
 than ?.? in the MX record i.e. 
   foo.bar.example MX  0 no-mail.invalid. 
 
 But this is just a question of preference and installed base. 

The aspirations of this document were far more modest than people seem
to think.

The original intent was to merely document a relatively standard
operating procedure that mail admins routinely deploying. Up to that
point it was trade-craft that sometimes surprised and confused new
mail admins. We wanted to reduce that surprise and confusion. Nothing
more.

There was no original intent to try and change the practice nor to
pass judgment on it. It was deemed that that would be covered by some
future activity if warranted. Maybe NULLMX considered harmful if
enough IETF wonks were keen on an admonition or driving an
alternative.

It's been nearly ten years since the original draft was posted, and it
has travelled just about the full length of the IETF digestive
tract. I can readily understand why the original goal may no longer be
apparent.

Importantly, in the intervening decade there has been zero evidence of
sufficient energy to pursue alternatives, yet alone pursue them to
completion. And of course the practice has become far more entrenched
since then.

I encourage folk to consider the doc in that context if they can.


Mark.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

(copying John Levine given his recent summary on the IETF list
as well as his co-author role)

--On Friday, July 18, 2014 10:36 -0400 Olafur Gudmundsson
o...@ogud.com wrote:

 If this is a worry for the root server operators (but I
 thought they had said in the past that it doesn't pose a
 problem) then the draft could specify a canonical
 address-less domain lower down the hierarchy, e.g.
 empty.as112.arpa (making use of the AS112 DNAME proposal).
...

 Many years ago Joe Abley and I suggested to create a special
 name for exactly this purpose a name that was guaranteed to
 never exist in the DNS thus the first lookup  would always
 return NXDOMAIN thus the A+ lookups would never take
 place.  http://tools.ietf.org/html/draft-jabley-sink-arpa-03

One more general observation and then I'm going to stop and
leave this part of the issue to you folks.   I believe there is
fairly general (if still a bit rough) consensus in the email
community that having some clear, DNS-based, way for a system to
indicate that it does not accept email.Long ago, there was
some hope that WKS records would solve that problem (and others
like it), but we know how that worked out.

Today's problem, IMO, is that, while there is little debate
about DNS-based solution, or even DNS-based solution
involving something special in the relevant MX record, I
haven't seen a careful analysis by DBS experts on which of
several DNS approaches have the least bad operational
properties.  If a particular SMTP implementation is aware of and
follows the spec, almost any consensus indicator that doesn't
conflict with other things should be fine -- ., ***, a
special name in example.com or example.net, the proposal above,
or something else, because there will be a string compare within
the SMTP server and no lookups will be done.  Since SMTP
prohibits non-ASCII domain names, one might even consider
something Like фиктивный.example.com or
虚假.example.com (literally, not as IDNA A-labels) which
would cause many SMTP servers to do something nasty that does
not involve the DNS.   

DATA containing . has the advantage of already being deployed,
so anything else has to offer enough marginal value to overcome
the assumptions that go with existing practice.  But, modulo
that issue, I don't think the SMTP community really cares what
the string is as long as there is a string and a mechanism
(Tony and others have said as much).

The only issue that is, IMO, really important is with
side-effects or damage caused by SMTP implementations that do
not know about the convention or conform to the spec.  They will
certainly do lookups; how far they will get and whether they
will requeue and try again depends somewhat on the string chosen
and, modulo the observation about non-ASCII bogus strings, that
is your area of expertise and not mine (or that of the AppsAWG).

Given that the IETF used to pride itself on the application and
quality of cross-area review, I think it is desirable and
appropriate that the DNS community generally, and DNSOP in
particular, weigh in on the string.  I'd be happiest, and I'm
confident that John L would be too, if the answer was any of 

 * Just fine, . is no problem
 * Ok, . isn't likely to cause enough of an incremental
problem to be worth worrying about.
 * We really wish you had asked ten years ago, but don't
see . as causing enough of an incremental problem to
be worth the difficulties associated with getting
existing implementations to change their ways.

But, again in the spirit of cross-area review, I'd really like
it --and, as someone who periodically plays email expert on
television, be a lot more comfortable-- if DNSOP had enough of a
discussion to advise on this.  I would hope that, if the advice
were use a different string, preferable whatever, because...
the IESG and the advocates of no mail received here indicator
MXs would pay careful attention.

And I'd like to see the spec reflect the analysis, if only in an
appendix, which may require someone on the DNSOP list to help
John L with text.  But that is, as always, secondary to getting
the spec, protocol, and operational issues right.

john

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John R Levine]

Today's problem, IMO, is that, while there is little debate
about DNS-based solution, or even DNS-based solution
involving something special in the relevant MX record, I
haven't seen a careful analysis by DNS experts on which of
several DNS approaches have the least bad operational
properties.


But, John, this is the one that's implemented in many popular MTAs, has 
been in daily use for the better part of a decade, and has no observed 
issues at all that I ever heard of.  No doubt it sends some traffic to the 
root servers, but have any root server surveys ever even mentioned A or 
 query traffic to . ?


I can sorta kinda see not wanting to bless it in an RFC, but if we tell 
people to do something different, we'll just look ever more out of touch 
and they'll ignore us.  Again.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

John C Klensin john-i...@jck.com wrote:

 If a particular SMTP implementation is aware of and follows the spec,
 almost any consensus indicator that doesn't conflict with other things
 should be fine --

There are actually more constraints than you imply in your message.

 .

Has the advantage of being implemented and deployed. Has the disadvantage
of directing useless queries to the root name servers from MTAs that do
not understand null MX records.

 ***

MX target names should obey the LDH host name rules. You won't be able to
enter this target into many DNS admin tools since they enforce LDH syntax.
Some nameservers (e.g. BIND) will by default refuse to load a zone with
a non-hostname MX target.

This loses the advantages of a . target and fails to keep useless
queries away from the root name servers.

 a special name in example.com or example.net,

These domains are reserved for use in examples, not for production
purposes. Are their name servers scaled up enough to handle stray
queries from MTAs that don't understand null MX records?

This question applies to any non-. target. The reason I suggested using
AS112 was because it is designed for sinking unwanted queries that should
not have leaked out in the first place. But I still prefer to stick with
..

 Since SMTP prohibits non-ASCII domain names, one might even consider
 something Like фиктивный.example.com or 虚假.example.com (literally,
 not as IDNA A-labels) which would cause many SMTP servers to do
 something nasty that does not involve the DNS.

You are muddling up the IDNA layers here. The MX target comes from the DNS
so if you try to put an IDNA name there it has to be encoded as an A-label
before you put it in the DNS. If you try hard you can put un-encoded UTF-8
in the DNS, but then it would violate the hostname rules in a similar way
to ***.

It is likely that there are MTAs which do not check that MX targets
actually obey hostname syntax, so this kind of hack is not going to
reliably suppress lookups.

 They will certainly do lookups; how far they will get and whether they
 will requeue and try again depends somewhat on the string chosen

I think it depends more on the MTA's and/or postmaster's attitude to DNS
misconfiguration. Some are quicker to permfail than others.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Irish Sea: South or southeast 4 or 5, becoming variable 3 or 4. Moderate
becoming slight. Rain or thundery showers, fog patches. Moderate or good,
occasionally very poor.___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

--On Friday, July 18, 2014 14:59 -0400 John R Levine
jo...@taugh.com wrote:

 Today's problem, IMO, is that, while there is little debate
 about DNS-based solution, or even DNS-based solution
 involving something special in the relevant MX record, I
 haven't seen a careful analysis by DNS experts on which of
 several DNS approaches have the least bad operational
 properties.
 
 But, John, this is the one that's implemented in many popular
 MTAs, has been in daily use for the better part of a decade,
 and has no observed issues at all that I ever heard of.  No
 doubt it sends some traffic to the root servers, but have any
 root server surveys ever even mentioned A or  query
 traffic to . ?

If you head read all of my note, you would have noticed that I
expressed a strong preference for staying with MX . unless
there were compelling reasons for doing something else.
Compelling is a pretty high bar, but I think we need to ask
and then listen.  Also see below.

As to no observed issues and indications of support in the
many popular MTAs you have cited elsewhere, I think counting
SMTP implementations is essentially bogus for reasons discussed
(and claims made) in another thread on the IETF list.  For those
with the patience for the analysis, see [1] below.

More relevant, I think, is that the deployment scale for this
convention has nothing to do with how many SMTP servers
implement it -- whether they do by string matching (also see
below) or by giving a just stop here interpretation to certain
types of DNS responses to lookup of MS DATA field contents.  If
no one created an MX . entry, then the number or types of
servers who were prepared to deal with one in a special way
would be completely irrelevant and the number of queries to the
root would be zero.  Now we both know that there are a bunch of
MX . records out there.  I assume the number is not very large
compared to the total number of nodes in the DNS that own
address records or even that number less the number of nodes who
have MX records that point to SMTP servers.  But the load on the
root as the result of this convention (whether approved by the
IETF or not) is, unless my brain is completely not working
today, dependent on how often such records are encountered less
the number of systems that trap the . convention locally.  If
the reason for asking for IETF approval is to encourage more
nodes to be associated with these records (otherwise, you
presumably wouldn't be looking for standards track) then more
MX . entries are likely to result in more DNS queries -- how
many more is, I believe, anyone's guess although I discuss some
parameters below.

Part of the issue here is an SMTP subtlety (or perhaps an RFC
5321 glitch).  Your spec says (Section 3) The DNS root is not a
valid host name, so a NULL MX record can not be confused with an
ordinary MX record.  That is clearly true.  But, while an SMTP
implementation could invoke the operational necessity
provision of 5321 and make a string comparison check rather than
sending a query to the root, SMTP does not require that the DATA
associated with an MX record pass SMTP tests of valid host
name (in SMTP a rather restrictive bit of local syntax); it
basically requires that whatever is out there be looked up, with
validity (getting back an address record) depending on what the
DNS has to say (see 5321 Section 5.1)

So, again with the stipulation that I may still not fully
understand the issues here, I'd look, not at numbers of SMTP
server implementations, or even the amount of traffic they might
carry, but the number of MX RRs with . in the DATA.  I'd
assume that number would grow significantly and asymptotically
after this specification is approved and more operators install
the records and then with the growth in the Internet (or the
DNS).  The actual number of queries would depend on the subset
of those nodes that were hit, either intentionally or by
mistake.  I don't think we have any way to estimate that.   In
any event, if one believes in Internet growth and that don't
send me mail MX records are a good idea, there will be a lot
more of them in the future, maybe enough to justify a change now
if one is otherwise appropriate (or maybe not).

My apologies for not thinking of it sooner but, if I were
worried about DNS root server impacts (email messaging with
mistakes about domains may be such a small percentage of traffic
to not count) or even unnecessary DNS traffic minimization more
generally, I'd recommend that this new specification explicitly
update Section 5.1 of RFC 5321 to require that DNS servers make
a string-comparison test against . (or whatever the string
turns out to be) and stop if it is found rather than doing DNS
lookups on whatever is in the data field.  As an alternative,
5321 could be updated to require checking the contents of MX
DATA against the SMTP mailbox domain rules.  Neither would
affect anything that exists today that is reasonable, but they
would move that check from 

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

--On Friday, July 18, 2014 20:39 +0100 Tony Finch d...@dotat.at
wrote:

 John C Klensin john-i...@jck.com wrote:
 
 If a particular SMTP implementation is aware of and follows
 the spec, almost any consensus indicator that doesn't
 conflict with other things should be fine --
 
 There are actually more constraints than you imply in your
 message.

Yes, almost certainly.

 .
 
 Has the advantage of being implemented and deployed. Has the
 disadvantage of directing useless queries to the root name
 servers from MTAs that do not understand null MX records.
 
 ***
 
 MX target names should obey the LDH host name rules.

I completely agree, but SMTP imposes no such requirement.

 You won't
 be able to enter this target into many DNS admin tools since
 they enforce LDH syntax. Some nameservers (e.g. BIND) will by
 default refuse to load a zone with a non-hostname MX target.

Does that imply that this spec should contain a warning that
loading one of these null MX records may require a
configuration change in one's nameserver?   Just asking.

 This loses the advantages of a . target and fails to keep
 useless queries away from the root name servers.
 
 a special name in example.com or example.net,
 
 These domains are reserved for use in examples, not for
 production purposes. Are their name servers scaled up enough
 to handle stray queries from MTAs that don't understand null
 MX records?

Yep.  Sorry for not selecting a better example, but I hope the
point was clear.

 This question applies to any non-. target. The reason I
 suggested using AS112 was because it is designed for sinking
 unwanted queries that should not have leaked out in the first
 place. But I still prefer to stick with ..

Ok, thanks for clarifying.
 
 Since SMTP prohibits non-ASCII domain names, one might even
 consider something Like фиктивный.example.com or
 虚假.example.com (literally, not as IDNA A-labels) which
 would cause many SMTP servers to do something nasty that does
 not involve the DNS.

 You are muddling up the IDNA layers here. The MX target comes
 from the DNS so if you try to put an IDNA name there it has to
 be encoded as an A-label before you put it in the DNS. If you
 try hard you can put un-encoded UTF-8 in the DNS, but then it
 would violate the hostname rules in a similar way to ***.

I'm actually not... and sorry if I wasn't clear.   Because SMTP
doesn't impose any restrictions on what it can pick up from MX
DATA (presumably the only limits are those imposed by 2181) and
knows nothing about IDNA, un-encoded UTF-8 (or, for that matter,
un-encoded UTF16 or something else as long as it is within the
64 byte label limit, is just meaningless trash -- far further up
the trash scale than **.   If an implementation chooses
to apply host name checks (or SMTP mailbox domain name validity
checks) that seems wise to me, but goes beyond what SMTP
requires.

 It is likely that there are MTAs which do not check that MX
 targets actually obey hostname syntax, so this kind of hack is
 not going to reliably suppress lookups.

Exactly.  They are different examples of guaranteed bogus
strings; they don't help a bit with the query problem.   If we
really want help with the query problem, we need to update SMTP
(see previous over-long note to DNSOP, which I'll forward to you
under separate cover.

 They will certainly do lookups; how far they will get and
 whether they will requeue and try again depends somewhat on
 the string chosen
 
 I think it depends more on the MTA's and/or postmaster's
 attitude to DNS misconfiguration. Some are quicker to permfail
 than others.

Yep,  And that is independent of whether we agree about what
constitutes DNS misconfiguration.  Had you said
misconfiguration, abuse, or stupidity, we'd probably agree.
:-)

john



___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

John C Klensin john-i...@jck.com wrote:

  MX target names should obey the LDH host name rules.

 I completely agree, but SMTP imposes no such requirement.

RFC 974 specifies that the target of an MX record is a host name.

  You won't be able to enter [***] into many DNS admin tools since
  they enforce LDH syntax. Some nameservers (e.g. BIND) will by default
  refuse to load a zone with a non-hostname MX target.

 Does that imply that this spec should contain a warning that
 loading one of these null MX records may require a
 configuration change in one's nameserver?

No, because . doesn't violate LDH syntax. (What admin GUIs do is another
matter...)

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Humber, Thames: Mainly southeast 4 or 5, increasing 6 at times. Slight or
moderate. Thundery showers. Good, occasionally poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Tony Finch]

John C Klensin john-i...@jck.com wrote:

 To the contrary, I think the problem here (if there is one) is
 that these types of ideas are being invented, specified through
 formal or informal private discussions, deployed, and then
 brought to the IETF for standardization.

The null MX record is simply re-using the existing logic for null SRV
records, so the design already has IETF approval.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
East Sole, Lundy, Fastnet: Southerly becoming variable 3 or 4. Slight or
moderate. Thundery showers. Good, occasionally poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[John C Klensin]

(Warning to DNSOP and IESG -- this response is going to descend
quickly into SMTP esoterica and is probably safe to ignore from
a DNS perspective)

--On Friday, July 18, 2014 22:39 +0100 Tony Finch d...@dotat.at
wrote:

 John C Klensin john-i...@jck.com wrote:
 
  MX target names should obey the LDH host name rules.
 
 I completely agree, but SMTP imposes no such requirement.
 
 RFC 974 specifies that the target of an MX record is a host
 name.

And so?  RFC 2821 obsoleted 974.  As far as I can tell, it says
nothing at all about the DATA field in an MX record, leaving
pulling that information out and looking it up in the DNS to be
inferred from context and a parenthetical comment (perhaps
taken from the preferred MX record).  It does use the term
host addresses and destination host, but in a too-informal
context to assume that people would infer host name (aside:
whatever that means) in the DNS sense.  After 14+ years, I no
longer remember and cannot reconstruct whether that was a DRUMS
screwup or mine although the WG is ultimately responsible for
not reviewing carefully enough.

When RFC 5321 was done, we obviously knew there was a problem
with the 2821 text because its text improves on the situation.
The pre-5321 change log doesn't say much that sheds light on the
change, other than saying that the description of MX handing
was changed in -10 (one of several post-Last-Call versions).
The relevant section is more clear and it does explicitly say
the data field of that response MUST contain a domain name.
That domain name, when queried, MUST return at least one address
record (e.g., A or  RR).  But that is it: domain name.
One can read that as an invocation of the discussion in Section
2.3.5 but that isn't the only possible reading.  The section
invokes 1035 and a sequence of letters, digits, and hyphens
drawn from the ASCII character set.   The following sentence
reads Domain names are used as names of hosts and of other
entities in the domain name hierarchy. so, while 2.3.5 (if one
believes that the text in 5.1 invokes it) requires LDH, it does
not require a host name.If one doesn't believe that 2.3,5
is invoked, then a domain name is presumably just an FQDN
conforming to 1034/1035 as interpreted by 2181).  There is,
fwiw, some additional test in 2.3.5 that further muddies the
waters. 

That is definitely not a good example of clarity or precision.
Mea culpa, with or without comments about quality of review.  I
have tightened things up in the 5321bis editing copy (yes, there
is such a thing).

...
 Does that imply that this spec should contain a warning that
 loading one of these null MX records may require a
 configuration change in one's nameserver?
 
 No, because . doesn't violate LDH syntax. (What admin GUIs
 do is another matter...)

Those admin GUIs or text input converters were what I was
concerned about (should have said nameserver configuration
interface or words to that effect).  Your call (and John L.'s).

john


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Mark Andrews]

In message alpine.lsu.2.00.1407182019070.28...@hermes-1.csi.cam.ac.uk, Tony F
inch writes:
 
 John C Klensin john-i...@jck.com wrote:
 
  If a particular SMTP implementation is aware of and follows the spec,
  almost any consensus indicator that doesn't conflict with other things
  should be fine --
 
 There are actually more constraints than you imply in your message.
 
  .
 
 Has the advantage of being implemented and deployed. Has the disadvantage
 of directing useless queries to the root name servers from MTAs that do
 not understand null MX records.
 
  ***
 
 MX target names should obey the LDH host name rules. You won't be able to
 enter this target into many DNS admin tools since they enforce LDH syntax.
 Some nameservers (e.g. BIND) will by default refuse to load a zone with
 a non-hostname MX target.
 
 This loses the advantages of a . target and fails to keep useless
 queries away from the root name servers.

. is a place holder exception.  Below is a minimal zone with a MX with all
the domains set to ..  Named will load MX 0 . fine.  . prevents lots
of the internal checks at load time from triggering.

% named-checkzone zone zone
zone:1: no TTL specified; using SOA MINTTL instead
zone zone/IN: loaded serial 0
OK
% cat zone
@ SOA . . 0 0 0 0 0
@ NS .
@ MX 0 .
% 

MX 0 . is also consistent with SRV 0 0 0 . which is documented.

no-mail.invalid however will elicit a warning / failure depending
upon what the error level is set to.  Named-checkzone looks up every
MX target and check for A or  records with the exception of
..  It also checks that they are syntactically valid hostnames.
It also tries to determine if a IPv4 address has been used instead
of a hostname by mistake.

% named-checkzone zone zone
zone:1: no TTL specified; using SOA MINTTL instead
zone zone/IN: zone/MX 'no-mail.invalid' (out of zone) has no addresses records 
(A or )
zone zone/IN: loaded serial 0
OK
% cat zone
@ SOA . . 0 0 0 0 0
@ NS .
@ MX 0 no-mail.invalid.
% 

. is a really good exception marker.  It is also the minimal
exception marker we can have.

  a special name in example.com or example.net,
 
 These domains are reserved for use in examples, not for production
 purposes. Are their name servers scaled up enough to handle stray
 queries from MTAs that don't understand null MX records?
 
 This question applies to any non-. target. The reason I suggested using
 AS112 was because it is designed for sinking unwanted queries that should
 not have leaked out in the first place. But I still prefer to stick with
 ..
 
  Since SMTP prohibits non-ASCII domain names, one might even consider
  something Like =D1=84=D0=B8=D0=BA=D1=82=D0=B8=D0=B2=D0=BD=D1=8B=D0=B9.ex=
 ample.com or =E8=99=9A=E5=81=87.example.com (literally,
  not as IDNA A-labels) which would cause many SMTP servers to do
  something nasty that does not involve the DNS.
 
 You are muddling up the IDNA layers here. The MX target comes from the DNS
 so if you try to put an IDNA name there it has to be encoded as an A-label
 before you put it in the DNS. If you try hard you can put un-encoded UTF-8
 in the DNS, but then it would violate the hostname rules in a similar way
 to ***.
 
 It is likely that there are MTAs which do not check that MX targets
 actually obey hostname syntax, so this kind of hack is not going to
 reliably suppress lookups.
 
  They will certainly do lookups; how far they will get and whether they
  will requeue and try again depends somewhat on the string chosen
 
 I think it depends more on the MTA's and/or postmaster's attitude to DNS
 misconfiguration. Some are quicker to permfail than others.
 
 Tony.
 --=20
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Irish Sea: South or southeast 4 or 5, becoming variable 3 or 4. Moderate
 becoming slight. Rain or thundery showers, fog patches. Moderate or good,
 occasionally very poor.
 --1870869256-999632820-1405712346=:28941
 Content-Type: text/plain; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
 
 --1870869256-999632820-1405712346=:28941--
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Last Call: draft-ietf-appsawg-nullmx-05.txt (A NULL MX Resource Record for Domains that Accept No Mail) to Proposed Standard

[Mark Andrews]

The target us a hostname (RFC 1035).

3.3.9. MX RDATA format

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|  PREFERENCE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/   EXCHANGE/
/   /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

PREFERENCE  A 16 bit integer which specifies the preference given to
this RR among others at the same owner.  Lower values
are preferred.

EXCHANGEA domain-name which specifies a host willing to act as
a mail exchange for the owner name.


In message d6cbb305b5bc2818e7b34...@jck-hp8200.jck.com, John C Klensin writes
:
 (Warning to DNSOP and IESG -- this response is going to descend
 quickly into SMTP esoterica and is probably safe to ignore from
 a DNS perspective)
 
 --On Friday, July 18, 2014 22:39 +0100 Tony Finch d...@dotat.at
 wrote:
 
  John C Klensin john-i...@jck.com wrote:
  
   MX target names should obey the LDH host name rules.
  
  I completely agree, but SMTP imposes no such requirement.
  
  RFC 974 specifies that the target of an MX record is a host
  name.
 
 And so?  RFC 2821 obsoleted 974.  As far as I can tell, it says
 nothing at all about the DATA field in an MX record, leaving
 pulling that information out and looking it up in the DNS to be
 inferred from context and a parenthetical comment (perhaps
 taken from the preferred MX record).  It does use the term
 host addresses and destination host, but in a too-informal
 context to assume that people would infer host name (aside:
 whatever that means) in the DNS sense.  After 14+ years, I no
 longer remember and cannot reconstruct whether that was a DRUMS
 screwup or mine although the WG is ultimately responsible for
 not reviewing carefully enough.
 
 When RFC 5321 was done, we obviously knew there was a problem
 with the 2821 text because its text improves on the situation.
 The pre-5321 change log doesn't say much that sheds light on the
 change, other than saying that the description of MX handing
 was changed in -10 (one of several post-Last-Call versions).
 The relevant section is more clear and it does explicitly say
 the data field of that response MUST contain a domain name.
 That domain name, when queried, MUST return at least one address
 record (e.g., A or  RR).  But that is it: domain name.
 One can read that as an invocation of the discussion in Section
 2.3.5 but that isn't the only possible reading.  The section
 invokes 1035 and a sequence of letters, digits, and hyphens
 drawn from the ASCII character set.   The following sentence
 reads Domain names are used as names of hosts and of other
 entities in the domain name hierarchy. so, while 2.3.5 (if one
 believes that the text in 5.1 invokes it) requires LDH, it does
 not require a host name.If one doesn't believe that 2.3,5
 is invoked, then a domain name is presumably just an FQDN
 conforming to 1034/1035 as interpreted by 2181).  There is,
 fwiw, some additional test in 2.3.5 that further muddies the
 waters. 
 
 That is definitely not a good example of clarity or precision.
 Mea culpa, with or without comments about quality of review.  I
 have tightened things up in the 5321bis editing copy (yes, there
 is such a thing).
 
 ...
  Does that imply that this spec should contain a warning that
  loading one of these null MX records may require a
  configuration change in one's nameserver?
  
  No, because . doesn't violate LDH syntax. (What admin GUIs
  do is another matter...)
 
 Those admin GUIs or text input converters were what I was
 concerned about (should have said nameserver configuration
 interface or words to that effect).  Your call (and John L.'s).
 
 john
 
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop