Subject: Re: [sitefinder-tech-discuss] Pseudo code please
At 6:35 PM -0400 10/16/03, Andrew Newton wrote:
It answers #2. I don't know why you are doing #1. It could answer #3 if done before the MX and A checks. Also note, that if VeriSign deployed a wildcard MX according to the details in yesterday's SECSAC meeting, then #3 would be solved by the 2821 behaviour.
You speak of the 2821 behavior as though it were a piece of code. It's a specification. What matters is implementation. Let's not make that mistake again.
I just went through the sendmail code and it appears (let's just say that sendmail's code isn't the most obvious thing in the world) that it correctly follows the recommendation in 2821 when sending. It's not clear to me if it follows it when examining incoming domains. Have you checked with the major open source and proprietary vendors to see whether they do in fact not use the A record when the MX record returns RCODE 3? Have you also checked with the major bulk senders, who often are using custom or specialized software, to make sure they properly implemented the RFC? (Not as big an issue, I know--that's just for sending to user-entered domains, but still--it's someone else you are going to be impacting.)
I think you're saying that prior to doing any A or MX query, I should first take the host name and reduce it to just the domain name. Then I should do an NS query on the domain. If the results are empty, then I know it's a wildcard. If there is a result, then I can trust the results of any subsequent queries on the host/domain name to be accurate. Is that correct?
1. Given a host name in .com/.net, determine whether the host really exists.
If you don't understand why I would want to do this, we have a real problem. I need to tell the user the correct error. If the user gives me a host name, I want to correctly say to them:

- you mistyped the domain
- you mistyped the host
- the host is not responding
- the host does not support that service

I don't think it's critical that the first two items be called out separately, although it's nice. It absolutely is critical that the user be told the difference between "you have a typo" and "I can't connect to the service". The first case is something the user can correct, the second they take as being our fault, or the fault of some third party.
Or to put it in a context which Verisign ought to understand. Suppose you entered your payment information on a web site and the system always came back with "Unable to process your transaction, try again later" instead of saying "Your credit card number is invalid." What a great way to lose a potential customer.
(Come to think of it, this is a very bad example. Verisign's PayFlowPro system does in fact *not* call out which errors are due to user input and which are server based. I had to go through the list of error codes and write an error handling routine which correctly separated them out so I could tell the user the right thing. They were completely random.)
2. Given a domain name in .com/.net, determine whether the domain really exists, or whether it has been configured to *look* like a Verisign wildcard domain.
3. Given a host/domain, determine whether one should be able to send mail to it.
A. No, it's hard to read.
Q. Should I put my reply before your answer?
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
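A sketch of the NS-first check restated in the message above, mapped onto the four user-facing errors it lists; this is an added example, not code from the thread or from any participant. The `query` and `connect` hooks, the mapping of timeout/refused to the last two errors, and every name and address are constructed assumptions.

```python
# Added illustration, not code from the thread. query(name, rtype) and
# connect(addr) are hypothetical hooks; all zone data below is constructed.
WILDCARD_A = "192.0.2.1"  # constructed stand-in for the registry wildcard address

def registered_domain(host):
    """Reduce a .com/.net host name to its registered (second-level) domain."""
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] not in ("com", "net"):
        raise ValueError("only .com/.net names are handled here")
    return ".".join(labels[-2:])

def classify(host, query, connect):
    """Return 'ok' or which of the four user-facing errors applies."""
    # NS query on the domain first: no delegation means any A answer for the
    # name was synthesized by the wildcard, so the domain does not exist.
    if not query(registered_domain(host), "NS"):
        return "mistyped domain"
    # The domain is delegated, so an empty A answer really means no such host.
    addrs = query(host, "A")
    if not addrs:
        return "mistyped host"
    # Assumed mapping: timeout -> not responding, refused -> service unsupported.
    outcome = connect(addrs[0])
    if outcome == "timeout":
        return "host not responding"
    if outcome == "refused":
        return "service not supported"
    return "ok"

# Constructed zone: example.com is delegated; exampel.com is not registered.
ZONE = {
    ("example.com", "NS"): ["ns1.example.com"],
    ("www.example.com", "A"): ["198.51.100.7"],
    ("ftp.example.com", "A"): ["198.51.100.8"],
    ("old.example.com", "A"): ["198.51.100.9"],
}

def fake_query(name, rtype):
    if (name, rtype) in ZONE:
        return ZONE[(name, rtype)]
    delegated = (registered_domain(name), "NS") in ZONE
    # The wildcard only answers A queries under domains that are not delegated.
    return [WILDCARD_A] if rtype == "A" and not delegated else []

def fake_connect(addr):
    return {"198.51.100.7": "connected", "198.51.100.8": "refused"}.get(addr, "timeout")

for h in ("www.exampel.com", "wwww.example.com", "old.example.com", "www.example.com"):
    print(h, "->", classify(h, fake_query, fake_connect))
```

Note that an A lookup alone on the mistyped domain returns an address, which is why the NS check has to come first.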