SRV record

SRV records are a relatively new kind of DNS record, which conveys a lot more information than traditional DNS records. SRV records are currently not used that frequently for internet services, but I hope that will change, and maybe this page will help explain why it would be good.

SRV example
Here is an example of a real SRV record used at Fudo, with explanation of each field.

    _xmpp-client._tcp.fudo.org.  10800  IN     SRV   0         60      5222  athens.fudo.org.
    name (label)                 TTL    Class  Type  Priority  Weight  Port  Target

Think of this record:

    irc.fudo.org.  IN A 24.79.5.2
                   IN A 24.58.5.66

That's how our IRC round-robin works now. Compare to:

    _irc._tcp.fudo.org.  IN SRV 0 50 6667 upbringer.fudo.org
                         IN SRV 0 50 6667 nero.fudo.org

The SRV record doesn't require you to have IP addresses right in the record, whereas an A record, obviously, does require that. SRV also adds the weights... and ports. And you don't need to have the IP address for nero in two places, for example: the SRV target points at the host name, and the A record for that host lives in one spot.

Someone pointed out that mail server config becomes EASY with SRV. Your email address: reaper@fudo.org. Okay, a simple query finds your SMTP and IMAP servers via DNS SRV, and you're done:

    reaper@silverstar:~$ dig +short srv _imap._tcp.fudo.org
    0 0 143 athens.fudo.org.

But it isn't used, right? I mean, clients are too dumb.... Instead of guessing 'mail.fudo.org', you can just query SRV. Mozilla is too dumb. So, if clients were smarter, that should be auto-filled, because you know the service you want and you know the domain... why should you need more than DNS to answer the question of what server and port you should connect to?

I knew what SRV records were, but I never thought of their full potential. And further, the server could change at any time; you just update DNS... well, I guess that's the same as now, with mail.fudo.org. But instead of relying on 'well known domain names', we now have a defined method of storing that info in DNS.

That applies to everything. Log in to Jabber? Username: niten@fudo.org. Password: *********. Done.

It makes it easy to add new services. The user doesn't even have to know what service this new program is using.

It might have the side-effect of showing how brain-dead port-number firewalls are. Oh yes, I see, port 9932? SECURITY HOLE!@! What kind of logic is that? I hate firewalls, too. That's one of the reasons suggested for making web apps: because port 80 is always open!

All you have succeeded in doing, by firewalling everything but port 80, is reducing the functionality of the network, by eliminating one of its data identification methods. But you have bought NOTHING in terms of security, because you still allow ANY data across it. What's dangerous is the data, not the port number.

But, if you live in a world of weak, pathetic, and insecure end-points, then you might say that if my webserver gets a virus, it might set up a service on port 9932, and then having traffic on that port would be a sign that something is wrong. I can follow that logic. But locking down the network does not make your host any more secure.

Only allowing port 80 through... but then being forced to allow *all* traffic through port 80. Back to square one, or worse.

I will go further and say the reason the network is being modified, not the host, is that the network is open and the host is not: it's proprietary Windows, which you CANNOT modify to make more secure.

Back before square one—you've lost the info you *did* have. "My operating system has security holes which it is exposing to the world at large! I must do something! ..... I know, I'll build a wall around it!" Instead of DON'T HAVE SECURITY HOLES, or DON'T EXPOSE THEM.

    reaper@silverstar:~$ dig +short srv _pop3._tcp.fudo.org
    0 0 110 athens.fudo.org.
    reaper@silverstar:~$ dig +short srv _domain._udp.fudo.org
    0 80 53 athens.fudo.org.
    0 20 53 darkstar.fudo.org.
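The _domain._udp record above is the first one on this page where the weights actually differ (80 vs 20), so it is worth seeing what a client is supposed to do with them. The following is an added example, not code from this page or from Fudo: it parses the `dig +short srv` output shown here and orders the targets the way RFC 2782 prescribes (lower priority first; within a priority, a weighted random pick, with weight-0 records placed first so they are chosen only when the random number is 0).

```python
import random
from collections import namedtuple

# One SRV RR as "dig +short srv" prints it: priority, weight, port, target.
SRV = namedtuple("SRV", "priority weight port target")


def parse_short(output: str) -> list:
    """Parse 'dig +short srv' lines such as '0 80 53 athens.fudo.org.'."""
    records = []
    for line in output.strip().splitlines():
        prio, weight, port, target = line.split()
        records.append(SRV(int(prio), int(weight), int(port), target))
    return records


def order_targets(records: list, rng=random) -> list:
    """Order SRV records in the sequence a client should try them (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # Weight-0 entries go to the front of the running-sum list, so they
        # win only when the random number drawn is exactly 0.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # 0 <= pick <= sum of weights
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:               # first record whose running sum reaches pick
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_choice_share(records: list, trials: int = 10000, seed: int = 1) -> dict:
    """Fraction of trials in which each target was tried first: the weights at work."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[order_targets(records, rng)[0].target] += 1
    return {t: n / trials for t, n in counts.items()}


# Constructed from the dig output quoted on this page.
DNS_SRV = parse_short("0 80 53 athens.fudo.org.\n0 20 53 darkstar.fudo.org.\n")

if __name__ == "__main__":
    print(first_choice_share(DNS_SRV))  # athens about 0.8, darkstar about 0.2
```

Running it shows athens chosen first in roughly four of five resolutions, which is what a plain A-record round-robin cannot express.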

RFCs

 * RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)
 * RFC Draft: DNS SRV Records for HTTP