ietf-mxcomp

Re: DEPLOY: Over-running TXT dataspace in FQDN (-protocol I believe)

2004-08-26 15:59:02


On Thu, 26 Aug 2004, Mark Lentczner wrote:

> 2) Wildcards
> All the major points about wildcards have been made: Essentially, they
> don't work the way you'd like them to whether or not there is a prefix
> -- it is the nature of DNS wildcards.
>
> On the other hand, if a domain uses wildcard MX records, then wildcard
> TXT and/or SPF2 records can be used to achieve a matching effect.  See
> the protocol-03 draft for an example and discussion of just this point.
>
> I will only add here that publishing under a prefix or not makes no
> difference - the use of wildcards has the same caveats and
> difficulties.

I disagree that publishing under a prefix makes no difference as to the
workability of wildcards. As noted, wildcards can be used to
extend SPF policy to all subdomains under example.com which are not
specifically defined as separate records in DNS, i.e.:
 a.example.com. IN TXT "v=spf1 ip4:192.168.0.0/16 ~all"
 *.example.com. IN TXT "v=spf1 ip4:10.0.0.0/8 ~all"
will apply to
 b.example.com and c.example.com and d.example.com, etc.
 but not to a.example.com, which has its own record.

In case we decide to have the main record be located within a subdomain prefix
depending on the identity, then in order to achieve the same effect with
wildcards, we'd still have to place the record in the root of the domain, i.e.
 a._marid_pra.example.com. IN TXT "v=spf1 ip4:192.168.0.0/16 ~all"
 *.example.com. IN TXT "v=spf1 ip4:10.0.0.0/8 ~all"

In this case the wildcard record will apply to b._marid_pra.example.com and
c._marid_pra.example.com, etc., but not to a._marid_pra.example.com. But
at the same time here the record from the wildcard (i.e. 10.0.0.0/8) will
also apply to a._spf_mfrom.example.com, even though this might be a different
identity, and while for specific records we can do:
 a._marid_pra.example.com. IN TXT "v=spf1 ip4:192.168.0.0/16 ~all"
 b._spf_mfrom.example.com. IN TXT "v=spf1 ip4:192.168.10.0/24 ~all"
the same cannot be done for wildcard records, as there you only
have one place to put such a record and it would have to be the same for any kind
of identity (even ones not yet defined...).

In my view this makes wildcards a bad choice for achieving scoping and
identity separation. That is unless we decide that we don't need to support
wildcards at all, and in that case, to avoid problems (as some will still
do it, seeing how it's possible), the document would have to specifically
say that you CAN NOT use wildcards or CAN NOT place records in anything
but the specified scope/identity prefix.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
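An added example, not part of the thread, that applies the RFC 1034 section 4.3.3 / RFC 4592 wildcard rule (closest encloser, empty non-terminals) to the two constructed zone layouts from the message above, so a reader can check which query names the `*.example.com` record actually covers; zone names and record data are the ones quoted in the message, embedded here as sample input.

```python
# Added example: minimal RFC 1034 / RFC 4592 wildcard lookup over constructed
# sample zones shaped like the ones discussed in the message.
from typing import Dict, List, Optional

Zone = Dict[str, List[str]]  # owner name (lowercase, no trailing dot) -> TXT strings


def _ancestors(name: str) -> List[str]:
    """Proper ancestors of name, nearest first (b.example.com -> example.com, com)."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records OR is an empty non-terminal, i.e. some
    record owner lies below it (RFC 4592 section 2.2.2)."""
    n = name.rstrip(".").lower()
    return any(o == n or o.endswith("." + n) for o in zone)


def lookup_txt(zone: Zone, qname: str) -> Optional[List[str]]:
    """TXT data for qname: exact owner first, otherwise wildcard synthesis from
    '*.<closest encloser>' only. None means NXDOMAIN or no data."""
    q = qname.rstrip(".").lower()
    if q in zone:
        return zone[q]
    if name_exists(zone, q):
        return None  # existing empty non-terminal: wildcards never apply to it
    for anc in _ancestors(q):
        if name_exists(zone, anc):  # first existing ancestor = closest encloser
            return zone.get("*." + anc)  # source of synthesis, if it is present
    return None


# Constructed zone 1: records at the domain root, as in the message.
ZONE_ROOT: Zone = {
    "a.example.com": ["v=spf1 ip4:192.168.0.0/16 ~all"],
    "*.example.com": ["v=spf1 ip4:10.0.0.0/8 ~all"],
}
# Constructed zone 2: the specific record moved under the _marid_pra prefix.
ZONE_PREFIX: Zone = {
    "a._marid_pra.example.com": ["v=spf1 ip4:192.168.0.0/16 ~all"],
    "*.example.com": ["v=spf1 ip4:10.0.0.0/8 ~all"],
}

if __name__ == "__main__":
    for zone, q in ((ZONE_ROOT, "b.example.com"), (ZONE_PREFIX, "b._marid_pra.example.com"),
                    (ZONE_PREFIX, "a._spf_mfrom.example.com")):
        print(f"{q:28} -> {lookup_txt(zone, q)}")
```

Running it shows the caveat the quoted reply alludes to: once `a._marid_pra.example.com` exists, `_marid_pra.example.com` exists as an empty non-terminal, so `*.example.com` is not the closest encloser of `b._marid_pra.example.com` and no TXT record is synthesized for it, while `a._spf_mfrom.example.com` does receive the 10.0.0.0/8 wildcard record.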

