[ietf-clear] Zone cuts, Make CSV backwards compatible with legacy SPF records?

2004-11-19 22:14:49
> John, you say that using the Zone Cut is a Bad Idea (won't work
> reliably).  Does that mean that SPF (spf-draft-200406, which requires
> use of a Zone Cut for an optional feature) is defective?

Well, there's a lot not to like in that draft.  In the specific case
of the faux wildcards, what it says is that if you use a parent, it must be
the zone cut.  You can do that, but the only reliable way to do so is
to walk up the tree looking for an SOA record, then fetch the TXT
record at the same node as the SOA record.  This is probably more DNS
queries than they had in mind, but SPF has so many situations that
require absurdly large numbers of queries that one more hardly
matters.  Given that you have to walk up the tree anyway, it would
make a lot more sense to forget the zone cuts, walk up the tree
looking for TXT records, and when you find one, use it.

> *Unless one is concerned with coming across wacked out DNS entries for
> legit senders whose HELO domains have more IPs than fit in a UDP packet.

The last time I checked, outgoing mail servers at Hotmail all HELO as
hotmail.com.  But I agree that's not likely to be a problem for CSV
since any host with a whole lot of outgoing mail servers is unlikely
to want to make them the same IPs as their web servers.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
johnl(_at_)iecc(_dot_)com, Mayor, http://johnlevine.com, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
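
The two lookup strategies compared in the message above, as an added example that is not part of the original post or of any SPF or CSV implementation. It assumes an in-memory table of constructed records standing in for DNS, a walk that starts at the queried name itself, and hypothetical helper names throughout; it counts the queries each strategy issues.

```python
# Constructed sample data: (owner name, record type) -> value. Not real DNS.
RECORDS = {
    ("example.com", "SOA"): "ns1.example.com. hostmaster.example.com. 1",
    ("example.com", "TXT"): "v=spf1 -all",
    ("dept.example.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
}

class CountingResolver:
    """Stand-in for a DNS resolver that counts every lookup it performs."""
    def __init__(self, records):
        self.records = records
        self.queries = 0

    def query(self, name, rtype):
        self.queries += 1
        return self.records.get((name, rtype))

def ancestors(name):
    """Yield the name, then each parent domain, stopping before the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def txt_at_zone_cut(resolver, name):
    """Walk up until a node has an SOA, then fetch the TXT at that node."""
    for node in ancestors(name):
        if resolver.query(node, "SOA") is not None:
            return node, resolver.query(node, "TXT")
    return None, None

def first_txt_walking_up(resolver, name):
    """Ignore zone cuts: walk up and use the first TXT record found."""
    for node in ancestors(name):
        txt = resolver.query(node, "TXT")
        if txt is not None:
            return node, txt
    return None, None

def compare(name, records=RECORDS):
    """Run both strategies; return (node, txt, query count) for each."""
    a, b = CountingResolver(records), CountingResolver(records)
    cut = txt_at_zone_cut(a, name)
    walk = first_txt_walking_up(b, name)
    return {"zone_cut": (*cut, a.queries), "txt_walk": (*walk, b.queries)}

if __name__ == "__main__":
    for host in ("mail.dept.example.com", "host.example.net"):
        print(host, compare(host))
```

With this sample data the two strategies can land on different nodes, so the policy applied to a name depends on which walk the receiver implements.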