ietf-mxcomp
[Top] [All Lists]

Re: Reuse of TXT : draft-ymbk-dns-choices-00.txt

2004-05-18 13:47:25

On 5/18/2004 10:30 AM, Pete Resnick sent forth electrons to convey:


On 5/18/04 at 9:55 AM -0700, Matthew Elvey wrote:

On 5/18/2004 9:06 AM, Pete Resnick sent forth electrons to convey:

In terms of using TXT records or not, I think Philip actually misses the most important issue to me: wildcards. The discussion we were having yesterday about how to deal with per-user records (and the general problem of multiple sub-domain names mapping to a single record) by using wildcards is almost a show-stopper in my mind. And nobody who has proposed using TXT records with a "special" sub-domain namespace (like _spf) has sufficiently explained to me how they're going to address the wildcard problem.


What's the problem? If a a "special" sub-domain namespace (like _spf) is used, there's still something in the result that indicates whether it's an SPF record or not.


So let's say that all SPF TXT records start with "_spf", like "_spf.example.com". Now let's say that I've got a domain that has names like "mail1.sales.example.com", "mail2.sales.example.com", "unix.support.example.com", "mail.marketing.example.com", and that's what a recipient will be using for the SPF lookup.

You've created a record for each of them. Create another record for each of them. This is utterly trivial. Each can simply be a reference to another domain holding the actual SPF record 'guts'.

So I want an SPF record that will match "*.sales.example.com". How do I make such a record? I can't use "_spf.sales.example.com", because that won't match "mail1.sales.example.com". I can't use "_spf.*.sales.example.com", because as far as I know the DNS will only match wildcards if they are the left-most component of the domain name. So I either have to put in individual records, or I have to depend on the receiver to work their way up the tree and do queries for "_spf.mail1.sales.example.com", and if that fails use "_spf.sales.example.com", and if that failes use "_spf.example.com" (and probably not try "_spf.com" if that fails, eh?).

Boy is this exquisitely Rube Goldberg.

That stinks. We've got a wildcard mechanism in the DNS for a reason. I'd rather not see us have to hack around it to get the same effect. And I have yet to hear a satisfactory response to the issue.

Done.


pr