On 5/18/2004 10:30 AM, Pete Resnick sent forth electrons to convey:
On 5/18/04 at 9:55 AM -0700, Matthew Elvey wrote:
On 5/18/2004 9:06 AM, Pete Resnick sent forth electrons to convey:
In terms of using TXT records or not, I think Philip actually misses
the most important issue to me: wildcards. The discussion we were
having yesterday about how to deal with per-user records (and the
general problem of multiple sub-domain names mapping to a single
record) by using wildcards is almost a show-stopper in my mind. And
nobody who has proposed using TXT records with a "special"
sub-domain namespace (like _spf) has sufficiently explained to me
how they're going to address the wildcard problem.
What's the problem? If a "special" sub-domain namespace (like
_spf) is used, there's still something in the result that indicates
whether it's an SPF record or not.
So let's say that all SPF TXT records start with "_spf", like
"_spf.example.com". Now let's say that I've got a domain that has
names like "mail1.sales.example.com", "mail2.sales.example.com",
"unix.support.example.com", "mail.marketing.example.com", and that's
what a recipient will be using for the SPF lookup.
You've created a record for each of them. Create another record for
each of them. This is utterly trivial. Each can simply be a reference
to another domain holding the actual SPF record 'guts'.
So I want an SPF record that will match "*.sales.example.com". How do
I make such a record? I can't use "_spf.sales.example.com", because
that won't match "mail1.sales.example.com". I can't use
"_spf.*.sales.example.com", because as far as I know the DNS will only
match wildcards if they are the left-most component of the domain
name. So I either have to put in individual records, or I have to
depend on the receiver to work their way up the tree and do queries
for "_spf.mail1.sales.example.com", and if that fails use
"_spf.sales.example.com", and if that fails use "_spf.example.com"
(and probably not try "_spf.com" if that fails, eh?).
Boy is this exquisitely Rube Goldberg.
That stinks. We've got a wildcard mechanism in the DNS for a reason.
I'd rather not see us have to hack around it to get the same effect.
And I have yet to hear a satisfactory response to the issue.
Done.
pr
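The two lookup behaviours argued over above, as an added simulation that is not part of the thread and not code from any SPF implementation: an in-memory zone (constructed data, not real DNS) with an RFC 1034/4592-style wildcard matcher, showing that a "*" label is only honoured when it is the left-most label (so "_spf.*.sales.example.com" never answers "_spf.mail1.sales.example.com"), next to the "walk up the tree" fallback a receiver would need instead. The cut-off at the second-level domain (`stop_labels=2`) is an assumption for the example; a real resolver would need a public-suffix list to decide where to stop.

```python
"""Simulated DNS wildcard matching vs. an _spf.<name> walk-up lookup.

Added example; not code from the MARID thread or from any SPF library.
ZONE is constructed sample data, not a real zone.
"""

# Constructed zone: owner name -> TXT strings.
ZONE = {
    "_spf.example.com":         ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.sales.example.com":   ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.*.sales.example.com": ["v=spf1 ip4:198.51.100.0/24 -all"],  # '*' not left-most: dead record
    "*.support.example.com":    ["v=spf1 ip4:203.0.113.0/24 -all"],   # left-most '*': a real wildcard
}


def _labels(name):
    return name.rstrip(".").lower().split(".")


def wildcard_lookup(zone, qname):
    """Answer a TXT query the way an authoritative server would (RFC 4592 rules).

    Exact owner match wins. Otherwise find the closest encloser (the longest
    proper suffix of qname that exists as a node, including empty ancestors),
    and only a "*.<closest encloser>" owner may synthesize an answer.
    A '*' anywhere but the left-most label is an ordinary literal label.
    """
    qname = qname.rstrip(".").lower()
    if qname in zone:
        return zone[qname]
    existing = set()  # every node in the tree, including empty non-terminals
    for owner in zone:
        o = _labels(owner)
        for i in range(len(o)):
            existing.add(".".join(o[i:]))
    q = _labels(qname)
    for i in range(1, len(q)):
        suffix = ".".join(q[i:])
        if suffix in existing:            # closest encloser found
            return zone.get("*." + suffix, [])
    return []


def spf_direct(zone, host):
    """Single query for _spf.<host>, which is what a per-host design assumes."""
    return wildcard_lookup(zone, "_spf." + host)


def spf_walk_up(zone, host, stop_labels=2):
    """The fallback described in the thread: query _spf.<host>, then
    _spf.<parent>, ... and stop before the TLD. Returns the owner that
    answered (or None), its TXT strings, and every name that was tried.
    stop_labels=2 (stop at example.com, never try _spf.com) is an assumption
    for this example; real code would need a public-suffix list here.
    """
    labels = _labels(host)
    tried = []
    while len(labels) >= stop_labels:
        name = "_spf." + ".".join(labels)
        tried.append(name)
        txt = wildcard_lookup(zone, name)
        if txt:
            return name, txt, tried
        labels = labels[1:]
    return None, [], tried


if __name__ == "__main__":
    for host in ("mail1.sales.example.com", "unix.support.example.com",
                 "mail.marketing.example.com", "host.example.org"):
        print(host)
        print("  direct  _spf.<host>:", spf_direct(ZONE, host))
        print("  plain wildcard TXT :", wildcard_lookup(ZONE, host))
        owner, txt, tried = spf_walk_up(ZONE, host)
        print("  walk-up            :", owner, txt, "after", len(tried), "queries:", tried)
```

Running it shows the two failure modes side by side: "mail1.sales.example.com" gets nothing from the single "_spf." query and only succeeds after the walk-up reaches "_spf.sales.example.com", whereas a plain "*.support.example.com" TXT wildcard answers "unix.support.example.com" in one query, because there the "*" is the left-most label.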