ietf-mxcomp

Re: comments on SPF

2004-06-14 13:51:06

At 14:56 -0500 6/14/04, wayne wrote:
> You snipped off the first sentence in that paragraph:
> #   In unusual situations, directives may require additional DNS records.

I guess I had left that off because it didn't make sense to me. The following part of your note does clarify it - perhaps including the example in the draft would help.

> If, for example, you are hotmail and your list of outgoing IP
> addresses is too large to fit in a single 512B UDP DNS packet, you
> should split the information into two (or more) records.  These
> additional records need to be placed somewhere, and the SPF spec
> recommends a spot for them.
>
> The vast majority of domains won't need to do this.  This doesn't have
> anything to do with looking two different places for stuff, the first
> spot will direct you to whatever the second place is that you need to
> look.

In that case, why not just rely on the DNS RR set, putting multiple RR's in the same location? You'd have to define how to reassemble/combine them.

...

In response to the thought of multiple TXT RR's...

> I have investigated this issue some, and from what I can tell, this
> doesn't happen.

Looking at the first item in this reply, perhaps it would be something to pursue. 'Course, I'm not a fan of using the TXT record, but looking on one place and getting many is preferable to having to "chain" lookups to get more.

> I don't think this paragraph is very clear, but the idea is that you
> would never cross a zone cut boundary, there is no parent/child zone
> cut involved.  If workstation.example.com is in a *different* zone cut
> than example.com (e.g. it has been delegated), then it would not be
> allowed to use an SPF record from example.com for
> workstation.example.com.

Okay - I tripped over the mixture of "parent domain" and the zone cut.

> > Section 4.4:
> >
> > # 4.4 "a"
> >
> > Does this cover IP4 and IP6?

> Yes.  See section 4.3:
>
> #      If the SMTP connection is IPv6, read "AAAA lookup" for "A lookup",
> #      except where "A" lookups are explicitly specified.

In section 4.8, you mention "A" lookup. Is AAAA explicitly not done in that case?

While looking at that I noticed I marked up 4.6 (but didn't dog ear it). It says "Check all validated hostnames ... If any do ..." Instead of checking all, why not check until one is found that satisfies the condition?

> The problem is with using malicious SPF record such as:
>
>     v=spf1 a:%{t}.victim.com a:%{t}.victim.com a:%{t}.victim.com ...
>
> Such a SPF record could be used for DoS attacks.  There is no good
> reason to use the timestamp as part of an SPF mechanism, and if each
> evaluation of %{t} is different, it will create a different DNS
> lookup.

I see. I guess I never saw anything that explained the "t" other than the definition as equaling the current time stamp and then the warning about its impact on DNS. Maybe it would be clear to show an example or explain a "positive" use for the macro.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.
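As an added illustration of the %{t} point raised in wayne's reply above (example code written for this page, not from the thread, the SPF draft, or any SPF implementation): a minimal macro expander with an injectable clock, a function that lists the names an evaluator would have to resolve, and an audit helper a receiver could use to flag records whose DNS-triggering mechanisms depend on the time macro. The record, the context values, the timestamps and the `victim.example` name are all constructed for the example; only %{t} and the macro letters supplied in the context dictionary are expanded (no transformers or delimiters), and CIDR suffixes and modifiers are ignored.

```python
import re
import time
from typing import Callable, Dict, List

# Only %{t} (current Unix time, as the draft defines it) and the letters
# present in the caller's context dict are expanded. Transformers and
# delimiters such as %{d2} are out of scope for this example.
MACRO_RE = re.compile(r"%\{([a-z])\}")

# Mechanisms whose evaluation triggers at least one DNS query.
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def expand_macros(spec: str, ctx: Dict[str, str],
                  now: Callable[[], int] = lambda: int(time.time())) -> str:
    """Expand %{x} macros in a domain-spec; %{t} comes from the injectable clock."""
    def repl(match) -> str:
        letter = match.group(1)
        if letter == "t":
            return str(now())
        if letter in ctx:
            return ctx[letter]
        raise ValueError(f"macro %{{{letter}}} not supported by this example")
    return MACRO_RE.sub(repl, spec)


def terms(record: str) -> List[str]:
    """Split a record into its terms, dropping the 'v=spf1' version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    return parts[1:]


def dns_targets(record: str, ctx: Dict[str, str],
                now: Callable[[], int]) -> List[str]:
    """Hostnames an evaluator would query, one per DNS-triggering mechanism.

    Each term is expanded on its own, so %{t} appearing in three 'a:'
    mechanisms is expanded three times, as an evaluator would do it.
    A bare 'a' or 'mx' refers to the current domain, ctx['d'].
    """
    targets = []
    for term in terms(record):
        if "=" in term:  # modifier (redirect=, exp=): not handled here
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lstrip("+-~?").lower()
        if mech in DNS_MECHANISMS:
            targets.append(expand_macros(arg, ctx, now) if arg else ctx["d"])
    return targets


def audit_record(record: str) -> Dict[str, object]:
    """Receiver-side check: count the DNS-triggering mechanisms and report
    whether any of them uses %{t}, which makes every evaluation resolve a
    fresh name that no cache can serve."""
    dns_count = 0
    volatile = False
    for term in terms(record):
        if "=" in term:
            continue
        mech, _, arg = term.partition(":")
        if mech.lstrip("+-~?").lower() in DNS_MECHANISMS:
            dns_count += 1
            if "%{t}" in arg:
                volatile = True
    return {"dns_mechanisms": dns_count, "volatile": volatile}


# Constructed sample: the shape of record discussed in the thread.
SAMPLE_RECORD = ("v=spf1 a:%{t}.victim.example a:%{t}.victim.example "
                 "a:%{t}.victim.example -all")
SAMPLE_CTX = {"d": "sender.example", "i": "192.0.2.1"}

if __name__ == "__main__":
    # Two evaluations one second apart: the names differ, so each
    # evaluation costs the resolver a new, uncached query per mechanism.
    for fake_now in (1087238400, 1087238401):
        print(fake_now, dns_targets(SAMPLE_RECORD, SAMPLE_CTX, lambda: fake_now))
    print(audit_record(SAMPLE_RECORD))
```

The clock is passed in rather than read from `time.time()` directly so the behaviour is reproducible in a test; in production the default argument does the same with the real clock. A receiver that wants to refuse such records can stop evaluation as soon as `audit_record` reports `volatile`, before issuing any of the lookups.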

