On Sun, 5 Sep 2004, Mark Lentczner wrote:
Three items to respond to:
[-1-]
On Sep 5, 2004, at 6:33 AM, william(at)elan.net wrote:
-prefix does not solve the wildcard issue
Actually prefix helps wildcard issues and solves at least one of them.
It avoids the need to enter separate records for both
"example.com" and "*.example.com": with a prefix, one record for
"*.example.com" would suffice and cover both _prefix.example.com and
anything else like _prefix.subdomain.example.com.
Usually, the use of the wild-card record is to say "-all" for anything
in a subdomain, and hence this record would not be the same as the
domain's record:
That depends on the use of wildcards. When wildcards are used in parallel
with wildcard MX entries, then the SPF record for the domain and wildcard
subdomains will most likely be the same.
A different situation is somebody who just wants to say that there are
no working subdomains under his domain; then "-all" can be used. But do
remember that a wildcard will actually not work for any subdomain that is
delegated (i.e. ones that have their own direct "A", "MX" or any other
record), so this might not have much value, as I don't think spoofing
non-existing hosts is very common and these can be quickly caught by just
checking if the host actually exists...
with prefix:
_prefix.example.com IN SPF2 "spf2.0/pra +mx +a -all"
*.example.com IN SPF2 "spf2.0/pra -all"
without prefix:
example.com IN SPF2 "spf2.0/pra +mx +a -all"
*.example.com IN SPF2 "spf2.0/pra -all"
I assert that if you have a wildcard MX record, then you would actually want
the wildcard subdomain record to be exactly the same, see above.
There is no savings and no difference. On rare occasion when you want
the same record, a prefix fails to help:
with prefix:
*.example.com IN SPF2 "spf2.0/pra +mx:mx.example.com -all"
without prefix:
example.com IN SPF2 "spf2.0/pra +mx:mx.example.com -all"
*.example.com IN SPF2 "spf2.0/pra +mx:mx.example.com -all"
It still makes no difference over-the-wire: Only one record would be
ever returned, so this savings is only one administrative entry. Not a
ringing endorsement in my mind.
I agree with the above: there is no difference on the wire, the difference is
only that the administrator needs to enter one record instead of two.
And yes, this is not a very strong reason to do it, but it does mean
that on at least one issue (be it a small one), the prefix does help
with wildcards, whereas every other issue is exactly the same no
matter if a prefix is used or not. So really we should not put in any
statement like "-prefix does not solve the wildcard issue",
as not using a prefix does not solve these issues either!
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
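
The wildcard behaviour discussed in this message, as an added example that is not part of the original e-mail: a simplified RFC 4592 lookup over a constructed zone holding only the single "*.example.com" SPF2 record from the thread. The zone contents, the 192.0.2.25 address and the function names are assumptions made for illustration.

```python
# Simplified RFC 4592 wildcard lookup. Zone data below is constructed for illustration.
ZONE = {
    "example.com":    {"MX": "10 mx.example.com"},
    "mx.example.com": {"A": "192.0.2.25"},
    "*.example.com":  {"SPF2": "spf2.0/pra +mx:mx.example.com -all"},
}

def exists(zone, name):
    """True if name owns records or is an ancestor of an owner (empty non-terminal)."""
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup(zone, qname, rrtype):
    """Return (status, rdata); status is ANSWER, NODATA or NXDOMAIN."""
    qname = qname.lower().rstrip(".")
    if exists(zone, qname):
        # An existing name is never covered by a wildcard, whatever types it holds.
        rdata = zone.get(qname, {}).get(rrtype)
        return ("ANSWER", rdata) if rdata else ("NODATA", None)
    # Closest encloser: the longest existing ancestor of the query name.
    labels = qname.split(".")
    encloser = ""
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if exists(zone, encloser):
            break
    # Only a wildcard directly below the closest encloser may synthesize an answer.
    wildcard = zone.get("*." + encloser)
    if wildcard is None:
        return ("NXDOMAIN", None)
    rdata = wildcard.get(rrtype)
    return ("ANSWER", rdata) if rdata else ("NODATA", None)

if __name__ == "__main__":
    for name in ("example.com", "_prefix.example.com",
                 "_prefix.subdomain.example.com", "mx.example.com",
                 "_prefix.mx.example.com"):
        print(f"{name:32} SPF2 -> {lookup(ZONE, name, 'SPF2')}")
```

The prefixed apex and non-existent subdomains are answered from the one wildcard record, while the bare apex and any host that owns records of its own (here mx.example.com) get no SPF2 data from it.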