On Sunday 05 September 2004 5:01 pm, Mark Lentczner wrote:
> Usually, the use of the wild-card record is to say "-all" for anything
> in a subdomain, and hence this record would not be the same as the
> domain's record:
>
> with prefix:
> _prefix.example.com IN SPF2 "spf2.0/pra +mx +a -all"
> *.example.com IN SPF2 "spf2.0/pra -all"
>
> without prefix:
> example.com IN SPF2 "spf2.0/pra +mx +a -all"
> *.example.com IN SPF2 "spf2.0/pra -all"
This is not a valid use of DNS wildcards, assuming I understand the problem
you are trying to solve.
In your example, "*.example.com IN SPF2 "spf2.0/pra -all"" would only match
names in example.com that do not exist (actually, the matching behavior is a
bit more subtle than that). But, as has been pointed out on this list more
than once, saying "-all" for non-existent names is unnecessary.
What I think you are really after is to put a "-all" SPF2 record for every
(other) existing A, AAAA, and MX record. There is no convenient DNS
construct for this behavior.
> The actual text from the current draft is:
>
> "Sender-ID compliant sites MUST use DNS recursive servers that support
> EDNS0 [RFC2671] and [RFC3226] in order to be able to receive large DNS
> RR sets."
>
> This text, including the reference to RFC3226, came directly from
> Ólafur of DNS-EXT.
I have a hard time seeing how using EDNS0 rises to the level of MUST. Since
querying for and publishing SPF2 or TXT records will not, in the typical
case, cause truncation without EDNS0, this should be a SHOULD, not a MUST.
That is, using EDNS0 is a good idea, but hardly a requirement.
--
David Blacka <davidb(_at_)verisignlabs(_dot_)com>
Sr. Engineer Verisign Applied Research
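As an added illustration (not part of the thread), a small Python model of RFC 4592 wildcard matching over a constructed zone, showing why a "*.example.com" record with "-all" reaches neither the apex nor any existing host, and why names below an existing host are not matched either:

```python
# Added example (not from the thread): a minimal model of DNS wildcard
# synthesis per RFC 4592 to show which names "*.example.com" would match.
# The zone contents below are constructed for illustration only.

# Owner names that exist in the hypothetical zone, stored as label tuples
# in reverse order (example.com -> ("com", "example")).
ZONE = {
    ("com", "example"),            # apex: the SPF2/MX/A records live here
    ("com", "example", "mail"),    # mail.example.com has an A record
    ("com", "example", "*"),       # *.example.com IN SPF2 "spf2.0/pra -all"
}

def labels(name):
    """'mail.example.com' -> ('com', 'example', 'mail')"""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def exists(qname_labels):
    """A name exists if it is an owner in the zone or an ancestor of one
    (an empty non-terminal also counts as existing)."""
    return any(owner[:len(qname_labels)] == qname_labels for owner in ZONE)

def wildcard_matches(qname, wildcard="*.example.com"):
    """Return True if the wildcard owner would synthesize an answer for qname.
    RFC 4592 rules: a wildcard never matches a name that exists, and it only
    matches when the wildcard's parent is the query name's closest encloser,
    i.e. no name between the parent and qname exists in the zone."""
    q = labels(qname)
    parent = labels(wildcard)[:-1]
    if q[:len(parent)] != parent or len(q) <= len(parent):
        return False                      # not strictly below the parent
    if exists(q):
        return False                      # existing names are never wildcarded
    for i in range(len(parent) + 1, len(q)):
        if exists(q[:i]):
            return False                  # an intermediate name exists
    return True

if __name__ == "__main__":
    for n in ("example.com", "mail.example.com", "host.example.com",
              "foo.mail.example.com", "a.b.example.com"):
        print(f"{n:24} wildcard applies: {wildcard_matches(n)}")
```

Only host.example.com and a.b.example.com are synthesized from the wildcard; the apex, mail.example.com, and anything beneath mail.example.com are answered (or denied) by their own data.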