ietf-mxcomp

Re: consensus call of RR prefix

2004-09-08 13:21:50

> On Sunday 05 September 2004 5:01 pm, Mark Lentczner wrote:
>> Usually, the use of the wild-card record is to say "-all" for anything
>> in a subdomain, and hence this record would not be the same as the
>> domain's record:
>>
>>         with prefix:
>>         _prefix.example.com IN SPF2 "spf2.0/pra +mx +a -all"
>>         *.example.com       IN SPF2 "spf2.0/pra -all"
>>
>>         without prefix:
>>         example.com         IN SPF2 "spf2.0/pra +mx +a -all"
>>         *.example.com       IN SPF2 "spf2.0/pra -all"

On Sep 6, 2004, at 7:34 PM, David Blacka wrote:
> This is not a valid use of DNS wildcards, assuming I understand the problem
> you are trying to solve.
I'm not sure what you mean by 'valid' here -- certainly the domain file is legal and works.

> In your example, "*.example.com IN SPF2 "spf2.0/pra -all"", would only match names in example.com that do not exist (actually, the matching behavior is a bit more subtle than that). But, as has been pointed out on this list more
> than once, saying "-all" for non-existent names is unnecessary.
The use of the wildcard with -all is an attempt to catch all e-mail which someone might send with forged malicious intermediate names:

        joe@random-host.example.com

It has been claimed that MTA software is generally configured to reject e-mail that comes from a domain that doesn't exist. While this is true at my site, I have seen no stats to back the claim up. Unless the numbers were very high (>95%), I'm not sure relying on other people's MTAs to catch this for one's domain is a good idea.

Nonetheless, many sites have wildcard MX records so that they can catch mail sent to any address. This means that they want to receive mail, no matter how it is addressed within their domain, but they don't authorize sending with such addresses. In these cases, all domains exist (due to the wildcard MX record), and so other people's MTAs won't reject based on domain non-existence.

> What I think you are really after is to put a "-all" SPF2 record for every
> (other) existing A, AAAA, and MX record.  There is no convenient DNS
> construct for this behavior.
One needs to do this as well.

        - Mark
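To make David's point concrete, here is an added illustration (not from this thread or from either author): a small simulation of RFC 1034/4592 wildcard synthesis over a constructed example.com zone, showing which sender domains actually receive the "*.example.com" -all record and which existing names are left uncovered. The zone data, hostnames and helper function names are assumptions.

```python
"""Constructed zone: owner name -> {rrtype: [rdata, ...]}. Includes the wildcard
MX (catch-all inbound) and the wildcard -all SPF2 policy discussed in the thread."""
ZONE = {
    "example.com": {"A": ["192.0.2.1"], "MX": ["10 mail.example.com"],
                    "SPF2": ['"spf2.0/pra +mx +a -all"']},
    "mail.example.com": {"A": ["192.0.2.2"]},
    "www.example.com": {"A": ["192.0.2.3"]},
    "*.example.com": {"MX": ["10 mail.example.com"], "SPF2": ['"spf2.0/pra -all"']},
}


def exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal (has descendants)."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup(zone, name, rrtype):
    """Return (status, rdata). Status is 'NOERROR' (rdata may be empty, i.e. NODATA)
    or 'NXDOMAIN'. A wildcard only synthesizes answers for names that do NOT exist
    and whose closest existing enclosing name owns a '*' child (RFC 4592)."""
    if exists(zone, name):
        return "NOERROR", zone.get(name, {}).get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if exists(zone, encloser):          # closest encloser found
            wildcard = "*." + encloser
            if wildcard in zone:
                return "NOERROR", zone[wildcard].get(rrtype, [])
            return "NXDOMAIN", []
    return "NXDOMAIN", []


def pra_policy(zone, domain):
    """The SPF2 record a PRA check would find for this sender domain, or None."""
    _, rdata = lookup(zone, domain, "SPF2")
    return rdata[0] if rdata else None


def names_missing_policy(zone):
    """Existing non-wildcard names with A/AAAA/MX but no SPF2 record: the wildcard
    cannot cover these, so each would need its own explicit -all record."""
    return sorted(n for n, rrs in zone.items() if not n.startswith("*.")
                  and "SPF2" not in rrs and any(t in rrs for t in ("A", "AAAA", "MX")))


if __name__ == "__main__":
    for d in ("example.com", "random-host.example.com", "www.example.com"):
        print(d, "->", pra_policy(ZONE, d))
    print("need explicit -all:", names_missing_policy(ZONE))
```

The forged "random-host.example.com" is caught by the wildcard because the name does not exist, but "www.example.com" (an existing host with only an A record) gets no policy at all, which is why the wildcard is not a substitute for a record on every existing name.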
