ietf-mxcomp

Re: consensus call of RR prefix

2004-09-08 14:47:05

On Wednesday 08 September 2004 4:21 pm, Mark Lentczner wrote:
> > On Sunday 05 September 2004 5:01 pm, Mark Lentczner wrote:
> > > Usually, the use of the wild-card record is to say "-all" for anything
> > > in a subdomain, and hence this record would not be the same as the
> > > domain's record:
> > >
> > >  with prefix:
> > >  _prefix.example.com IN SPF2 "spf2.0/pra +mx +a -all"
> > >  *.example.com       IN SPF2 "spf2.0/pra -all"
> > >
> > >  without prefix:
> > >  example.com         IN SPF2 "spf2.0/pra +mx +a -all"
> > >  *.example.com       IN SPF2 "spf2.0/pra -all"
>
> On Sep 6, 2004, at 7:34 PM, David Blacka wrote:
> > This is not a valid use of DNS wildcards, assuming I understand the
> > problem you are trying to solve.
>
> I'm not sure what you mean by 'valid' here -- certainly the domain file
> is legal and works.

I meant that it wouldn't work as I thought you were describing it, not that it 
wouldn't load.

> > In your example, "*.example.com  IN SPF2 "spf2.0/pra -all"", would only
> > match names in example.com that do not exist (actually, the matching
> > behavior is a bit more subtle than that).  But, as has been pointed out
> > on this list more than once, saying "-all" for non-existent names is
> > unnecessary.
>
> The use of the wildcard with -all is an attempt to catch all e-mail
> which someone might send with forged malicious intermediate names:
>
>  joe@random-host.example.com
>
> It has been claimed that MTA software is generally configured to reject
> e-mail that comes from a domain that doesn't exist.  While this is true
> at my site, I have seen no stats to back the claim up.  Unless the
> numbers were very high (>95%), I'm not sure relying on other people's
> MTAs to catch this for one's domain is a good idea.

Well, you are relying on them to do the Sender-ID check, right?

> Nonetheless, many sites have wildcard MX records so that they can catch
> mail sent to any address.  This means that they want to receive mail,
> no matter how it is addressed within their domain, but they don't
> authorize sending with such addresses.  In these cases, all domains
> exist (due to the wildcard MX record), and so other people's MTAs won't
> reject based on domain non-existence.

This wasn't the case that you were describing (as I read it, anyway).  This is 
a case where a wildcard SPF2 or TXT record *would* work.

> > What I think you are really after is to put a "-all" SPF2 record for
> > every (other) existing A, AAAA, and MX record.  There is no convenient
> > DNS construct for this behavior.
>
> One needs to do this as well.

You would need to put a wildcard "-all" record below each existing name in 
your zone as well (except delegations).  Again, if I understand your problem 
correctly.

For the record, I think that RECOMMENDING that people publish wildcard "-all" 
records (in the absence of a wildcard MX) is not a good idea at all.

--
David Blacka    <davidb(_at_)verisignlabs(_dot_)com> 
Sr. Engineer    VeriSign Applied Research
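As an added illustration of the wildcard matching rule this exchange turns on (example code written for this page, not from the thread or either author), the following Python lookup walks a constructed zone and reports which names actually receive the wildcard "-all" record; the zone contents and the names `ZONE`, `name_exists` and `lookup` are assumptions for the example.

```python
# Added example, not from the thread: a toy lookup over a constructed zone that applies the
# RFC 1034/4592 wildcard rule the discussion turns on. A wildcard record is used only for
# names that do not exist; a name exists when it owns records or has records below it.

ZONE = {  # constructed sample zone; owner names are absolute (trailing dot)
    "example.com.":       {"MX": ["mail.example.com."],
                           "SPF2": ["spf2.0/pra +mx +a -all"]},
    "*.example.com.":     {"SPF2": ["spf2.0/pra -all"]},
    "mail.example.com.":  {"A": ["192.0.2.25"]},
    "www.example.com.":   {"A": ["192.0.2.80"]},
    "*.www.example.com.": {"SPF2": ["spf2.0/pra -all"]},  # per-name wildcard below an existing host
}


def name_exists(zone, qname):
    """True if qname owns records or is an ancestor of an owner name (empty non-terminal)."""
    return any(owner == qname or owner.endswith("." + qname) for owner in zone)


def lookup(zone, qname, rrtype):
    """Return (status, rdata); status is one of exact, nodata, wildcard, nxdomain."""
    if qname in zone:  # the name exists: a wildcard is never consulted
        rdata = zone[qname].get(rrtype, [])
        return ("exact" if rdata else "nodata", rdata)
    if name_exists(zone, qname):  # empty non-terminal: exists, but owns nothing
        return ("nodata", [])
    # Strip leading labels until a name that exists is found (the closest encloser);
    # only a wildcard owned directly by that encloser may synthesise an answer.
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            wild = "*." + encloser
            if wild in zone:
                rdata = zone[wild].get(rrtype, [])
                return ("wildcard" if rdata else "nodata", rdata)
            return ("nxdomain", [])
    return ("nxdomain", [])


if __name__ == "__main__":
    for q in ["random-host.example.com.", "mail.example.com.",
              "joe.mail.example.com.", "joe.www.example.com."]:
        print(q, lookup(ZONE, q, "SPF2"))
```

The forged random-host name is covered by the apex wildcard, but mail.example.com (an existing host) gets no SPF2 answer and names beneath it get NXDOMAIN unless a wildcard is published directly under that host, which is the gap the last two paragraphs above point out.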

