willemien(_at_)amidatrust(_dot_)com wrote:
http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=472797
The answers you got there appear to be correct - I'm more on
the ignorant side about some DNS isssues, but SPF forced me
to get some basic ideas at least theoretically...
RFC 1464 is not mentioned in the references
the quotes are NOT nessesary (AFAIK)
...and therefore the first thing I did when I read "1464" was
to go to Rfc-editor.org and check its status: experimental,
1993. There are no necessary quotes within SPF records, it's
just a way to display strings.
The "PermError" rule is NOT mentioned in 4.5 Selecting
records.
Yes, 3.1.1 and 4.5 overlap, and there might be an inconsistency
for the case "both types exist with different content". I had
my own problems with 3.1.1 (essentially I wanted to get rid of
the offending "PermError"). Something's odd there.
What to do if both rules are not identical but they both
exclude or allow the domain in question?
foo.bar.example. IN SPF "v=spf1 +a redirect=more.bar.example"
foo.bar.example. IN TXT "v=spf1 -a redirect=more.bar.example"
Something like that ? Ultimately policies talk about IPs,
not about domains, the a in these examples is a shorthand for
a:foo.bar.example, that again is either A or AAAA depending
on which type of IP you try to match.
And +a is of course clearly different from -a. 3.1.1 says
that this is an error if you see it. 4.5 says "use SPF and
not TXT where possible".
There is a maximum of 64k length for a string in a TXT record
3.1.4 says that you're free (MAY) to ignore anything that does
not work with UDP. Precise limits depend on the TXT or SPF
records (all of them, not only "v=spf1 " records).
If you need more space (huge ISP with lots of CIDRs) you can
"chain" policies with redirect= (see above more.bar.example).
Bye, Frank