ietf-smtp

Re: Re: SPF I-D for review: draft-schlitt-spf-classic-01.txt DNS

2005-06-02 14:46:04

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=472797

The answers you got there appear to be correct - I'm more on
the ignorant side about some DNS issues, but SPF forced me
to get some basic ideas at least theoretically...

RFC 1464 is not mentioned in the references
the quotes are NOT necessary (AFAIK)

...and therefore the first thing I did when I read "1464" was
to go to Rfc-editor.org and check its status:  experimental,
1993.

OK, I know it's old and experimental, but there is no other RFC about it, so why
not follow it?


There are no necessary quotes within SPF records, it's
just a way to display strings.

That makes it even worse: is it only for display in this draft, or are they for
real?
This can have real consequences when you split the record up into
strings. (Does the second string start after the 2nd or the 3rd "?)

The "PermError" rule is NOT mentioned in 4.5 Selecting
records.

Yes, 3.1.1 and 4.5 overlap, and there might be an inconsistency
for the case "both types exist with different content".  I had
my own problems with 3.1.1 (essentially I wanted to get rid of
the offending "PermError").  Something's odd there.

What to do if both rules are not identical but they both
exclude or allow the domain in question?

foo.bar.example. IN SPF "v=spf1 +a redirect=more.bar.example"
foo.bar.example. IN TXT "v=spf1 -a redirect=more.bar.example"

Something like that ?  Ultimately policies talk about IPs,
not about domains, the a in these examples is a shorthand for
a:foo.bar.example, that again is either A or AAAA depending
on which type of IP you try to match.

And +a is of course clearly different from -a.  3.1.1 says
that this is an error if you see it.  4.5 says "use SPF and
not TXT where possible".

Yes, that is also true, but I was thinking more of something like:

foo.bar.example. IN SPF "v=spf1 +a -a:more.bar.example ~all"
foo.bar.example. IN TXT "v=spf1 a +a:more.bar.example -all"
same shorthand
(spot the 3 changes)

And you want to test for foo.bar.example
Both allow it, but they are NOT identical. What now, a PermError or a Pass?

There is a maximum of 64k length for a string in a TXT record

3.1.4 says that you're free (MAY) to ignore anything that does
not work with UDP.  Precise limits depend on the TXT or SPF
records (all of them, not only "v=spf1 " records).

If you need more space (huge ISP with lots of CIDRs) you can
"chain" policies with redirect= (see above more.bar.example).

Would it not be better to be able to chain them within one host?
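As an added illustration of two of the questions above (where the break between quoted strings falls, and what happens when the SPF and TXT records of foo.bar.example differ but both match the sender), here is a small Python model. It is not code from the thread or from the draft; the in-memory zone, the addresses 192.0.2.10 and 192.0.2.20, the recursion cap of 10 and the restriction to the a, a:<domain>, all and redirect= terms are my own assumptions made to keep the example short.

```python
# Added example, not part of the thread: TXT/SPF wire-format strings and a
# minimal check_host() run against the two differing records from the mail.
# All DNS data is constructed in-memory; nothing is looked up on the network.
import ipaddress
import re


def parse_character_strings(rdata):
    """Split TXT/SPF RDATA into its <character-string>s (RFC 1035 wire format).
    The quotes seen in a zone file are presentation syntax only: on the wire
    each string is one length octet (0..255) followed by that many octets."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        if i + 1 + n > len(rdata):
            raise ValueError("truncated character-string at offset %d" % i)
        strings.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return strings


def encode_character_strings(strings):
    """Inverse of the above: what "s1" "s2" ... in a zone file becomes on the wire."""
    out = b""
    for s in strings:
        b = s.encode("ascii")
        if len(b) > 255:
            raise ValueError("a single character-string is limited to 255 octets")
        out += bytes([len(b)]) + b
    return out


def spf_text(rdata):
    """SPF joins the strings with nothing in between, so the break between
    two quoted strings has to fall where a space already is."""
    return b"".join(parse_character_strings(rdata)).decode("ascii")


def is_spf_record(text):
    return text == "v=spf1" or text.startswith("v=spf1 ")


QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
TERM = re.compile(r"^([+\-~?]?)(a|all)(?::([A-Za-z0-9.\-]+))?$")


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def check_host(ip, domain, zone, rrtype="SPF", depth=0):
    """Toy check_host(): only a, a:<domain>, all and redirect= are understood,
    which is enough for the records quoted in the thread. The depth cap of 10
    is an assumption standing in for the draft's limit on DNS-causing terms."""
    if depth > 10:
        return "PermError"
    domain = _fqdn(domain)
    records = [r for r in zone.get(domain, {}).get(rrtype, []) if is_spf_record(r)]
    if not records:
        return "None"
    if len(records) > 1:          # two v=spf1 records of the same type
        return "PermError"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        m = TERM.match(term)
        if not m:
            return "PermError"    # anything this toy does not implement
        qual, mech, target = m.group(1) or "+", m.group(2), m.group(3) or domain
        if mech == "all":
            return QUALIFIERS[qual]
        # "a" is shorthand for a:<domain>; A or AAAA depending on the IP version.
        rrs = zone.get(_fqdn(target), {}).get("AAAA" if addr.version == 6 else "A", [])
        if any(addr == ipaddress.ip_address(a) for a in rrs):
            return QUALIFIERS[qual]
    if redirect is not None:
        return check_host(ip, redirect, zone, rrtype, depth + 1)
    return "Neutral"


def compare_types(ip, domain, zone):
    """Evaluate the SPF-type and TXT-type records separately and report
    whether their contents are identical (what section 3.1.1 asks for)."""
    d = zone[_fqdn(domain)]
    return {"SPF": check_host(ip, domain, zone, "SPF"),
            "TXT": check_host(ip, domain, zone, "TXT"),
            "identical": d.get("SPF") == d.get("TXT")}


# Constructed zone holding the second pair of records from the mail.
ZONE = {
    "foo.bar.example.": {"A": ["192.0.2.10"],
                         "SPF": ["v=spf1 +a -a:more.bar.example ~all"],
                         "TXT": ["v=spf1 a +a:more.bar.example -all"]},
    "more.bar.example.": {"A": ["192.0.2.20"]},
}

if __name__ == "__main__":
    print(spf_text(encode_character_strings(["v=spf1 +a ", "-all"])))  # split at a space
    print(spf_text(encode_character_strings(["v=spf1", "+a -all"])))   # no space: not SPF
    print(compare_types("192.0.2.10", "foo.bar.example", ZONE))
    print(compare_types("192.0.2.20", "foo.bar.example", ZONE))
```

For 192.0.2.10 (the A of foo.bar.example itself) both records give Pass although their contents differ; for 192.0.2.20 (the A of more.bar.example) the SPF-type record gives Fail and the TXT-type record gives Pass, so the choice of type decides the result. The two string examples show why the break between quoted strings matters: "v=spf1 +a " "-all" reassembles to a valid record, "v=spf1" "+a -all" reassembles to "v=spf1+a -all", which does not begin with "v=spf1 " and is not an SPF record at all.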
