
Re: [spfbis] [dnsext] Obsoleting SPF RRTYPE

2013-04-30 21:12:12

In message <517FF144(_dot_)5040600(_at_)tana(_dot_)it>, Alessandro Vesely writes:
On Tue 30/Apr/2013 01:07:42 +0200 Mark Andrews wrote:

    The really annoying thing is that SPF is technically superior
    to TXT in lots of ways.

    1. It uniquely identifies the role of the record.

    2. As SPF records are singletons you don't need to identify
       and remove the old record when updating.  You can just
       remove all SPF records and add the replacement.

       For TXT you need to look up the existing RRset, extract
       the v=spf1 record from it.  You then need to create an
       UPDATE message to delete just that record as well as add
       the new TXT record.   You then have to hope that no one
       else is performing a simultaneous update as you may get
       two TXT v=spf1 records in the RRset.

That's true, except that one has TXT records anyway.

        nsupdate
        update del example.com SPF
        update add example.com 3600 SPF v=spf1 ....
        send

        # turn every existing v=spf1 TXT record into an "update del" line
        txt=`dig +short example.com TXT | \
        sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
               -e '/^"v=spf1"$/s/^/update del example.com TXT /p'`
        nsupdate << EOF
        $txt
        update add example.com 3600 TXT v=spf1 ....
        send
        EOF

        But that doesn't work for 'example.com TXT "v" "=" "s" "p" "f" "1"'
        which is a perfectly legal SPF record.

        sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=spf1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=" "spf1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=" "s" "pf1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=" "s" "p" "f1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=" "s" "p" "f" "1 /s/^/update del example.com TXT /p' \
               -e '/^"v" "=" "s" "p" "f" "1" " /s/^/update del example.com TXT /p' \
               -e '/^"v=spf1"$/s/^/update del example.com TXT /p'`
        
        And keep going because the delete needs the rdata to be a
        perfect match to identify the record to be removed.

        I'm sure I could come up with a more compact way of identifying
        an SPF record but it wouldn't be needed if people published type
        SPF.

    The complaints about using SPF are that there are broken
    firewalls, some servers drop queries for it, and some registrars
    don't support it.

Nits, as explained below.  The basic fact that killed the SPF type is
the ability to use TXT as a replacement.  There must be an analogue
of Gresham's law:  "Bad types drive out good ones."

    For firewalls, fix/replace the firewall if you intend to
    deploy SPF and it doesn't support it.  It is total !@##@#
    that firewalls are incapable of handling new DNS record
    types.  New records were expected to occur from the very
    beginning and have been coming out regularly ever since the
    DNS was invented.  Firewall vendors that are incapable of
    handling new DNS types are incompetent and do not deserve
    repeat business.

    For servers that drop SPF queries, they really are at the
    noise level.  When you identify one you complain to the
    owners of it.  Yes, that does work.  We needed to do that
    for AAAA records.

    For registrars, change registrar to one that does.

While it's too late for SPF, we can learn this lesson.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
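Added example, not code from the thread, from ISC or from nsupdate itself: it does what the growing sed expression above tries to do, but by parsing the `dig +short NAME TXT` presentation format (including `\"`, `\\` and `\DDD` escapes) and concatenating the `<character-string>` chunks before testing for the `v=spf1` version section, so `"v" "=" "s" "p" "f" "1"` and every other chunking is found. It emits the `update del` lines with the rdata copied verbatim, because an RFC 2136 single-RR delete only matches an exact rdata, and it guards against the simultaneous-update race described above with a value-dependent `prereq yxrrset` on the TXT RRset as read. The sample dig output, the name `example.com` and the replacement record are constructed for the example.

```python
#!/usr/bin/env python3
# Find the v=spf1 record(s) in `dig +short NAME TXT` output regardless of how
# the rdata is split into <character-string> chunks, and build the nsupdate
# script that replaces them.  Constructed example, not code from the thread.
import sys

MAX_CHUNK = 255  # wire-format limit of one TXT <character-string>


def parse_txt_presentation(line):
    # Split one dig +short TXT line into its unescaped chunk strings.
    # Handles the RFC 1035 presentation escapes \" , \\ and \DDD (decimal).
    chunks, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        if line[i] != '"':
            raise ValueError(f"expected '\"' at offset {i} in {line!r}")
        i += 1                      # skip opening quote
        buf = []
        while i < n and line[i] != '"':
            c = line[i]
            if c == "\\":
                i += 1
                if i + 3 <= n and line[i:i + 3].isdigit():
                    buf.append(chr(int(line[i:i + 3])))   # \DDD escape
                    i += 3
                    continue
                if i >= n:
                    raise ValueError(f"dangling backslash in {line!r}")
                c = line[i]         # \" or \\ : take the next char literally
            buf.append(c)
            i += 1
        if i >= n:
            raise ValueError(f"unterminated string in {line!r}")
        i += 1                      # skip closing quote
        chunks.append("".join(buf))
    return chunks


def is_spf_record(chunks):
    # RFC 7208 section 4.5: the record is SPF when the concatenated text
    # begins with the version section "v=spf1" followed by a space or the end.
    text = "".join(chunks)
    return text == "v=spf1" or text.startswith("v=spf1 ")


def to_presentation(text):
    # Quote ASCII text as TXT rdata: split at 255 octets, escape \ and ".
    out = []
    for i in range(0, len(text), MAX_CHUNK):
        piece = text[i:i + MAX_CHUNK].replace("\\", "\\\\").replace('"', '\\"')
        out.append('"' + piece + '"')
    return " ".join(out)


def spf_delete_updates(dig_lines, name):
    # One "update del" per SPF record, reusing the presentation line verbatim:
    # RFC 2136 deletes a single RR only when the rdata matches exactly.
    updates = []
    for line in dig_lines:
        line = line.strip()
        if line and is_spf_record(parse_txt_presentation(line)):
            updates.append(f"update del {name} TXT {line}")
    return updates


def build_nsupdate_script(dig_lines, name, new_spf, ttl=3600):
    # A value-dependent "prereq yxrrset" listing the TXT RRset as we read it
    # makes the server refuse the whole update if the RRset changed in the
    # meantime, so a concurrent edit ends in an error, not two v=spf1 records.
    rrset = [l.strip() for l in dig_lines if l.strip()]
    script = [f"prereq yxrrset {name} TXT {rdata}" for rdata in rrset]
    script += spf_delete_updates(rrset, name)
    script.append(f"update add {name} {ttl} TXT {to_presentation(new_spf)}")
    script.append("send")
    return "\n".join(script) + "\n"


# Constructed sample of `dig +short example.com TXT` output; the SPF record is
# deliberately split one character per string, as in the thread.
SAMPLE_DIG_OUTPUT = [
    '"google-site-verification=0123456789abcdef"',
    '"v" "=" "s" "p" "f" "1" " include:_spf.example.net -all"',
    '"v=spf10 is not an SPF record"',
    '"v=spf1"',
]

if __name__ == "__main__":
    # usage: dig +short example.com TXT | spf_update.py example.com 'v=spf1 ... -all' | nsupdate
    if len(sys.argv) == 3:
        sys.stdout.write(build_nsupdate_script(sys.stdin, sys.argv[1], sys.argv[2]))
    else:
        sys.stdout.write(build_nsupdate_script(
            SAMPLE_DIG_OUTPUT, "example.com", "v=spf1 include:_spf.example.net -all"))
```

Piped into `nsupdate`, the generated script fails with a prerequisite error rather than adding a second `v=spf1` record if another writer changed the TXT RRset between the `dig` and the `send`; with type SPF the singleton semantics Mark describes would have made both the parsing and the prerequisite unnecessary.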