
Re: [spfbis] Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

2013-08-21 18:32:00

In message 
<0c3746c3-dac1-471f-bd07-8faf20481337(_at_)email(_dot_)android(_dot_)com>, 
Scott Kitterman writes:


Mark Andrews <marka(_at_)isc(_dot_)org> wrote:

In message 
<20130821214832(_dot_)1C92538C0230(_at_)drugs(_dot_)dv(_dot_)isc(_dot_)org>, 
Mark Andrews
writes:
It's primarily an issue for applications.  To the DNS, it's exactly what it is, a TXT record.

I can hand update of A and AAAA records to the machine.
I can hand update of MX records to the mail administrator.
I can hand update of SPF records to the mail administrator.
I can hand update of TXT records to ??????

No one because it has multiple uses.  This is true whether SPF exists or not.
SPF use of RRTYPE TXT for SPF records makes that neither better nor worse.

You could publish:

example.com IN TXT v=spf1 redirect=_spf.example.com
_spf.example.com IN TXT v=spf1 [actual content here]

Then delegate _spf.example.com to the mail administrator.  Problem solved.

No, it is NOT solved.  You have to trust *everyone* with the ability
to update TXT not to remove / alter that record.  You can't give someone
you don't trust the ability to update TXT.

With a published SPF record and SPF lookup first stopping on success
or lookup failure (SERVFAIL) you can give update control of TXT to
someone you don't trust enough to not remove / alter the SPF TXT
record.

You keep telling us the TXT is just another record in the DNS.  Well
the DNS is managed at the granularity of the TYPE.  4408bis is forcing
sub-type management to be developed and deployed to maintain the
status quo.  TXT is no longer "just another record in the DNS" with
4408bis as it currently stands.

And to Google your motto is "Do No Evil".  Publishing a TXT SPF record
without publishing a SPF SPF record is "Evil" as it encourages others to
do the same.

Mark

Scott K
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
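
Added example, not part of the original message and not taken from any SPF implementation: a toy model of the two lookup orders discussed in this thread (type SPF first with TXT fallback, versus TXT only), applied to the redirect/delegation layout proposed above. The zone contents, function names and the redirect bound are assumptions made for illustration; redirect handling is simplified.

```python
# Added illustration: a toy in-memory zone, not a resolver or a full SPF evaluator.
SERVFAIL = "SERVFAIL"  # stand-in for a failed lookup

def select_record(zone, name, spf_type_first):
    """Pick the SPF policy string published at one name.

    spf_type_first=True : query type SPF, stop on an answer or SERVFAIL,
                          fall back to TXT only when type SPF has no data.
    spf_type_first=False: TXT-only lookup, as in 4408bis.
    """
    for rrtype in (["SPF", "TXT"] if spf_type_first else ["TXT"]):
        rrset = zone.get((name, rrtype), [])
        if rrset == SERVFAIL:
            return ("temperror", None)
        found = [r for r in rrset if r == "v=spf1" or r.startswith("v=spf1 ")]
        if len(found) > 1:
            return ("permerror", None)
        if found:
            return ("ok", found[0])
    return ("none", None)

def resolve_policy(zone, name, spf_type_first, depth=0):
    """Follow redirect= (simplified: always followed when present)."""
    result, record = select_record(zone, name, spf_type_first)
    if result != "ok":
        # A redirect target without a record is an error, not "no policy".
        return ("permerror" if depth and result == "none" else result, None)
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            if depth >= 10:  # bound the chain; the limit here is illustrative
                return ("permerror", None)
            return resolve_policy(zone, term[len("redirect="):], spf_type_first, depth + 1)
    return ("ok", record)

def build_zone(publish_spf_type, apex_txt_edited):
    """Constructed sample data. apex_txt_edited models a TXT editor at the
    apex dropping the v=spf1 string while maintaining some other TXT use."""
    redirect = "v=spf1 redirect=_spf.example.com"
    policy = "v=spf1 ip4:192.0.2.0/24 -all"
    apex_txt = ["other-application=constructed-value"]
    if not apex_txt_edited:
        apex_txt.append(redirect)
    zone = {("example.com", "TXT"): apex_txt,
            ("_spf.example.com", "TXT"): [policy]}
    if publish_spf_type:
        zone[("example.com", "SPF")] = [redirect]
        zone[("_spf.example.com", "SPF")] = [policy]
    return zone
```

In this model the delegated `_spf.example.com` content is never touched; what changes the outcome is whether the apex redirect can be reached through a type the TXT editor does not control.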
