On Sun, Nov 30, 2003 at 12:08:21 -0500, Meng Weng Wong wrote:
On Sun, Nov 30, 2003 at 12:50:32PM +0100, Philipp Morger wrote:
|
| IMHO it's quite a shame that in a new RFC IPv6 has to struggle
| with IPv4 - remember, RFCs sometimes get quite old, so in 20 years, when
| IPv4 is just a page in the history books, you might still have this RFC
| in place. I also want to point out that once these DNS records are in
| place, it would take the same effort to upgrade those records to a new
| version. So IMHO it's quite bad to mix v4 and v6, and the thought came
| up in me: I mean, look at it: ::1//128 - anybody who is in the network
| field must ask himself - what were those guys thinking?
|
These are good criticisms. Could you suggest a better syntax for the
following mechanisms?
a
mx
ip4
ip6
thanks
OK... I'll give it a shot...
--------
5.2 'a'
This mechanism matches if the <sending-host> is one of the
<target-name>'s IP addresses.
A = 'a' [ ':' domain-spec ] [ dual-cidr-length ]
The <sending-host> is compared to the IP address(es) of the
<target-name>. If any address matches, the mechanism matches.
----
First of all, I would introduce a method called 'aaaa'; with that, any
dual-cidr-length would no longer be needed, as you can have it as follows:
a:dominion.ch/29, aaaa:dominion.ch/48
--------
5.3 'mx'
This mechanism matches if the <sending-host> is one of the MX hosts
for a domain name.
MX = 'mx' [ ':' domain-spec ] [ dual-cidr-length ]
SPF clients first perform an MX lookup on the <target-name>. SPF
clients then perform an A lookup on each MX name returned, in order
of MX priority. The <sending-host> is compared to each returned IP
address. If any address matches, the mechanism matches.
----
I don't see the need for any cidr at all, because I can say it as follows:
mx:dominion.ch, ip4:192.168.1.0/24, aaaa:dolphins.ch/32,
ptr:someotherhost.example.com
That would allow all MXs for dominion.ch, all hosts in 192.168.1.0/24, the
whole IPv6 range of dolphins.ch, and someotherhost.example.com.
--------
5.5 'ip4' and 'ip6'
These mechanisms test if the <sending-host> falls into a given IP
network.
IP4 = 'ip4' ':' ipv4-network [ ip4-cidr-length ]
IP6 = 'ip6' ':' ipv6-network [ '/' ip6-cidr-length ]
ip4-cidr-length = [ '/' 1*DIGIT ]
ip6-cidr-length = [ '/' 1*DIGIT ]
The <sending-host> is compared to the given network. If they match,
the mechanism matches.
----
I don't think this section needs any change... I can only assume that this
IP4 = 'ip4' ':' ipv4-network [ ip4-cidr-length ]
should look like this:
IP4 = 'ip4' ':' ipv4-network [ '/' ip4-cidr-length ]
--------
To make it short:
A = 'a' [ ':' domain-spec ] [ ip4-cidr-length ]
AAAA = 'aaaa' [ ':' domain-spec ] [ ip6-cidr-length ]
MX = 'mx' [ ':' domain-spec ]
PTR = 'ptr' [ ':' domain-spec ]
IP4 = 'ip4' ':' ipv4-network [ ip4-cidr-length ]
IP6 = 'ip6' ':' ipv6-network [ ip6-cidr-length ]
--------
One note for developers, or the RFC editor of SPF: it might look obvious, but I
want to point out that there might be a certain "hole" in the ptr mechanism:
assume I know that MTA mta.example.com allows mail from
ptr:backuphost.example.com - when I enter a PTR for my IP that points to
backuphost.example.com, then I'm in. You have to verify that the IP's PTR also
has a matching forward record! (which in turn might IMHO be an A, AAAA or CNAME
record)
my 2c
Philipp
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?listname