spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New DNS record issue.

2004-01-13 09:44:39
from [Mark Lentczner] [Permanent Link]
I think we all agree that the _spf.domain.com is a technically cleaner solution that provides quite a number of benefits. But, the decision to not use _spf has much more to do with the landscape of DNS today and the ability to deploy SPF. 


the delta between "_spf." and "" becomes significant.

It becomes significant if you start colliding with other records.
Well, there really aren't others. The TXT records published by the few domains that people have held up as counter examples, aren't really a problem: They don't even come close to being confused with an SPF record. (None start with "v=spf", or even "v=" for that matter.) It is true that SPF records could be confused with the intended purpose of those other few TXT records, but, as far as we've seen, they are only used for human sys. admin. viewing.
In effect what you are saying here is that SPF is going to be so important that it can in effect claim TXT for exclusive use.
Yes. (Or at least, at the top level of a domain, and there is the "v=" convention to allow other uses...)
Nobody really cares. Besides, it's due to that kind of thinking that some DNS providers won't let you do underscores. It's easier to talk them into TXT.
If nobody cares lets do it my way. I care rather a lot. The DNS infrastructure is something we care rather a lot about.
You misunderstood Meng: Nobody really cares that upon careful reading of the RFCs, underscore DNS names are legal as long as they are not host names. In this case, the nobodies are some DNS service providers, and some DNS software authors. As a consequence, for many domain owners, they are unable to publish an SPF record under a DNS name with an underscore without changing their DNS provider and/or DNS software.
(Note: DNS software in this case is more than just the DNS server itself. It is also the entire administration chain from web based interfaces to configuration files. We've seen that, alas, any software along this chain that made the mistake of limiting DNS names to the more restrictive host names, breaks the ability to publish under the _spf domain.)
Yes - we all care about the DNS infrastructure a lot. Alas, there is so much of it already deployed, and so much of it was designed in very different internet environment with very different set of assumptions, that it is tricky to extend in a way that is deployable. I'm sad DNS doesn't have a built-in decentralized extension mechanism. (Why not have: "foo IN EXT type=com.pobox.spf, text="+mx +ptr -all", and allow queries to restrict the range of EXT records based on prefix matching of the type so as to limit the amount of returned data?) But, alas, DNS was designed in an era where every byte was expensive, and software update across the whole infrastructure was a reasonable idea.
Remember that we also want to be able to use the TXT record to do other stuff ourselves...
Yes, TXT records need an extension mechanism. Assuming that any other project that decides to publish information via TXT records comes to the same conclusions that SPF does, they'll want to put their TXT record directly in the domain. SPF has started the convention of starting such records with "v=". This way, other systems could use it "v=ipsec", etc.... This is a little better than just starting the record "spf" and "ipsec" as it reduces the chance of collision with previously existing, mostly for human consumption, TXT records.
Note that some of your examples, notably Receiver Info, can done by extending SPF. SPF was designed so that the information it asserts about mail from the domain can be extended. I can easily imagine "v=spf +mx +domainkey -all", someone just needs write RFC for the 'domainkey' mechanism.
[on implementation] Otherwise you have to start looking at the content of the record which is a bit more complex.
Since you have to look at the SPF record content to do anything with it (its mere presence doesn't tell you anything useful), having to compare the start of returned TXT records with "v=spf " isn't a difficult, or expensive, programming problem, especially in a scripting language. 

- Mark

Mark Lentczner
http://www.ozonehouse.com/mark/

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: the inevitability of SRS, Roy Badami
Next by Date:  Re: New DNS record issue., Wechsler
Previous by Thread:  Re: New DNS record issue., Greg Connor
Next by Thread:  Re: New DNS record issue., Wechsler
Indexes:  [Date] [Thread] [Top] [All Lists]