RE: proposed PGP mechanism for SPF

2004-01-15 13:41:51
Nick Phillips wrote:
I think retrieving the key this way is preferable to sticking the
whole thing in DNS. Thoughts?

I would prefer to stick the entire key in DNS, via the DNSSEC KEY RR:

[dtrammell(_at_)zelda:pts/4][2:35pm:75:0][/home/dtrammell]> dig fw.pyramid.site.leetnet.org key

; <<>> DiG 9.2.2 <<>> fw.pyramid.site.leetnet.org key
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58229
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;fw.pyramid.site.leetnet.org.   IN      KEY

;; ANSWER SECTION:
fw.pyramid.site.leetnet.org. 28482 IN   KEY     16896 4 1
AQNv6Bsk87Nxk8yw0HwYE/0Xul/Biw7qQgnK5sV7jwKKjNqM6J3q5tiK
CXUkE/4yo2Wqi1aBaPpmi4492ECXmsE4PL2RFiQawPHlh0IYM1OvNojl
vhkJOxt/+VJW4HbvaHDtse9CH3qGkGc1HGwMmdzl5CHOergMefwbkjY9
Lm/SUQpWNzvhQ9dIH7tLg1ssO+BrzBEfg66ivOUJrG8eu3ECE7IZUnSO
SeDBQZwVTZMVru1dfynKzEQCfu4KQjt5w/ol3ROy9woWRC2yLng77pTy
v3vlwQyy24l+qtac+7oYX4xl5Y65u/AmsMah9PTggIyZaX6HM+nPsIxP NvFlrXIp

Since we're really talking about a new SPF mechanism that I don't think
we can expect 100% adoption on, I don't think it would be much of a
stretch to limit this capability to DNS servers that support the
appropriate RR.

Thoughts?

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
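
Added example, not part of the original message: a Python sketch of what a verifier would have to do with a KEY RR like the one in the dig output above, decoding the `16896 4 1` fields per RFC 2535 and the RSA key material per RFC 2537 before trusting it. The function names, the 1024-bit floor and the sample key bytes are assumptions made for illustration; only the flags, protocol and algorithm values come from the record shown.

```python
import base64

# Field meanings from RFC 2535 section 3.1 (bit 0 is the most significant bit).
KEY_TYPES = {0: "auth+conf", 1: "auth only", 2: "conf only", 3: "no key"}
NAME_TYPES = {0: "user", 1: "zone", 2: "host/entity", 3: "reserved"}
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "any"}

def parse_key_rdata(text):
    """Decode 'flags protocol algorithm base64...' as printed by dig (hypothetical helper)."""
    flags_s, proto_s, alg_s, *b64 = text.split()
    flags, proto, alg = int(flags_s), int(proto_s), int(alg_s)
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    info = {"key_type": KEY_TYPES[flags >> 14],         # flag bits 0-1
            "name_type": NAME_TYPES[(flags >> 8) & 3],  # flag bits 6-7
            "protocol": PROTOCOLS.get(proto, "unknown"),
            "algorithm": alg}
    if info["key_type"] == "no key":
        return info                                     # record carries no key material
    if alg != 1:
        raise ValueError("only algorithm 1 (RSA/MD5, RFC 2537) is decoded here")
    key = base64.b64decode("".join(b64), validate=True)
    if len(key) < 3:
        raise ValueError("key material too short")
    # RFC 2537: one exponent-length octet, or 0 followed by a two-octet length.
    elen, off = key[0], 1
    if elen == 0:
        elen, off = int.from_bytes(key[1:3], "big"), 3
    if elen == 0 or len(key) <= off + elen:
        raise ValueError("truncated or malformed RSA key")
    info["exponent"] = int.from_bytes(key[off:off + elen], "big")
    info["modulus_bits"] = int.from_bytes(key[off + elen:], "big").bit_length()
    return info

def acceptable_for_email(info, min_bits=1024):
    """Policy check (assumed): key may authenticate, is scoped to email, is long enough."""
    return (info["key_type"] in ("auth+conf", "auth only")
            and info["protocol"] in ("email", "any")
            and info.get("modulus_bits", 0) >= min_bits)

# Constructed sample: fields 16896 4 1 as in the record above; the key bytes are
# made up (exponent 3, 128 filler octets), not a real RSA modulus.
SAMPLE_KEY = base64.b64encode(b"\x01\x03" + b"\xc3" + bytes(range(127))).decode()
SAMPLE_RDATA = "16896 4 1 " + SAMPLE_KEY

if __name__ == "__main__":
    info = parse_key_rdata(SAMPLE_RDATA)
    print(info, "usable for email:", acceptable_for_email(info))
```

With these fields the record decodes as a host key that may be used for authentication and is scoped to protocol 4 (IPSEC), so a verifier that honours the protocol octet would need a record published with protocol 2 or 255 for mail use.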
