In <0108D91F-6D90-11D8-9D34-00039358205C(_at_)omniti(_dot_)com> Theo
Schlossnagle <jesus(_at_)omniti(_dot_)com> writes:
> On Mar 3, 2004, at 9:36 PM, wayne wrote:
> > One of the things that is on my TODO list for libspf-alt is to use
> > the res_findzonecut function to find the zone cut and look for SPF
> > records there.
> >
> > I suggest that this is the "best" way to handle these missing SPF
> > records for subdomains.
>
> Doesn't this still suffer from a malicious person making their deeply
> nested domain name appear to have zonecuts at every dot? It seems
> simple enough to do (just adding NS records at each level).

Yes, a malicious person could create lots of NS in a deeply nested
subdomain. But then, they can do that anyway. Since res_findzonecut
uses the same algorithm as is used in bind, this will be no slower
than looking up the A record for that malicious domain.

Using res_findzonecut doesn't create any new problems, and it gives a
well-established method of locating a default SPF record.

-wayne
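
The lookup discussed in this message, as an added example that is not code from the post or from libspf-alt: a simplified model that strips labels over a constructed zone table instead of calling res_findzonecut or querying the DNS. The zone names, SPF strings and the helpers `apex_lookup`, `find_zone_cut` and `default_spf` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed data (hypothetical names): zone apexes, i.e. names owning
 * SOA/NS records, and the SPF TXT record published there, if any. */
struct zone { const char *apex, *spf; };
static const struct zone ZONES[] = {
    { "example.com",     "v=spf1 mx -all" },
    { "evil.test",       "v=spf1 -all" },
    { "a.evil.test",     NULL },  /* hostile owner: an NS set at */
    { "b.a.evil.test",   NULL },  /* every dot below evil.test   */
    { "c.b.a.evil.test", NULL },
};
#define MAX_LABELS 127  /* a 255-octet DNS name holds no more labels */
static int queries;     /* simulated lookups made by the last call */

static const struct zone *apex_lookup(const char *name) {
    queries++;
    for (size_t i = 0; i < sizeof ZONES / sizeof ZONES[0]; i++)
        if (strcasecmp(ZONES[i].apex, name) == 0) return &ZONES[i];
    return NULL;
}

/* Strip one label per step until a zone apex matches; capped by label count. */
static const struct zone *find_zone_cut(const char *name) {
    queries = 0;
    for (int n = 0; name && *name && n < MAX_LABELS; n++) {
        const struct zone *z = apex_lookup(name);
        if (z) return z;
        name = strchr(name, '.');   /* move to the parent name */
        if (name) name++;
    }
    return NULL;
}

/* Default SPF policy for a host that publishes none of its own. */
const char *default_spf(const char *host) {
    const struct zone *z = find_zone_cut(host);
    return z ? z->spf : NULL;
}

int main(void) {
    const char *hosts[] = { "mail.corp.example.com", "x.c.b.a.evil.test" };
    for (int i = 0; i < 2; i++) {
        const char *spf = default_spf(hosts[i]);
        printf("%s: queries=%d spf=%s\n", hosts[i], queries, spf ? spf : "(none)");
    }
    return 0;
}
```

In this model the work per host is bounded by the number of labels in its name, and a name under the nested cuts resolves to its nearest cut rather than inheriting the policy published higher up.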