Re: The demon problem, ancestor matching, and match_subdomains=yes
2004-03-23 00:44:47
--wayne <wayne(_at_)midwestcs(_dot_)com> wrote:
> Yes, this is the approach I have advocated. What you described is
> almost the same as what the res_findzonecut() function does. It is
> basically the same algorithm that is used for DNSSEC and what is used
> internally in Bind. The only major difference that I noted is that SOA
> records are, sadly, optional, so you may be forced to walk up the DNS
> tree until you find authoritative nameservers. (Which, again, is what
> Bind does.)
Wait a second, in what way are SOA records optional? This is a new one on
me...
>> 3a. If SPF exists for the same label as the SOA, honor it if it says
>> "match_subdomains=yes"
>
> Personally, I would tend to say that this algorithm should be done
> *unless* there is some modifier that says not to. In the vast
> majority of cases, this is what people will want to do, and so it
> makes sense to make it the default.
My main concern here was for folks who want to implement something for
their top-level domain (like widgets.com) and haven't thought through all
the implications for all the next-level names (like support.widgets.com,
which may be answered from India :) I do like the idea of
one-TXT-to-rule-them all... but we have to be Extra Extra careful to
explain to folks that they should SPF the next-level (longer) domains
first, even if it is ?all.
I am not 100% sure about the extra qualifier "match_subdomains=yes"
BUT it is a heck of a lot safer. If the SPF record at the SOA
level is assumed to apply to all subdomains, then the rules I might
publish for demon.co.uk would probably affect gconnor.demon.co.uk also
-- you would have to put in SPF for all the exceptions and then we're
back where we started almost.
> If you don't want to put in all the exceptions, just start your SPF
> record with "include:_spf_ok.%{d}". If there isn't an SPF record at
> _spf_ok.gconnor.demon.co.uk, then the SPF check will return Unknown.
This would work too, but I'm still a bit concerned about the inexperienced
admin writing a record that messes up all domains, even domains he is not
intending to cover with SPF yet...
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
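The following is an added toy model of the two mechanisms argued over in this message, written for this archive page and not code from any SPF implementation or from either poster. It walks up the DNS tree to the nearest name carrying an SOA (the simplified form of the res_findzonecut() idea; real resolvers also fall back to NS records, which is not modelled), applies the apex's SPF record to a subdomain only when that record carries "match_subdomains=yes", and shows wayne's "include:_spf_ok.%{d}" opt-in returning Unknown when the subdomain has published nothing. The zone data, the domain names reused from the thread, and the %{d}-only macro expansion are all constructed assumptions.

```python
"""Toy model of SPF ancestor matching with match_subdomains=yes.

Constructed zone data and simplified rules (added example, not from
any SPF implementation). Only the %{d} macro and the include: term are
modelled; everything else in a record is ignored.
"""
from typing import Dict, Iterator, Optional, Tuple

Zone = Dict[str, object]

# Constructed zone data keyed by owner name. "SOA" marks a zone apex;
# "SPF" holds that name's SPF TXT record. Names are illustrative only.
ZONES: Dict[str, Zone] = {
    "co.uk": {"SOA": True},
    "demon.co.uk": {"SOA": True,
                    "SPF": "v=spf1 ip4:192.0.2.0/24 match_subdomains=yes -all"},
    # a customer with its own record: the "exception" that overrides the apex
    "gconnor.demon.co.uk": {"SPF": "v=spf1 ip4:198.51.100.7 -all"},
    # wayne's opt-in scheme: the apex includes _spf_ok.<checked domain>
    "widgets.com": {"SOA": True,
                    "SPF": "v=spf1 include:_spf_ok.%{d} match_subdomains=yes -all"},
    "_spf_ok.widgets.com": {"SPF": "v=spf1 ip4:203.0.113.1 -all"},
    # support.widgets.com has opted in; sales.widgets.com has not
    "_spf_ok.support.widgets.com": {"SPF": "v=spf1 ip4:203.0.113.9 -all"},
    # apex record without the modifier: subdomains are NOT covered
    "example.org": {"SOA": True, "SPF": "v=spf1 ip4:192.0.2.1 -all"},
}


def labels_up(name: str) -> Iterator[str]:
    """Yield name, then each ancestor, stopping before the root."""
    parts = name.rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def find_zone_cut(name: str, zones: Dict[str, Zone] = ZONES) -> Optional[str]:
    """Walk up the tree until a name with an SOA record is found."""
    for candidate in labels_up(name):
        if zones.get(candidate, {}).get("SOA"):
            return candidate
    return None


def has_modifier(record: str, modifier: str) -> bool:
    """True if the whitespace-separated SPF record carries the given term."""
    return modifier in record.split()


def applicable_record(name: str, zones: Dict[str, Zone] = ZONES
                      ) -> Optional[Tuple[str, str]]:
    """(owner, record) governing `name`: the name's own record wins;
    otherwise the zone apex's record applies only with match_subdomains=yes."""
    own = zones.get(name, {}).get("SPF")
    if own:
        return name, str(own)
    apex = find_zone_cut(name, zones)
    if apex and apex != name:
        rec = zones.get(apex, {}).get("SPF")
        if rec and has_modifier(str(rec), "match_subdomains=yes"):
            return apex, str(rec)
    return None


def expand(term: str, domain: str) -> str:
    """Expand only the %{d} macro (the domain under check); an assumption."""
    return term.replace("%{d}", domain)


def check(name: str, zones: Dict[str, Zone] = ZONES) -> str:
    """'none' if no record applies, 'unknown' if an include: target has no
    record, else 'governed-by:<owner>' naming the record that was applied."""
    found = applicable_record(name, zones)
    if found is None:
        return "none"
    owner, record = found
    for term in record.split()[1:]:
        if term.startswith("include:"):
            target = expand(term[len("include:"):], name)
            # Include targets are looked up exactly, without ancestor matching,
            # so the opt-in record must be published per subdomain (assumption).
            if not zones.get(target, {}).get("SPF"):
                return "unknown"
    return "governed-by:" + owner


if __name__ == "__main__":
    for n in ("gconnor.demon.co.uk", "mail.demon.co.uk",
              "support.widgets.com", "sales.widgets.com", "mail.example.org"):
        print(f"{n:28} zone cut={find_zone_cut(n)!s:14} -> {check(n)}")
```

Running it shows the three outcomes the thread cares about: gconnor.demon.co.uk keeps its own record despite demon.co.uk's match_subdomains=yes, mail.demon.co.uk inherits the apex record, support.widgets.com is covered because it published _spf_ok.support.widgets.com while sales.widgets.com comes back Unknown, and mail.example.org gets no record at all because its apex never opted in.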