spf-discuss
[Top] [All Lists]

Re: The demon problem, ancestor matching, and match_subdomains=yes

2004-03-24 05:50:26
On Mon, Mar 22, 2004 at 11:44:47PM -0800, Greg Connor wrote:

Yes, this is the approach I have advocated.  What you described is
almost the same as what the res_findzonecut() function does.  It is
basically the same algorithm that is used for DNSSEC and what is used
internally in Bind.  The only major different that I noted is that SOA
records are, sadly, optional, so you may be forced to walk up the DNS
tree until you find authorative nameservers.  (Which, again, is what
Bind does.)


Wait a second, in what way are SOA records optional?  This is a new one on 
me...

SOA records are not optional.  In the bind source, a subroutine expects
to find a complementary soa record so to speak.

Not the SOA record itself was optional, inclusion of the SOA record in
this reply was.

Example: ask for SOA record on ergens.op.het.net, receive SOA record
for het.net

Alex