At 03:27 PM 4/4/2004, Nico Kadel-Garcia wrote:
> My concern is that we avoid *insisting* on either a valid ptr, or that a
> PTR match an A record that in turn matches the PTR. There is a potential
> benefit in blocking forgeries that fake PTR records to point to a PTR
> permitted hostname and then lie about what their hostname is. That way
> lies a nasty, nasty little verification cycle that is inappropriate to
> insist be valid. Forward A records matching the PTR records are *not*
> required for valid DNS, and should not be required for SPF.

If no verification is to be done on PTR records, then the PTR mechanism
should be removed from SPF. Otherwise SPF records containing ptr will be
targeted because they are easy to forge - all a spammer would have to do is
create a PTR record pointing to the target domain.
If SPF is going to validate a sender based on its PTR record, SPF *must* be
able to trust that PTR record. Without that forward lookup, the ptr
mechanism would be a big, tempting loophole.
Kelson Vibber
SpeedGate Communications <www.speed.net>
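The check the two messages argue over, as an added example that is not part of the original thread: the "ptr" mechanism with and without the forward lookup. The zone data is constructed and served from in-memory dictionaries instead of live DNS so the script runs offline; the hostnames, addresses and helper names are assumptions, but the validation rule (keep only PTR names whose A records contain the connecting IP, then compare to the domain) is the one the SPF specification later codified for "ptr" (RFC 7208, section 5.5).

```python
"""Forward-confirmed reverse DNS for SPF's "ptr" mechanism (added example).

The zone data below is constructed for illustration; lookup_ptr/lookup_a
stand in for real reverse and forward DNS queries.
"""

# Constructed reverse-zone data, i.e. what in-addr.arpa would answer.
# The attacker controls the reverse zone for its own address block,
# so it can make 198.51.100.7 claim to be mail.example.com.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.com"],       # honest sender: PTR and A agree
    "198.51.100.7": ["mail.example.com"],     # forged PTR pointing at the target domain
    "203.0.113.5": ["relay.example.com", "stale.example.com"],  # one confirmable, one stale
}

# Constructed forward-zone data owned by example.com; the attacker cannot edit it.
A_RECORDS = {
    "mail.example.com": ["192.0.2.10"],
    "relay.example.com": ["203.0.113.5"],
    "stale.example.com": ["203.0.113.99"],
}

MAX_PTR_NAMES = 10  # the SPF spec caps the PTR names evaluated at 10 to bound lookups


def lookup_ptr(ip):
    """Stand-in for a reverse (PTR) query; returns [] for unknown addresses."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    """Stand-in for a forward (A) query; returns [] for unknown names."""
    return A_RECORDS.get(name, [])


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def validated_hostnames(ip):
    """PTR names for ip that are forward-confirmed: their A records contain ip."""
    confirmed = []
    for name in lookup_ptr(ip)[:MAX_PTR_NAMES]:
        if ip in lookup_a(name):
            confirmed.append(normalize(name))
    return confirmed


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def ptr_mechanism_matches(ip, domain):
    """SPF "ptr" as specified: only forward-confirmed names are compared."""
    return any(in_domain(n, domain) for n in validated_hostnames(ip))


def naive_ptr_matches(ip, domain):
    """The loophole: trust whatever the PTR says without the forward lookup."""
    return any(in_domain(n, domain) for n in lookup_ptr(ip))


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip,
              "naive:", naive_ptr_matches(ip, "example.com"),
              "validated:", ptr_mechanism_matches(ip, "example.com"))
```

Run as a script, the forged sender 198.51.100.7 passes the naive check and fails the validated one, which is exactly the loophole the reply describes. Note that the validated check never needs the PTR and A records to form a closed cycle: 203.0.113.5 matches on the strength of relay.example.com alone, and the stale second name is simply ignored rather than causing a failure.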