Re: Forking SPF into The New SPF and SPF1

I can imagine an ugly hack to get around this.

Break things into smaller pieces manually, or with a script, and use a 
convention to make 'linked lists'.

e.g.:

_spf_000.karl.com = 'spfv9 blah blah blah'
_spf_001.karl.com = 'more blah blah'
_spf_002.karl.com = 'still more blah'
_spf_003.karl.com = 'final blah 9vfps'   # reversed version indicates end

It's not pretty, but it would allow things to remain in UDP, if the 
SPF library did multiple UDP lookups.

On Tue, 8 Jun 2004, Teddy wrote:

> Thanks for the specs. But even if a firewall SHOULD route TCP on port 53 
> there are lots of firewalls where only UDP port 53 is opened. If you 
> call this "broken" or not or if it is the admins error or not is not 
> relevant.
>
> Teddy
>
> Theo Van Dinter wrote:
> > On Mon, Jun 07, 2004 at 02:27:10PM -0700, Michel Py wrote:
> >
> > > I wrote "queries", not "transfers". To begin with, I looked at customers
> > > access-lists this morning WRT DNS and I have not found a single one that
> > > allowed DNS over TCP except for a little number of other DNS servers
> > > that are known to transfer zones with the DNS server protected by the
> >
> > So all of their firewalls are broken.  Gotcha. :)
> >
> >
> > > have to explain me how you do that. At this point in time DNS queries
> > > over TCP are not an option because a) they are largely untested and b)
> > > they are blocked by almost every access-list in the world.
> >
> > Says you.  To me, it sounds like the admin doesn't know DNS does UDP
> > and TCP.  (to note: every firewall I've ever setup or taken over supports
> > UDP and TCP, and all firewall appliances I've seen understand both should
> > be allowed when you say "service dns"...)
> >
> >
> > > Note that it says permit udp, not permit tcp or permit ip.
> >
> > Then they're broken IMHO.  The RFC is very clear that TCP is going
> > to happen sometimes, although it technically only specifies that
> > servers/clients "SHOULD" do TCP if the UDP response is truncated:
> >
> > http://www.faqs.org/rfcs/rfc1123.html
> >          6.1.3.2  Transport Protocols
> >
> >             DNS resolvers and recursive servers MUST support UDP, and
> >             SHOULD support TCP, for sending (non-zone-transfer) queries.
> >             Specifically, a DNS resolver or server that is sending a
> >             non-zone-transfer query MUST send a UDP query first.  If the
> >             Answer section of the response is truncated and if the
> >             requester supports TCP, it SHOULD try the query again using
> >             TCP.
> > [... snipped very nice discussion section ...]
> >                  However, it is also clear that some new DNS record
> >                  types defined in the future will contain information
> >                  exceeding the 512 byte limit that applies to UDP, and
> >                  hence will require TCP.  Thus, resolvers and name
> >                  servers should implement TCP services as a backup to
> >                  UDP today, with the knowledge that they will require
> >                  the TCP service in the future.
> >
> >
> >
> > http://www.faqs.org/rfcs/rfc1035.html
> > 4.2. Transport
> >
> > The DNS assumes that messages will be transmitted as datagrams or in a
> > byte stream carried by a virtual circuit.  While virtual circuits can be
> > used for any DNS activity, datagrams are preferred for queries due to
> > their lower overhead and better performance.  Zone refresh activities
> > must use virtual circuits because of the need for reliable transfer.
> >
> > The Internet supports name server access using TCP [RFC-793] on server
> > port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
> > port 53 (decimal).
> >
> > 4.2.1. UDP usage
> >
> > Messages sent using UDP user server port 53 (decimal).
> >
> > Messages carried by UDP are restricted to 512 bytes (not counting the IP
> > or UDP headers).  Longer messages are truncated and the TC bit is set in
> > the header.
> >
> >
> > http://www.faqs.org/rfcs/rfc1912.html
> >    [...] You also run the risk of overflowing the 512- byte limit of a
> >    UDP packet in the response to an NS query.  If this happens, resolvers
> >    will "fall back" to using TCP requests, resulting in increased load
> >    on your nameserver.
> -- 
> Teddy's Computerworld      http://www.teddy.ch/
> Himmelrainweg 2            mailto:teddy(_at_)teddy(_dot_)ch
> 4450 Sissach               076 383 80 60
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> To unsubscribe, change your address, or temporarily deactivate your 
> subscription, 
> please go to 
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com