spf-discuss

RE : inherited SPF record

2004-08-05 05:45:19
Stupid question but:

(because some of my domains have hundreds of thousands of hosts)

Are you talking about SMTP hosts that can actively send e-mail on the internet?

How can you control virus spreading in such an environment?


-----Original Message-----
From: owner-spf-discuss@v2.listbox.com
[mailto:owner-spf-discuss@v2.listbox.com] On behalf of Jeremy Kister
Sent: 5 August 2004 03:22
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] inherited SPF record


I've been watching SPF for a while (and dmp even longer), and recently
decided to become an SPF participant; forgive any expressed ignorance.

after reading http://spf.pobox.com/dns.html (creating an SPF record for
every machine in my domain), I started looking for other solutions (because
some of my domains have hundreds of thousands of hosts).  I've been
searching the archives for wildcard SPF records and their implementation,
and ran across
http://open.nlnetlabs.nl/pipermail/nsd-users/2004-January/000167.html, which
answered that question.

I'm wondering if implementations of SPF parsers should traverse up the tree
until they find an SPF record.  Convincing all domain owners to add an SPF
record to each of their domains is quite a task, but asking each domain
owner to add an SPF record to each host in each domain is futile.

one disadvantage I see is that if we fall through all the way to com (or any
other top level domain), we'd be at the mercy of a possibly shady party.  On
the other hand, this could motivate domain owners to set up their own SPF
records.

another disadvantage could be a DoS, by using a domain name with hundreds of
levels, even given the size limits of RFC2821 4.5.3.1.

checking root would be pointless, and should probably be coded around.

I'd imagine that most administrators would want their SPF record to be
inherited, so I'd propose a "do not inherit" flag, and allow SPF records to
be inherited.

if we added "v=spf1 -all" to example.com, and we got mail from
user@www.bar.example.com: no SPF record for www.bar.example.com; no SPF
record for bar.example.com; SPF record found for example.com -> check if
inheritance is explicitly denied; inheritance allowed, use this SPF record.

I suppose if we traversed up the tree, and found a non-inheritable SPF
record, we'd stop right there, and say there's no SPF record for
www.bar.example.com.


I'm assuming someone thought this was a bad idea, or else it'd already be
implemented... thoughts ?


Jeremy Kister
http://jeremy.kister.net/

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta features
SPF and Sender ID. To unsubscribe, change your address, or temporarily
deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com
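The inherited-record lookup Jeremy sketches (walk up the tree until a record is found, honour a "do not inherit" flag, never fall through to the TLD or root, and bound the depth against a name with hundreds of labels), as an added example that is not part of the thread. The in-memory DNS table, the `inherit=no` token standing in for the proposed flag, and the function names are assumptions, not anything SPF actually defines.

```python
# Added example (not from the thread): a model of the proposed "inherited
# SPF record" walk, run against a constructed in-memory TXT table.
from typing import Dict, Optional

# Constructed records standing in for DNS. "inherit=no" is a hypothetical
# "do not inherit" modifier, not part of any SPF specification.
RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 -all",
    "corp.example.org": "v=spf1 mx inherit=no",
    "com": "v=spf1 +all",  # a TLD record the walk must never consult
}

MAX_LABELS = 127  # a DNS name cannot carry more labels than this anyway


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query (assumption: one SPF record per name)."""
    return RECORDS.get(name.lower().rstrip("."))


def inherited_spf(domain: str, min_labels: int = 2) -> Optional[str]:
    """Walk from `domain` toward the root until an SPF record is found.

    Returns the record that applies to `domain`, or None when none does.
    Names with fewer than `min_labels` labels are never queried, so the
    walk stops before the TLD and the root, and a record carrying the
    hypothetical `inherit=no` token applies only to the name it sits on.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > MAX_LABELS or any(not label for label in labels):
        return None  # malformed or absurdly deep name: refuse to walk
    for i in range(len(labels)):
        if len(labels) - i < min_labels:
            break  # do not fall through to the TLD or the root
        record = lookup_txt(".".join(labels[i:]))
        if record is None:
            continue  # nothing published here, go up one level
        if i > 0 and "inherit=no" in record.split():
            return None  # non-inheritable record found: stop, no SPF
        return record
    return None


if __name__ == "__main__":
    for name in ("www.bar.example.com", "host.corp.example.org", "host.unknown.com"):
        print(name, "->", inherited_spf(name))
```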

