Another common misunderstanding of DNS wildcards:
Yet another misunderstanding of DNS wildcards:
Given...
*.example.com TXT "blah"
foo.bar.example.com A 192.0.2.1
...people might think that the wildcard will synthesize...
bar.example.com TXT "blah"
..and...
gold.bar.example.com TXT "blah".
This is, however, not always true.
Sure. That's why I've proposed before:
Let's place SPF data into an "spfv1" subdomain.
This way DNS software can be modified to answer all unknown
"spfv1.<anything>.domain.tld" queries with the default SPF record "v=spfv1 -all".
But I would like to add one more note:
There is no need for wildcard SPF records!!
It is possible to send a single DNS request for multiple record types and
domains (RFC 1035 Sect. 4.1.2: "QDCOUNT (usually 1)", but in our case it will be 4).
IMHO, current SPF checkers do not benefit from this DNS feature.
It would be possible to create a single request for the TXT, A, MX and AAAA record types.
QDCOUNT = 4
{
  QNAME = domain.example.com
  QTYPE = A
  QCLASS = IN,

  QNAME = domain.example.com
  QTYPE = MX
  QCLASS = IN,

  QNAME = domain.example.com
  QTYPE = AAAA
  QCLASS = IN,

  QNAME = spfv1.domain.example.com
  QTYPE = TXT
  QCLASS = IN
}
Taking into account message compression (RFC 1035 Sect. 4.1.4.), the size of the request
will be extremely small.
Take a look at the TXT record question when the subdomain is used. It will look like:
  QNAME = [5]"spfv1"<two octet pointer to domain.example.com>
  QTYPE = TXT
  QCLASS = IN
}
This is almost the same as having our own RR type:
  QNAME = <two octet pointer to domain.example.com>
  QTYPE = SPF_RECORD_TYPE
  QCLASS = IN
}
So? It's trivial to understand how SPF validation must be performed. Here is
a chart:
Found?
A/MX/AAAA   TXT
Yes         Yes   SPF can perform SPF record validation.
                  We are lucky! We already have the answer for
                  the most common A/MX questions.
No          Yes   How can this be possible??
                  SPF record validation can be optional,
                  but most likely this is forgery.
Yes         No    SPF status = None
No          No    Clearly forgery
This multiple-RR-type request will work well for most unknown
domains/hostnames.
As well, using a single request will increase overall DNS responsibility and
decrease traffic/workload.
Unfortunately this requires TXT records to be small for the entire A/MX/AAAA/TXT
answer to fit in 512 bytes of UDP.
Summary: a subdomain for SPF is a must!! This will simplify migration to our own SPF
RR type.
-------
Andriy G. Tereshchenko
Odessa, Ukraine
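The four-question request and the compressed "spfv1" TXT question described in the post above, as an added Python example (not code from the post or from any SPF implementation): it encodes the message with RFC 1035 4.1.4 compression pointers and parses it back. The transaction ID and the RD flag are assumptions; the question list is the post's own.

```python
import struct
QTYPE = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28}  # RFC 1035 / RFC 3596 codes
QCLASS_IN = 1

def encode_name(name, msg, offsets):
    """Append name to msg in wire form, pointing at any suffix already emitted."""
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            msg += struct.pack("!H", 0xC000 | offsets[suffix])  # 11 + 14-bit offset
            return
        offsets[suffix] = len(msg)
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00"  # root label terminates an uncompressed name

def build_query(questions, txid=0x1234):
    """One QUERY message whose question section holds len(questions) entries."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x0100, len(questions), 0, 0, 0))
    offsets = {}  # shared across questions so later names can point back
    for name, qtype in questions:
        encode_name(name, msg, offsets)
        msg += struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    return bytes(msg)

def decode_name(msg, pos):
    """Read a possibly compressed name at pos; return (name, position after it)."""
    labels, after = [], None
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # pointer: continue at the offset it names
            after = after if after is not None else pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if after is None else after)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_questions(msg):
    """Walk the question section; returns [(name, qtype, qclass), ...]."""
    qdcount, pos, out = struct.unpack("!H", msg[4:6])[0], 12, []
    for _ in range(qdcount):
        name, pos = decode_name(msg, pos)
        out.append((name,) + struct.unpack("!HH", msg[pos:pos + 4]))
        pos += 4
    return out

# The post's request: A/MX/AAAA for the domain plus TXT at spfv1.<domain> (60 bytes)
SPF_QUESTIONS = [("domain.example.com", "A"), ("domain.example.com", "MX"),
                 ("domain.example.com", "AAAA"), ("spfv1.domain.example.com", "TXT")]
```

The encoder only demonstrates the wire format: most resolvers and authoritative servers answer a QUERY with QDCOUNT > 1 with FORMERR, and RFC 9619 now restricts QDCOUNT in QUERY to 0 or 1.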