spf-discuss

RE: DNS Wildcards Myth #1

2004-08-05 19:04:21
> Another common misunderstanding of DNS wildcards:
> Yet another misunderstanding of DNS wildcards:
> Given...
>         *.example.com       TXT "blah"
>         foo.bar.example.com A   192.0.2.1
> ...people might think that the wildcard will synthesize...
>         bar.example.com     TXT "blah"
> ...and...
>         gold.bar.example.com TXT "blah".
> This is, however, not always true.

Sure. That's why I've proposed before:
Let's place SPF data into an "spfv1" sub domain.
This way DNS software can be modified to answer all unknown
"spfv1.<anything>.domain.tld" queries with the default SPF record
"v=spfv1 -all".

But I would like to add one more note:
There is no need for wildcard SPF records!!
It is possible to send a single DNS request for multiple record types and
domains. (RFC 1035 Sect. 4.1.2. "QDCOUNT (usually 1)" -
but in our case it will be 4)

IMHO, current SPF checkers do not benefit from this DNS feature.

It can be possible to create a single request for the TXT, A, MX and AAAA record types:
QDCOUNT = 4
{
QNAME  = domain.example.com
QTYPE  = A
QCLASS = IN,

QNAME  = domain.example.com
QTYPE  = MX
QCLASS = IN,

QNAME  = domain.example.com
QTYPE  = AAAA
QCLASS = IN,

QNAME  = spfv1.domain.example.com
QTYPE  = TXT
QCLASS = IN
}

Taking into account message compression (RFC 1035 Sect. 4.1.4.), the size of the request
will be extremely small.

Take a look at the TXT record question when the sub-domain is used. It will look like:
QNAME  = [5]"spfv1"<two octet pointer to domain.example.com>
QTYPE  = TXT
QCLASS = IN

This is almost the same as having our own RR type:
QNAME  = <two octet pointer to domain.example.com>
QTYPE  = SPF_RECORD_TYPE
QCLASS = IN


So? It's trivial to understand how SPF validation must be performed. Here is
a chart:

A/MX/AAAA found?   TXT found?   Result
Yes                Yes          SPF can perform SPF record validation.
                                We are lucky! We already have the answer for
                                the most common A/MX questions.
No                 Yes          How can this be possible??
                                SPF record validation can be optional,
                                but most likely this is forgery.
Yes                No           SPF status = None
No                 No           Clearly forgery

This multiple-RR-type request will work well for most unknown
domains/hostnames.
As well, using a single request will increase overall DNS responsibility and
decrease traffic/workload.
Unfortunately this requires TXT records to be small for the entire A/MX/AAAA/TXT
answer to fit in 512 bytes of UDP.

Summary: a subdomain for SPF is a must!! This will simplify migration to our own SPF
RR type.
-------
Andriy G. Tereshchenko
Odessa, Ukraine
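As an added example (not code from the original post or from any SPF implementation), here is a small builder for the four-question query described above, applying RFC 1035 Sect. 4.1.4 name compression so the resulting wire size can be checked; the message id, the "spfv1" label placement and the domain name are assumptions taken from the post for illustration.

```python
# Added example: build the 4-question DNS query (A, MX, AAAA, spfv1 TXT)
# with RFC 1035 4.1.4 compression pointers. Constructed for illustration.
import struct

QTYPE = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28}
QCLASS_IN = 1


def encode_name(name, offsets, out):
    """Append `name` to `out` in wire form. Any suffix already written
    earlier in the message is replaced by a 2-octet pointer (0xC000|offset)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(out) <= 0x3FFF:        # pointers carry a 14-bit offset
            offsets[suffix] = len(out)
        label = labels[i].encode("ascii")
        out += bytes([len(label)]) + label
    out += b"\x00"                    # root label terminates the name


def build_query(msg_id, questions):
    """questions: list of (qname, qtype_name). Returns the wire message
    with QDCOUNT = len(questions), RD set, no answer/authority/additional."""
    out = bytearray(struct.pack("!HHHHHH", msg_id, 0x0100,
                                len(questions), 0, 0, 0))
    offsets = {}
    for qname, qtype in questions:
        encode_name(qname, offsets, out)
        out += struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    return bytes(out)


def spf_questions(domain):
    """The four questions proposed in the post for one sender domain."""
    return [(domain, "A"), (domain, "MX"), (domain, "AAAA"),
            ("spfv1." + domain, "TXT")]


if __name__ == "__main__":
    msg = build_query(0x1234, spf_questions("domain.example.com"))
    print(len(msg), "bytes:", msg.hex())   # 60 bytes
```

The whole request comes to 60 bytes: the last question is exactly the `[5]"spfv1"` label followed by a pointer (`c0 0c`) back to offset 12 where `domain.example.com` was first written. Note that, in practice, resolvers and authoritative servers reject or ignore QDCOUNT > 1, so the builder illustrates the wire layout of the proposal rather than a query a real server will answer.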

