spf-discuss

Re: DNS Wildcards Myth #1

2004-08-07 16:57:44
My 2 cents on the wildcard subject...

Wildcards don't make it easier to publish SPF records for all your domains. You still need to create TXT records for any sub-domain that has an A or MX record. (The previous examples point out that this doesn't work. If the label exists with some other type, you have to manually add TXT for that label as well. I think the reason is that if you use a wildcard, and it also applies to other labels in the zone, there would be no way to override an entry so that there is no TXT returned.)

But, if you *already* use a wildcard for either A or MX, you should have a TXT wildcard record for the same wildcard domain string.

Some folks (in both spf and marid) have proposed using a prefix for SPF data. A prefix would actually work with wildcards but you lose any selectivity. For example, if
 *.domain.com IN A 10.1.2.3
already exists, then you can define
 *.domain.com IN TXT
This would provide the same TXT answer for "whatever.domain.com" and "spfv1.whatever.domain.com" as long as whatever doesn't exist in non-wildcard form.

But, there are other reasons I don't like prefixes. For one, I don't really think there is a problem with conflicts to existing TXT records - even if there are conflicts, the users of other types of TXT records can figure out how to resolve them. Second, if a new RRtype is allocated later, a prefix would not be needed and would actually hinder things in the long run. Using TXT with no prefix now makes it easier to switch later.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>


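The wildcard behaviour the post relies on (a wildcard is only synthesized when the queried name does not exist; an existing label with only A or MX gets NODATA for TXT, and a prefixed name like spfv1.whatever.domain.com falls through to *.domain.com only while whatever.domain.com is absent) can be modelled in a few lines. The following is an added example, not code from the original post or from any SPF or DNS implementation: a toy authoritative lookup following the RFC 1034 / RFC 4592 wildcard rules over a constructed zone. Only "domain.com" and 10.1.2.3 come from the post; the labels "mail" and "www" and the SPF strings are made up.

```python
"""Toy model of DNS wildcard matching (RFC 1034 section 4.3.3, RFC 4592).

Added example, not from the original post. The zone is constructed:
'domain.com' and 10.1.2.3 are taken from the post, everything else
(labels 'mail' and 'www', the SPF strings) is invented for illustration.
"""

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "domain.com": {
        "NS": ["ns.domain.com"],
        "MX": ["10 mail.domain.com"],
        "TXT": ["v=spf1 mx -all"],
    },
    "mail.domain.com": {"A": ["10.1.2.3"]},            # A record, no SPF TXT
    "www.domain.com": {"A": ["10.1.2.4"], "TXT": ["v=spf1 a -all"]},
    "*.domain.com": {"A": ["10.1.2.3"], "TXT": ["v=spf1 ip4:10.1.2.3 -all"]},
}
APEX = "domain.com"


def _ancestors(name):
    """Yield name itself, then each parent down to and including the apex."""
    labels = name.split(".")
    apex_len = len(APEX.split("."))
    for i in range(len(labels) - apex_len + 1):
        yield ".".join(labels[i:])


def existing_names(zone):
    """Owner names plus empty non-terminals (every parent of an owner)."""
    names = set()
    for owner in zone:
        names.update(_ancestors(owner))
    return names


def lookup(qname, rrtype, zone=ZONE):
    """Return (rcode, rdata_list) the way an authoritative server would."""
    names = existing_names(zone)
    if qname in names:
        # The name exists (perhaps only with other types), so wildcards are
        # never consulted.  An empty list here is a NODATA answer.
        return "NOERROR", list(zone.get(qname, {}).get(rrtype, []))
    # The name does not exist: find the closest encloser (longest existing
    # ancestor) and check whether it has a wildcard child.
    for ancestor in _ancestors(qname):
        if ancestor in names:
            wildcard = "*." + ancestor
            if wildcard in zone:
                return "NOERROR", list(zone[wildcard].get(rrtype, []))
            return "NXDOMAIN", []
    return "NXDOMAIN", []   # not under the apex at all


def spf_record(qname, zone=ZONE):
    """The SPF string published at qname, or None for NODATA/NXDOMAIN."""
    _rcode, txts = lookup(qname, "TXT", zone)
    for txt in txts:
        if txt.startswith("v=spf1"):
            return txt
    return None


def labels_needing_spf(zone=ZONE):
    """Existing names with A or MX that the wildcard TXT cannot cover."""
    return sorted(
        owner for owner, rrs in zone.items()
        if not owner.startswith("*.")
        and ("A" in rrs or "MX" in rrs)
        and spf_record(owner, zone) is None
    )


if __name__ == "__main__":
    for q in ["whatever.domain.com", "spfv1.whatever.domain.com",
              "mail.domain.com", "spfv1.mail.domain.com", "www.domain.com"]:
        print(f"{q:28} {lookup(q, 'TXT')}")
    print("labels that still need an explicit TXT:", labels_needing_spf())
```

Running it shows the two halves of the post's argument side by side: whatever.domain.com and spfv1.whatever.domain.com both get the wildcard TXT, while mail.domain.com (which exists with an A record) gets an empty NOERROR answer and spfv1.mail.domain.com is NXDOMAIN because the closest encloser, mail.domain.com, has no wildcard child. labels_needing_spf lists exactly the names a zone operator would have to give an explicit TXT record.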