Greg Connor wrote:
[ tnx for checking the "s u b" issue, the author of the draft
"subject tags considered harmful" would be delighted if he
knew this. But one member of the IETF rfc822 list wants to
kill poor old "Re: ", therefore I won't tell them... <beg> ]

> I would suggest to stop at any domain that has an SOA but
> no TXT v=spf1.

Yes, that's probably better, but the truth is that I don't
understand the CLEAR problem with the "zone cut". Stephane
used com.fr. as example, and his point was that fr. isn't the
"zone cut". My simple trick to look at the output of -q=ns
is probably wrong.
For xyzzy.claranet.de, xyzzy.dnsalias.org, xyzzy.webhop.info,
and similar cases -q=ns works, but DNS is partially beyond me,
especially if something is broken.

> we could be subject to inappropriate usage by NSI in com. or
> net. or CC-NIC in cc., etc.

museum has a wildcard. -q=ns says museum for jhfhg.museum,
for nic.museum it's like com.fr, so that is apparently the
"zone cut". For oops.nic.museum -q=ns has nothing, in that
case and below it I'd be forced to cut labels left to right.
But in that case SPF would throw a permerror, therefore it's
irrelevant, or isn't it?

> This means that if your organization has many sub-zones and
> delegations, they should put SPF records wherever SOA records
> appear.

Oops, yes, that's not yet in Wayne's text IIRC.

> If the "sub" property keeps subdomains from being affected,
> would it be better to call it op=nosub?

Yes, updated locally, visible tomorrow. I won't use "unsub",
because it could confuse the list software ;-)

> break it up into two sentences.

Done. It's about something like this:

    a.example      IN SPF "v=spf1 +all"
    sub.a.example  IN SPF "v=spf1 op=nosub -all"

If you see HELO mail2.sub.a.example it has no sender policy.
For Wayne's algorithm (RfC 2181) you use a.example and all is
well (as soon as he fixes the %{d} definition in his draft ;-)
For John's algorithm you'd use sub.a.example, and that's very
different from a.example. But an op=nosub could fix it, the
main draft doesn't allow it, it's only allowed if you respect
op=nosub.
The second sentence was about the same constellation replacing
sub.a.example by soa.a.example: An implementation with "zone
cut" would use soa.a.example and its -all. An implementation
respecting op=nosub removing labels left to right would stop
at a.example and +all (too late), therefore op=nosub SHOULD NOT
be used at the "zone cut", its semantics would be unclear.
Bye, Frank
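
The two cases in the message above (sub.a.example inside the a.example zone, then soa.a.example as its own zone), modelled as an added Python example that is not part of the original message or of any SPF draft. The function names, the set of zone apexes, and the reading of op=nosub as "this record does not apply to subdomains" are assumptions made for illustration.

```python
# Constructed data: the two records from the message; zone apexes are assumed.
def make_records(label):
    return {"a.example": "v=spf1 +all",
            f"{label}.a.example": "v=spf1 op=nosub -all"}

def parents(name):
    """Yield name, then each parent, removing labels left to right."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        yield ".".join(labels[i:])

def zone_cut_policy(name, records, apexes):
    """'Zone cut' lookup: use the apex (SOA owner) of the enclosing zone."""
    for candidate in parents(name):
        if candidate in apexes:
            return candidate, records.get(candidate)
    return None, None

def label_strip_policy(name, records, respect_nosub=True):
    """Label-stripping lookup: first record found walking upward.
    With respect_nosub, a parent's op=nosub record is skipped."""
    for candidate in parents(name):
        record = records.get(candidate)
        if record is None:
            continue
        if respect_nosub and candidate != name and "op=nosub" in record.split():
            continue
        return candidate, record
    return None, None

def compare(label, apexes):
    """Which name supplies the policy for HELO mail2.<label>.a.example?"""
    records = make_records(label)
    helo = f"mail2.{label}.a.example"
    return {
        "zone_cut": zone_cut_policy(helo, records, apexes)[0],
        "strip": label_strip_policy(helo, records, respect_nosub=False)[0],
        "strip_nosub": label_strip_policy(helo, records)[0],
    }

if __name__ == "__main__":
    # Case 1: sub.a.example is not a zone cut; op=nosub makes both lookups agree.
    print(compare("sub", {"a.example"}))
    # Case 2: soa.a.example is a zone cut; the lookups disagree (-all vs. +all).
    print(compare("soa", {"a.example", "soa.a.example"}))
```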