spf-discuss

Re: Zonecuts specified in SPF draft

2005-01-14 09:11:43
On Fri, Jan 14, 2005 at 07:33:56AM -0800, william(at)elan.net wrote:

> Now as far as proposal:
>  1. We do it the right way and propose dns extension for '**' wildcards
>     which are matched for existing hosts that do not specifically have
>     certain RR (in our case we care about SPF and TXT RRs)
>  2. We specify that if there was NODATA/NOERROR response and the same
>     dns response contained AUTHORITY section with SOA then spf client
>     SHOULD manually try to check for '**' record at the root of that
>     authority zone (as found in SOA).

I take it you mean (1) _or_ (2), not (1) _and_ (2) ?

> I have done a survey yesterday and found that all of the dns servers that
> have at least 0.1% share provide AUTHORITY section for NODATA. John Levine
> noted that while that may be true, the djb cashing-only server will not
                                             ^^^^^^^
:)

> provide AUTHORITY section. So I recognize that means above algorithm will
> not work 100% of the time but even without it because in 95%+ of the places

What happens when you ask for the SOA or NS record specifically?
Will the djb caching-only server return the zone cut in that case?

Pseudo code, no error checking and such:

result=resolve(SPF,domain)
if (result->status == no_record) {
   if (result->authority == none) {       // cache stripped the AUTHORITY section
      result=resolve(SOA,domain)           // ask for the zone cut explicitly
      if (result->status == no_record) {
#ifdef option1
         return NULL                       // treat as "no SPF record"
#else
         return PermErr                    // treat as a permanent error
#endif
      }
   }
   domain=result->domain    // zone cut found
   result=resolve(SPF,domain)   // retry at the zone apex
}
// spf record available, or not present (NULL)
return result->record

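The lookup sketched in the pseudo code above, carried through as an added example (my code, not anything posted in this thread). Real DNS is replaced by a small in-memory resolver over constructed zone data so it runs offline; the record type name "SPF", the way NODATA and the AUTHORITY section are modelled, and the names in ZONES are all assumptions for illustration. It goes one step beyond the pseudo code in one place: when the cache has dropped the AUTHORITY section, it walks up the name one label at a time asking for SOA, rather than asking only at the original name, because a non-apex name answers an SOA query with NODATA as well. The strict flag selects between the `#ifdef option1` and `#else` branches.

```python
# Zone-cut fallback for an SPF lookup, modelled on the pseudo code above.
# Added example, not code from the thread: DNS is a small in-memory resolver
# over constructed zone data so it runs offline. The 'SPF' record type name,
# the NODATA/AUTHORITY modelling and the label walk are illustration choices.
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

@dataclass
class Response:
    status: str
    answers: list = field(default_factory=list)    # (owner, rtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rtype, rdata)

class FakeResolver:
    """Serves constructed zones: {apex: {owner: {rtype: [rdata, ...]}}}.
    strip_authority=True drops the AUTHORITY section on NODATA, as the thread
    says djb's cache does; answer_soa=False also refuses to return the zone
    cut for an explicit SOA query, the open question raised above."""

    def __init__(self, zones, strip_authority=False, answer_soa=True):
        self.zones = zones
        self.strip_authority = strip_authority
        self.answer_soa = answer_soa

    def _apex_for(self, name):
        hits = [a for a in self.zones if name == a or name.endswith("." + a)]
        return max(hits, key=len) if hits else None

    def resolve(self, rtype, name):
        apex = self._apex_for(name)
        if apex is None:
            return Response(NXDOMAIN)
        if rtype == "SOA" and not self.answer_soa:
            return Response(NOERROR)                # NODATA with nothing to go on
        zone = self.zones[apex]
        auth = [] if self.strip_authority else [(apex, "SOA", zone[apex]["SOA"][0])]
        if name not in zone:
            return Response(NXDOMAIN, authority=auth)
        rrs = zone[name].get(rtype, [])
        if rrs:
            return Response(NOERROR, answers=[(name, rtype, r) for r in rrs])
        return Response(NOERROR, authority=auth)    # NODATA, SOA in AUTHORITY

class PermError(Exception):
    """The '#else' branch of the pseudo code: no zone cut could be found."""

def find_zone_cut(resolver, response, domain):
    """Zone apex for `domain`, or None. Prefer the SOA from the AUTHORITY
    section of the NODATA reply; if the cache stripped it, ask for SOA
    explicitly. Unlike the pseudo code, which asks only at `domain`, this
    walks up one label at a time, since a non-apex name answers an SOA
    query with NODATA as well."""
    for owner, rtype, _ in response.authority:
        if rtype == "SOA":
            return owner
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        r = resolver.resolve("SOA", candidate)
        if r.answers:
            return candidate
        for owner, rtype, _ in r.authority:        # a cooperative cache may add it
            if rtype == "SOA":
                return owner
    return None

def lookup_spf(resolver, domain, strict=False):
    """SPF record text for `domain`, or None when none applies. strict=False
    is the '#ifdef option1' branch (no zone cut -> None); strict=True is the
    '#else' branch (no zone cut -> PermError)."""
    r = resolver.resolve("SPF", domain)
    if r.status == NXDOMAIN:
        return None                     # name does not exist: nothing to inherit
    if r.answers:
        return r.answers[0][2]
    apex = find_zone_cut(resolver, r, domain)
    if apex is None:
        if strict:
            raise PermError(f"no zone cut found for {domain}")
        return None
    if apex == domain:
        return None                     # already at the apex; nothing above it
    r = resolver.resolve("SPF", apex)   # zone-level record, as in the pseudo code
    return r.answers[0][2] if r.answers else None

# Constructed zone data for the demo; names and records are made up.
ZONES = {
    "example.net": {
        "example.net": {"SOA": ["ns1.example.net. hostmaster. 1 1 1 1 1"],
                        "SPF": ["v=spf1 ip4:192.0.2.0/24 -all"]},
        "host.example.net": {"A": ["192.0.2.10"]},
    },
    "example.org": {  # apex exists but publishes no SPF record
        "example.org": {"SOA": ["ns1.example.org. hostmaster. 1 1 1 1 1"]},
        "mail.example.org": {"A": ["198.51.100.5"]},
    },
}
```

Running `lookup_spf(FakeResolver(ZONES), "host.example.net")` picks up the apex record through the AUTHORITY SOA; with `strip_authority=True` it gets there through the SOA walk instead; with `answer_soa=False` as well, nothing yields a zone cut and the result is None or PermError depending on `strict`, which is exactly the choice the two preprocessor branches leave open.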
