On Fri, Jan 14, 2005 at 07:33:56AM -0800, william(at)elan.net wrote:
> Now as far as proposal:
> 1. We do it the right way and propose a DNS extension for '**' wildcards
> which are matched for existing hosts that do not specifically have
> certain RR (in our case we care about SPF and TXT RRs)
> 2. We specify that if there was a NODATA/NOERROR response and the same
> DNS response contained an AUTHORITY section with SOA then the SPF client
> SHOULD manually try to check for a '**' record at the root of that
> authority zone (as found in SOA).

I take it you mean (1) _or_ (2), not (1) _and_ (2)?

> I did a survey yesterday and found that all of the DNS servers that
> have at least 0.1% share provide an AUTHORITY section for NODATA. John Levine
> noted that while that may be true, the djb cashing-only server will not
                                             ^^^^^^^
                                             :)
> provide AUTHORITY section. So I recognize that means above algorithm will
> not work 100% of the time but even without it because in 95%+ of the places

What happens when you ask for the SOA or NS record specifically?
Will the djb caching-only server return the zone cut in that case?

Pseudo code, no error checking and such:

    result = resolve(SPF, domain)
    if (result->status == no_record) {
        if (result->authority == none) {
            // no AUTHORITY section in the response: ask for the SOA explicitly
            result = resolve(SOA, domain)
            if (result->status == no_record) {
    #ifdef option1
                return NULL
    #else
                return PermErr
    #endif
            }
        }
        domain = result->domain  // zone cut found
        result = resolve(SPF, domain)
    }
    // spf record available, or not present (NULL)
    return result->record
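
The lookup order discussed in this thread, as an added Python example that is not part of the original message. It follows proposal (2) by querying a hypothetical `**.<zone apex>` name on NODATA, and when the AUTHORITY section is missing it finds the zone cut by asking for SOA one label at a time, which is an assumption about how that step would be done. The resolver, the zone data and all function names are constructed for illustration.

```python
# Constructed sample data: (owner name, RR type) -> records. Not real zones.
ZONE = {
    ("example.org", "SOA"): ["ns1.example.org. hostmaster.example.org. 1 3600 600 86400 300"],
    ("**.example.org", "SPF"): ["v=spf1 -all"],      # hypothetical '**' record
    ("mail.example.org", "SPF"): ["v=spf1 a -all"],
    ("www.example.org", "A"): ["192.0.2.20"],
    ("host.example.net", "A"): ["198.51.100.7"],     # zone with no SOA in the sample
}

def resolve(name, rrtype, strip_authority=False):
    """Toy resolver: returns (status, records, apex named by the AUTHORITY SOA)."""
    if (name, rrtype) in ZONE:
        return "answer", ZONE[(name, rrtype)], None
    status = "nodata" if any(n == name for n, _ in ZONE) else "nxdomain"
    apex = None
    if not strip_authority:      # a cache that drops AUTHORITY reports no apex
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(len(labels)))
        apex = next((p for p in parents if (p, "SOA") in ZONE), None)
    return status, [], apex

def find_zone_cut(name, strip_authority):
    """Ask for SOA explicitly, walking up one label at a time (stops before the TLD)."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if resolve(candidate, "SOA", strip_authority)[0] == "answer":
            return candidate
    return None

def spf_lookup(domain, strip_authority=False, strict=False):
    """Return the SPF record text, None if there is none, or 'PermError'."""
    status, records, apex = resolve(domain, "SPF", strip_authority)
    if status == "answer":
        return records[0]
    if status != "nodata":       # NXDOMAIN: the host does not exist, no fallback
        return None
    if apex is None:             # no AUTHORITY section in the response
        apex = find_zone_cut(domain, strip_authority)
        if apex is None:         # the two options from the pseudo code
            return "PermError" if strict else None
    status, records, _ = resolve("**." + apex, "SPF", strip_authority)
    return records[0] if status == "answer" else None
```

With `strip_authority=True` the toy resolver behaves like the caching-only server mentioned above, so the same call exercises the explicit SOA path.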