spf-discuss

Re: Zonecuts specified in SPF draft

2005-01-14 09:56:50

On Fri, 14 Jan 2005, Alex van den Bogaerdt wrote:

> On Fri, Jan 14, 2005 at 07:33:56AM -0800, william(at)elan.net wrote:
>
> > Now as far as proposal:
> >  1. We do it the right way and propose dns extension for '**' wildcards
> >     which are matched for existing hosts that do not specifically have
> >     certain RR (in our case we care about SPF and TXT RRs)
> >  2. We specify that if there was NODATA/NOERROR response and the same
> >     dns response contained AUTHORITY section with SOA then spf client
> >     SHOULD manually try to check for '**' record at the root of that
> >     authority zone (as found in SOA).
>
> I take it you mean (1) _or_ (2), not (1) _and_ (2) ?

No, I mean (1) AND (2).

They complement each other - if DNS server already knows about '**'
wildcard and can synthesize the answer, it will then return correct
SPF record and spf client would never need to lookup '**' wildcard.
So for all those cases where spf client would at first find answer
at '**' at  zonecut (which requires extra dns lookup), the same
lookups would no longer happen once dns server is updated. 

Also by only using SOA data in AUTHORITY section if it was already present 
from original DNS lookup we remove complex algorithm that is necessary 
for clients to implement to actually locate this zonecut (which requires 
additional 1 or more dns lookups), this is good for implementors and good
because the number of dns lookups that are necessary is fixed.

The bad thing is that it hits those who are purposely not publishing SPF
records - they end up seeing two dns lookups (although in theory it would
be possible to add a feature to dns server to not return soa in authority 
which would stop that).

I did a survey yesterday and found that all of the dns servers that
have at least 0.1% share provide AUTHORITY section for NODATA. John Levine
noted that while that may be true, the djb caching-only server will not 
provide AUTHORITY section. So I recognize that means above algorithm will 
not work 100% of the time but even without it because in 95%+ of the places

> What happens when you ask for the SOA or NS record specifically?
> Will djb caching-only server return the zone cut in that case ?

Don't know and I don't run djb on any of my systems to test it.
Perhaps somebody else here could help us out...


Also DNS folks are telling us (see namedroppers messages) that looking
up SOA directly is inappropriate (which I happen to disagree with..) because:

 1. Direct SOA lookups are not cached 
  - not quite true, in practice it's only not cached for NOERROR
 2. By DNS standards SOA MUST be returned only if it's the actual ZONECUT
    and for all other cases it's not mandatory.
  - in practice most dns servers do return it even if you look up hostname
    within zone but not directly zonecut

I want to avoid these disagreements about what is the right way and
right algorithm to find zonecut and specify that if dns server was
nice enough to provide soa in the authority section (which most servers
do) then spf client should use it, otherwise there are other options 
available for dns administrators like using scripts to create spf
records for all hosts.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
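The following is an added illustration of the two-part proposal discussed above; it is not code from the thread or from any SPF implementation. It models a toy authoritative server and an SPF client in Python. The '**' owner name is treated as an ordinary record name (the real proposal would need a DNS extension for that), the zone contents and SOA data are constructed for the example, and the resolver-side caching behaviour is ignored. It shows part (2): on a NODATA answer that carries an SOA in AUTHORITY, the client makes exactly one extra query for '**' at the zone apex; and part (1): once the server synthesizes from '**' itself, the same client gets its answer in a single query. It also shows the two failure cases named in the thread: a cache that omits the AUTHORITY section (the djb case), and a zone that has no '**' record at all, where the client gives up after the fixed second lookup.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RR:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "TXT", "SOA", "A", ...
    data: str


@dataclass
class Response:
    rcode: str   # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def normalize(name: str) -> str:
    return name.rstrip(".").lower() + "."


def in_zone(name: str, apex: str) -> bool:
    # label-aware suffix test: "notexample.com." is not inside "example.com."
    return name == apex or name.endswith("." + apex)


class Zone:
    """Toy authoritative server for a single zone (constructed for this example)."""

    def __init__(self, apex: str, soa_data: str, records: List[RR], synthesize: bool = False):
        self.apex = normalize(apex)
        self.soa = RR(self.apex, "SOA", soa_data)
        self.records = [RR(normalize(r.name), r.rtype, r.data) for r in records]
        self.synthesize = synthesize   # part (1): server understands '**' itself

    def query(self, qname: str, qtype: str) -> Response:
        qname = normalize(qname)
        if not in_zone(qname, self.apex):
            raise ValueError(f"{qname} is outside zone {self.apex}")
        hits = [rr for rr in self.records if rr.name == qname and rr.rtype == qtype]
        if hits:
            return Response("NOERROR", answer=hits)
        if not any(rr.name == qname for rr in self.records):
            return Response("NXDOMAIN", authority=[self.soa])   # host does not exist
        if self.synthesize:
            wild = [rr for rr in self.records
                    if rr.name == "**." + self.apex and rr.rtype == qtype]
            if wild:   # existing host, missing RR type: synthesize from '**'
                return Response("NOERROR", answer=[RR(qname, qtype, w.data) for w in wild])
        return Response("NOERROR", authority=[self.soa])   # NODATA with SOA in AUTHORITY


def zonecut_fallback(qname: str, resp: Response) -> Optional[str]:
    """Part (2): name to query next after a NODATA answer, or None if the rule does not apply."""
    if resp.rcode != "NOERROR" or resp.answer:
        return None   # NXDOMAIN or a real answer: nothing to do
    soas = [rr for rr in resp.authority if rr.rtype == "SOA"]
    if not soas:
        return None   # e.g. a caching server that strips AUTHORITY (the djb case)
    apex = normalize(soas[0].name)
    if not in_zone(qname, apex):
        return None   # defensive: ignore an SOA that does not cover the queried name
    return "**." + apex


def lookup_spf(zone: Zone, host: str) -> Tuple[Optional[str], int]:
    """Return (spf_record_or_None, number_of_dns_queries); never more than 2 queries."""
    host = normalize(host)
    resp = zone.query(host, "TXT")
    queries = 1
    if resp.answer:
        return resp.answer[0].data, queries
    fallback = zonecut_fallback(host, resp)
    if fallback is None:
        return None, queries
    resp = zone.query(fallback, "TXT")
    queries += 1
    return (resp.answer[0].data if resp.answer else None), queries


# Constructed sample zone: explicit SPF on the apex and on "mail", a '**' catch-all for
# every other existing host, and "www" which has an A record but no TXT record.
SOA_DATA = "ns1.example.com. hostmaster.example.com. 2005011401 3600 900 604800 300"
RECORDS = [
    RR("example.com", "TXT", "v=spf1 mx -all"),
    RR("mail.example.com", "A", "192.0.2.10"),
    RR("mail.example.com", "TXT", "v=spf1 a -all"),
    RR("www.example.com", "A", "192.0.2.20"),
    RR("**.example.com", "TXT", "v=spf1 -all"),
]
OLD_SERVER = Zone("example.com", SOA_DATA, RECORDS)                   # part (2) only
NEW_SERVER = Zone("example.com", SOA_DATA, RECORDS, synthesize=True)  # parts (1) and (2)
NO_WILDCARD = Zone("example.net", SOA_DATA, [RR("www.example.net", "A", "192.0.2.30")])

if __name__ == "__main__":
    for zone, host in [(OLD_SERVER, "mail.example.com"), (OLD_SERVER, "www.example.com"),
                       (NEW_SERVER, "www.example.com"), (NO_WILDCARD, "www.example.net")]:
        print(host, zone.synthesize, lookup_spf(zone, host))
```

The SOA-covers-qname check in zonecut_fallback is the one thing a client should add on top of the rule as stated in the thread: the AUTHORITY section is taken on trust, so the client should at least refuse to be redirected to a '**' name that is not an ancestor of the host it asked about.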

