spf-discuss

RE: Zonecuts specified in SPF draft

2005-01-14 10:10:55

On Fri, 14 Jan 2005, Julian Mehnle wrote:

> > Now as far as proposal:
> >  1. We do it the right way and propose a DNS extension for '**' wildcards
> >     which are matched for existing hosts that do not specifically have
> >     a certain RR (in our case we care about SPF and TXT RRs)
> >  2. We specify that if there was a NODATA/NOERROR response and the same
> >     DNS response contained an AUTHORITY section with a SOA, then the SPF
> >     client SHOULD manually try to check for the '**' record at the root of
> >     that authority zone (as found in the SOA).
>
> I guess you mean "try to check for SPF record at the root of that
> authority zone", right?

No, check the SPF record at the '**' hostname from the root of the authority
zone.

> There is no way in DNS to explicitly check for wildcard records, be it
> "*" or "**".  (I'd actually name it "*!" instead of "**", BTW.)

Where did you get this idea? It's an absolutely correct way to check if a DNS
zone has a wildcard record by directly looking it up, and the DNS server MUST
respond by providing that record.

This is exactly what some (BIND) did when Verisign started abusing .COM
and added a wildcard to it: they did an 'A' lookup for "*.com" and then
started answering with NXDOMAIN when they received the same response for a
domain.

> Are you aware that your proposal actually implies acknowledging the
> current client-side zone cut defaulting algorithm, albeit formally just as
> a fallback? ;-)

That is exactly its purpose. This is similar to what was proposed by Ted
Hardie at the MARID meeting to get around problems and delays with the
deployment of a new RR (use TXT temporarily, get a new RR, and provide a
recommendation for clients to check for both but use only the data in SPF).
In the same way, we temporarily do an extra lookup directly for the wildcard
record from the client, but over time, as DNS servers are updated, it is no
longer necessary.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
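The following is an added example, not code from the message above or from any SPF implementation. It models offline the two DNS behaviours the message leans on: the proposed client-side fallback (on a NOERROR reply with an empty ANSWER section and a SOA in AUTHORITY, look for a '**' record at the apex that SOA names) and the direct wildcard probe (query "*.com" itself, then treat a later answer identical to that RRset as NXDOMAIN, as the message says BIND did). The zone contents, the addresses, the '**' owner name and every function name are assumptions made for the demo; wildcard matching follows RFC 1034 section 4.3.2 without empty non-terminals.

```python
# Added example, not code from the original spf-discuss post. Offline model of:
# (1) the proposed fallback: NOERROR + empty ANSWER (NODATA) + SOA in AUTHORITY
#     makes the SPF client retry at '**.<zone apex named by that SOA>';
# (2) the wildcard probe: asking for "*.com" itself returns the wildcard RRset,
#     and a resolver can report any answer equal to that RRset as NXDOMAIN.
# Zone contents, addresses, the '**' owner name and function names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Response:
    rcode: str                                     # "NOERROR", "NXDOMAIN", "REFUSED"
    answer: list = field(default_factory=list)     # [(owner, rtype, rdata), ...]
    authority: list = field(default_factory=list)  # [(owner, "SOA", mname), ...]

# Constructed zone data: {zone apex: {owner name: {rtype: [rdata, ...]}}}.
ZONES = {
    "example.com": {
        "example.com": {"SOA": ["ns1.example.com"], "TXT": ["v=spf1 mx -all"]},
        "www.example.com": {"A": ["192.0.2.10"]},    # exists, but has no TXT
        "**.example.com": {"TXT": ["v=spf1 -all"]},  # the proposed '**' apex record
        "*.example.com": {"A": ["192.0.2.20"]},      # an ordinary RFC 1034 wildcard
    },
    "com": {
        "com": {"SOA": ["a.gtld-servers.net"]},
        "*.com": {"A": ["192.0.2.99"]},  # stand-in for a TLD-wide wildcard
    },
}

def zone_for(name):
    """Longest modeled zone apex that is `name` or one of its parents, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in ZONES:
            return apex
    return None

def lookup(qname, qtype):
    """Authoritative answer per RFC 1034 4.3.2: exact owner match, else the wildcard
    at the closest existing ancestor, else NXDOMAIN. A query for the wildcard's own
    name is an exact match, so the server hands the wildcard RRset back as-is."""
    apex = zone_for(qname)
    if apex is None:
        return Response("REFUSED")
    zone = ZONES[apex]
    soa = (apex, "SOA", zone[apex]["SOA"][0])
    owner = qname if qname in zone else None
    if owner is None:
        labels = qname.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if ancestor in zone:                   # closest encloser found
                if "*." + ancestor in zone:
                    owner = "*." + ancestor
                break
    if owner is None:
        return Response("NXDOMAIN", [], [soa])
    rrs = zone[owner].get(qtype, [])
    # NODATA: the name exists (or is synthesized) but has no RR of this type; the
    # SOA goes into AUTHORITY, which is what lets the client learn the zone apex.
    return Response("NOERROR", [(qname, qtype, rd) for rd in rrs], [] if rrs else [soa])

def spf_lookup_with_fallback(host, qtype="TXT"):
    """Step 2 of the proposal: a direct answer wins; on NODATA with a SOA in
    AUTHORITY, retry at '**.<apex>'. Returns (rdata list or None, how obtained)."""
    r = lookup(host, qtype)
    if r.rcode != "NOERROR":
        return None, r.rcode
    if r.answer:
        return [rd for _, _, rd in r.answer], "direct"
    soas = [rr for rr in r.authority if rr[1] == "SOA"]
    if not soas:
        return None, "nodata-without-soa"
    apex = soas[0][0]
    r2 = lookup("**." + apex, qtype)               # the fallback query itself
    if r2.rcode == "NOERROR" and r2.answer:
        return [rd for _, _, rd in r2.answer], "fallback:**." + apex
    return None, "nodata"

def wildcard_probe(apex, qtype="A"):
    """Query '*.<apex>' directly; if the zone has that wildcard, this is its RRset."""
    return sorted(rd for _, _, rd in lookup("*." + apex, qtype).answer)

def lookup_rejecting_synthesized(qname, qtype="A"):
    """Resolver-side reaction the post attributes to BIND: an answer identical to the
    zone's wildcard RRset is reported as NXDOMAIN. Caveat: a real host whose RRset
    happens to equal the wildcard's is rejected too."""
    r = lookup(qname, qtype)
    if r.rcode == "NOERROR" and r.answer:
        if sorted(rd for _, _, rd in r.answer) == wildcard_probe(zone_for(qname), qtype):
            return Response("NXDOMAIN", [], r.authority)
    return r

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "nothere.example.com", "foo.com"):
        print(host, spf_lookup_with_fallback(host))
    print("foo.com A ->", lookup_rejecting_synthesized("foo.com").rcode)
```

Two things the model makes visible that the prose does not: for "foo.com" the fallback query for "**.com" is itself synthesized by the ordinary "*.com" wildcard (a '**' owner name is just another label to the DNS) and comes back NODATA, so the client ends with no record; and the NXDOMAIN rewrite is keyed purely on RRset equality with the probed wildcard, so it cannot distinguish a synthesized answer from a real host that happens to share the wildcard's data.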

