william(at)elan.net [william(_at_)elan(_dot_)net] wrote:
> On Fri, 14 Jan 2005, Julian Mehnle wrote:
> > I guess you mean "try to check for SPF record at the root of that
> > authority zone", right?
>
> No, check the SPF record at the '**' hostname from the root of the
> authority zone.

Alright, now I actually do understand your proposal, and I think it is a
good idea.

> > There is no way in DNS to explicitly check for wildcard records, be it
> > "*" or "**". (I'd actually name it "*!" instead of "**", BTW.)
>
> Where did you get this idea? It's an absolutely correct way to check if a
> DNS zone has a wildcard record by directly looking it up, and the DNS
> server MUST respond by proving that record.

I stand corrected. I thought that I had tried it before and that it
didn't work, but I guess I must have done something wrong.

> > Are you aware that your proposal actually implies acknowledging the
> > current client-side zone cut defaulting algorithm, albeit formally
> > just as a fallback? ;-)
>
> That is exactly its purpose. This is similar to what was proposed by Ted
> Hardie at the MARID meeting to get around problems and delays with
> deployment of a new RR (use TXT temporarily and get the new RR, and provide
> a recommendation for clients to check for both but use only the data in SPF).
> The same way, we temporarily do an extra lookup directly for the wildcard
> record from the client, but over time, as DNS servers are updated, it is no
> longer necessary.

Good. I don't have a problem with transitory measures, but I just wanted
to be sure you really wanted to imply that.

Now, what exactly is the supposed difference between the classic * and the
proposed **/*! again? That the former only applies to non-existent
domains, while the latter also applies to domains that already have some
RR defined for them? Or is there another difference?
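Added example, not code from this thread or from any SPF implementation: a toy in-memory resolver in Python that models the three lookups discussed above. The classic `*` wildcard is synthesized only for names that do not exist at all (RFC 1034 / RFC 4592 rules); the `**` default label is assumed here to be a plain owner name that the client queries explicitly at the zone apex; the current client-side zone-cut walk is kept as the fallback. `ZONE_APEX`, `ZONE` and all record contents are constructed sample data, and the `**` semantics are an assumption, since the thread asks about them rather than defining them.

```python
ZONE_APEX = "example.com"
ZONE = {  # constructed zone data: owner name -> {rrtype: [rdata]}
    "example.com":      {"TXT": ["v=spf1 mx -all"], "MX": ["10 mail.example.com"]},
    "*.example.com":    {"TXT": ["v=spf1 -all"]},    # classic wildcard
    "**.example.com":   {"TXT": ["v=spf1 a -all"]},  # proposed default label (assumed)
    "host.example.com": {"A": ["192.0.2.10"]},       # exists, but has no TXT
}

def name_exists(name):
    """True if `name` is an owner name or an empty non-terminal in the zone."""
    return name in ZONE or any(o.endswith("." + name) for o in ZONE)

def lookup(name, rrtype):
    """Authoritative answer: list of rdata ([] = NODATA) or None for NXDOMAIN.
    '*' is synthesized only for a name that does not exist, at the closest
    encloser (RFC 1034 / RFC 4592); an existing name never matches it."""
    if name_exists(name):
        return ZONE.get(name, {}).get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(encloser):
            wild = "*." + encloser
            return ZONE[wild].get(rrtype, []) if wild in ZONE else None
    return None

def spf_records(name):
    return [r for r in (lookup(name, "TXT") or []) if r.startswith("v=spf1")]

def spf_for(name, use_default_label=True):
    """Return (spf_record, source) for `name`, applying the defaulting steps."""
    own = spf_records(name)
    if own:
        return own[0], "direct"  # includes answers synthesized from '*'
    if use_default_label:
        # Transitional step from the thread: the client explicitly asks for the
        # default label at the zone apex; this also covers existing names.
        default = spf_records("**." + ZONE_APEX)
        if default:
            return default[0], "**-label"
    # Fallback: today's client-side zone-cut walk toward the apex
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        recs = spf_records(ancestor)
        if recs:
            return recs[0], "zone-cut-walk"
        if ancestor == ZONE_APEX:
            break
    return None, "none"
```

`host.example.com` shows the difference the question above asks about: it exists with an A record, so the `*` wildcard gives NODATA rather than a policy, while the explicit `**` lookup (or, without it, the zone-cut walk) still supplies a default.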