spf-discuss

Re: Zonecuts specified in SPF draft

2005-01-14 14:25:32

On Fri, 14 Jan 2005, Alex van den Bogaerdt wrote:

> On Fri, Jan 14, 2005 at 08:53:19PM +0100, Julian Mehnle wrote:
>
> > Now, what exactly is the supposed difference between the classic * and the
> > proposed **/*! again?  That the former only applies to non-existent
> > domains, while the latter also applies to domains that already have some
> > RR defined for them?  Or is there another difference?
>
> The new wildcard applies if the RR does not exist; whether this
> is because the domain does not exist or because the node does
> not contain the specified RR.

Actually I only wanted it if the domain exists but does not have the specified
RR. This would be safer from the perspective of DNS design and integration with
existing systems (and for SPF lookups that means the new wildcard record is
only used if the answer is NODATA but not with NXDOMAIN, for which you usually
do not get an AUTHORITY section).
 
> On a related question:
>
> What if **.zonecut.example.org does exist, with an SPF record,
> and xyz.abc.zonecut.example.org does exist, with a TXT record (v=spf1)?
>
> Should we use the SPF record, or the TXT record?

In theory I believe SPF should override TXT. And if we're going down the road
of standardizing the new '**' wildcard, then in the future DNS servers will
return the SPF record directly without an extra lookup, and the client would
never know whether it was a wildcard or not.

At the same time I suspect that when somebody gets a TXT answer but not SPF
for a given domain, the SPF client is not going to bother doing an extra lookup
for SPF...

So we might as well warn DNS administrators of this and similar cases and
say that if they bothered to enter one type of record, they must either
have the other type of record entered the same way (either wildcard or
direct record) or not at all.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
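As an added illustration (my own toy code, not from the thread or the SPF draft), the rules discussed above modelled on an in-memory zone: the proposed `**` record is consulted only on NODATA and never on NXDOMAIN, the SPF RR type takes precedence over a v=spf1 TXT record, and a check flags the wildcard-vs-direct mismatch William warns about. The dict-based zone, the `**` walk-up and the record contents are constructed assumptions, not real resolver behaviour.

```python
# Constructed toy model; real DNS wildcard semantics are more involved.
NOERROR, NODATA, NXDOMAIN = "NOERROR", "NODATA", "NXDOMAIN"

# Constructed sample zone: owner name -> {RR type: rdata}.
ZONE = {
    "zonecut.example.org":         {"SOA": "ns1.example.org. hostmaster.example.org."},
    "**.zonecut.example.org":      {"SPF": "v=spf1 -all"},        # proposed wildcard
    "abc.zonecut.example.org":     {},                            # exists, no data
    "xyz.abc.zonecut.example.org": {"TXT": "v=spf1 +a -all"},     # direct TXT only
    "ok.zonecut.example.org":      {"SPF": "v=spf1 -all", "TXT": "v=spf1 -all"},
}

def lookup(zone, name, rtype):
    """Return (status, rdata, source); source is 'direct', the ** owner, or None.
    The ** record is used only when the name exists but lacks rtype (NODATA)."""
    node = zone.get(name)
    if node is None:
        return NXDOMAIN, None, None          # name absent: no wildcard fallback
    if rtype in node:
        return NOERROR, node[rtype], "direct"
    labels = name.split(".")                 # NODATA: walk up looking for **.<parent>
    for i in range(1, len(labels)):
        wild = "**." + ".".join(labels[i:])
        if rtype in zone.get(wild, {}):
            return NOERROR, zone[wild][rtype], wild
    return NODATA, None, None

def spf_policy(zone, name):
    """Prefer the SPF RR type; fall back to a TXT record starting with v=spf1."""
    for rtype in ("SPF", "TXT"):
        status, rdata, source = lookup(zone, name, rtype)
        if status == NOERROR and rdata.startswith("v=spf1"):
            return rtype, rdata, source
    return None

def record_mismatch(zone, name):
    """True when SPF and TXT for name resolve differently (one via wildcard,
    one direct, or only one type present), i.e. the case administrators
    should be warned about."""
    spf_status, _, spf_src = lookup(zone, name, "SPF")
    txt_status, _, txt_src = lookup(zone, name, "TXT")
    return spf_status != txt_status or spf_src != txt_src

if __name__ == "__main__":
    for n in ("xyz.abc.zonecut.example.org", "ok.zonecut.example.org"):
        print(n, spf_policy(ZONE, n), "mismatch" if record_mismatch(ZONE, n) else "ok")
```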

