spf-discuss

RE: Zonecuts specified in SPF draft

2005-01-14 18:05:28

On Sat, 15 Jan 2005, Julian Mehnle wrote:

Now, what exactly is the supposed difference between the classic *
and the proposed **/*! again?  That the former only applies to
non-existent domains, while the latter also applies to domains that
already have some RR defined for them?  Or is there another
difference?

The new wildcard applies if the RR does not exist; whether this
is because the domain does not exist or because the node does
not contain the specified RR.

Actually I only wanted it if the domain exists but does not have the specified
RR. This would be safer from the perspective of DNS design and integration with
existing systems (and for SPF lookups that means that the new wildcard record
is only used if the answer is NODATA but not with NXDOMAIN, for which you
usually do not get an AUTHORITY section).

This would be inconsistent with the behavior of *, and I fear that would
scare off the IETF DNS guys more than necessary.  If you really want to do
that, then you should at least call it something like + instead of **, to
indicate that it only applies to domains that already exist.

I think it might scare off IETF DNS guys more if we insist on both 
existing and non-existing domains. Personally I'm not against doing
it for both actually.
 
"**" appears to me like "apply to all domains, existent or not, and even
if an RR of the same type is already defined, i.e. possibly generate
multiple records of the same type".

*  -- apply only to non-existent domains.

+  -- apply only to existent domains for which there is not already a RR
      of the same type.  (If just "+" is not allowed, make that "*=".)

*+ -- apply to non-existent domains and to existent domains for which
      there is not already a RR of the same type.  (formerly *!)

** -- apply to all (non-existent and existent) domains, regardless of
      whether there is already a RR of the same type.

Not that I want to agree to the above (even though it might actually be a good
idea), but do you really expect SPF clients to check at the zonecut for all of
"+", "*+" and "**"?

P.S. And are you also forgetting about:

++  -- apply only to existent domains, regardless of whether there is
       already a RR of the same type.
 
-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
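The five wildcard variants enumerated in this message (Julian's "*", "+", "*+" and "**", plus the "++" in the P.S.) can be tried out against a toy zone to see exactly which query outcomes each one turns from NXDOMAIN or NODATA into an answer. The following is an added example written for this page; it is not code from the thread, from either poster, or from any SPF or DNS implementation. It assumes the semantics exactly as stated above, models the RFC 1034 "closest encloser" rule only as "the wildcard sits directly under the longest existing proper ancestor of the query name", and uses a constructed in-memory zone (RFC 5737 documentation addresses) instead of real DNS.

```python
"""Toy model of the wildcard variants discussed in this thread (added example)."""

# (name exists?, name already has the queried type?) -> does this label apply?
# These are the semantics given in the thread, not any published standard.
WILDCARD_RULES = {
    "*":  lambda exists, has_type: not exists,               # classic RFC 1034
    "+":  lambda exists, has_type: exists and not has_type,  # NODATA names only
    "*+": lambda exists, has_type: not has_type,             # NXDOMAIN or NODATA
    "**": lambda exists, has_type: True,                     # always; may duplicate a type
    "++": lambda exists, has_type: exists,                   # existing names, always
}


def _labels(name):
    """Normalise 'Mail.Example.COM.' to ['mail', 'example', 'com']."""
    return name.lower().rstrip(".").split(".")


class Zone:
    def __init__(self, records):
        # records: {owner_name: {rrtype: [rdata, ...]}}
        self.records = {
            ".".join(_labels(owner)): {t.upper(): list(rrs) for t, rrs in rrsets.items()}
            for owner, rrsets in records.items()
        }

    def name_exists(self, name):
        """A name exists if it owns records or is an empty non-terminal."""
        labels = _labels(name)
        for owner in self.records:
            ol = _labels(owner)
            if ol == labels or (len(ol) > len(labels) and ol[-len(labels):] == labels):
                return True
        return False

    def _wildcard_parent(self, qname):
        """Longest existing proper ancestor of qname (simplified closest encloser)."""
        labels = _labels(qname)
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if self.name_exists(ancestor):
                return ancestor
        return None

    def lookup(self, qname, qtype):
        """Return (status, rdata list); status is judged AFTER wildcard expansion."""
        qname = ".".join(_labels(qname))
        qtype = qtype.upper()
        exists = self.name_exists(qname)
        answer = list(self.records.get(qname, {}).get(qtype, []))
        has_type = bool(answer)

        parent = self._wildcard_parent(qname)
        if parent is not None:
            for label, applies in WILDCARD_RULES.items():
                wildcard = self.records.get(f"{label}.{parent}", {})
                if qtype in wildcard and applies(exists, has_type):
                    answer.extend(wildcard[qtype])

        if answer:
            return "NOERROR", answer
        return ("NODATA" if exists else "NXDOMAIN"), []


# Constructed sample zone; names and addresses are documentation values.
SAMPLE_ZONE = Zone({
    "example.com.":      {"SOA": ["ns.example.com. hostmaster.example.com. 1 1 1 1 1"],
                          "NS": ["ns.example.com."]},
    "ns.example.com.":   {"A": ["192.0.2.1"]},
    "mail.example.com.": {"A": ["192.0.2.10"]},              # exists, but has no TXT
    "*.example.com.":    {"TXT": ["v=spf1 -all"]},           # classic: non-existent names only
    "+.example.com.":    {"TXT": ["v=spf1 a -all"]},         # proposed: existing names lacking TXT
    "example.org.":      {"NS": ["ns.example.com."]},
    "host.example.org.": {"TXT": ["v=spf1 mx -all"]},
    "**.example.org.":   {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},  # always, even beside own TXT
})


if __name__ == "__main__":
    for q in ("mail.example.com", "nowhere.example.com", "example.com",
              "x.mail.example.com", "host.example.org", "gone.example.org"):
        print(q, "TXT", SAMPLE_ZONE.lookup(q, "TXT"))
```

Two results illustrate the disagreement in the thread: `mail.example.com` exists but has no TXT, so only the "+" record answers it and the classic "*" stays silent, whereas `nowhere.example.com` is NXDOMAIN and is answered only by "*". `host.example.org` shows the "**" case producing two TXT records of the same type, and `x.mail.example.com` shows that a wildcard under `example.com` does not reach past the existing `mail.example.com` node.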

