spf-discuss

RE: Zonecuts specified in SPF draft

2005-01-14 19:46:49
william(at)elan.net [william(_at_)elan(_dot_)net] wrote:
Actually I only wanted it if the domain exists but has not specified the RR.
This would be safer from the perspective of DNS design and integration
with existing systems (and for SPF lookups that means that the new
wildcard record is only used if the answer is NODATA but not with
NXDOMAIN - for which you usually do not get an AUTHORITY section).

This would be inconsistent with the behavior of *, and I fear that
would scare off the IETF DNS guys more than necessary.  If you really
want to do that, then you should at least call it something like +
instead of **, to indicate that it only applies to domains that
already exist.

I think it might scare off the IETF DNS guys more if we insist on both
existing and non-existing domains. Personally I'm not against doing it
for both, actually.

What have the namedroppers guys been saying about introducing a new
wildcard?  Are there any other known use-cases for a new wildcard beyond
SPF zone cut defaulting?

"**" appears to me like "apply to all domains, existent or not, and
even if there is already a RR of the same type defined, i.e. possibly
generate multiple records of the same type".

*  -- apply only to non-existent domains.

+  -- apply only to existent domains for which there is not already a
      RR of the same type.  (If just "+" is not allowed, make that
      "*=".)

*+ -- apply to non-existent domains and to existent domains for which
      there is not already a RR of the same type.  (formerly *!)

** -- apply to all (non-existent and existent) domains, regardless if
      there is already a RR of the same type.

Not that I want to agree to the above (even though it might actually be a
good idea), but do you really expect the SPF client to check at the zonecut
for all of "+", "*+" and "**"?

No, God forbid!! :-)  As I said, I want to introduce no more than one new
wildcard at all costs (and I don't think the IETF guys would accept that
either).  We just need to think about which one would be most useful.

P.S. And are you also forgetting about:

++  -- apply only to existent domains, regardless if there is already
       a RR of the same type.

Ok, in theory.  In reality though, I don't see the point of ++.
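To make the four behaviours in the table above concrete, here is a small Python model of a zone lookup. It is an added illustration, not code from the thread or from any SPF implementation. Ordinary "*" handling follows the RFC 1034 / RFC 4592 rules (synthesis only for names that do not exist, and only from the "*" child of the closest encloser, which is why a NODATA answer is never overridden by "*"). The "+", "*+" and "**" forms are the thread's proposals, not real DNS, and the zone data, the zonecut default record and the PROPOSALS table are constructed for the example.

```python
"""Toy model of the wildcard semantics discussed in this thread.

Standard '*' matching is implemented as RFC 1034 / RFC 4592 describe it.
The '+', '*+' and '**' forms are hypothetical (the thread's proposals);
they are modelled here only to show how the four forms differ.
The zone below is constructed sample data.
"""

from typing import Dict, List, Optional, Set, Tuple

NOERROR, NODATA, NXDOMAIN = "NOERROR", "NODATA", "NXDOMAIN"
RRsets = Dict[str, List[str]]     # rrtype -> rdata strings
Zone = Dict[str, RRsets]          # owner name -> RRsets
Answer = Tuple[str, List[str]]    # (result code, rdata of the requested type)

# Constructed sample zone; owner names written without a trailing dot.
ZONE: Zone = {
    "example.com":        {"TXT": ["v=spf1 mx -all"], "MX": ["10 mail.example.com"]},
    "mail.example.com":   {"A": ["192.0.2.25"]},     # exists, but has no TXT -> NODATA
    "www.example.com":    {"A": ["192.0.2.80"], "TXT": ["v=spf1 -all"]},
    "a.deep.example.com": {"A": ["192.0.2.99"]},     # makes deep.example.com an empty non-terminal
    "*.example.com":      {"TXT": ["v=spf1 -all"]},  # ordinary RFC 1034 wildcard
}

# Hypothetical prefixes from the thread: which lookup outcomes the default
# record published at the zonecut would override.  '*' is not listed because
# it is the ordinary wildcard, handled by lookup() with the closest-encloser rule.
PROPOSALS: Dict[str, Dict[str, bool]] = {
    "+":  {"nxdomain": False, "nodata": True, "has_rr": False},
    "*+": {"nxdomain": True,  "nodata": True, "has_rr": False},
    "**": {"nxdomain": True,  "nodata": True, "has_rr": True},
}


def existing_names(zone: Zone) -> Set[str]:
    """Every name that exists in the zone, including empty non-terminals."""
    names: Set[str] = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def closest_encloser(existing: Set[str], qname: str) -> Optional[str]:
    """Longest existing proper ancestor of qname, or None."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:
            return ancestor
    return None


def lookup(zone: Zone, qname: str, qtype: str) -> Answer:
    """Standard lookup: '*' only applies to names that do not exist, and only
    via the closest encloser's own '*' child."""
    existing = existing_names(zone)
    if qname in existing:
        rrs = zone.get(qname, {}).get(qtype, [])
        return (NOERROR, list(rrs)) if rrs else (NODATA, [])
    encloser = closest_encloser(existing, qname)
    if encloser and f"*.{encloser}" in zone:
        rrs = zone[f"*.{encloser}"].get(qtype, [])  # synthesised answer
        return (NOERROR, list(rrs)) if rrs else (NODATA, [])
    return (NXDOMAIN, [])


def lookup_with_default(zone: Zone, zonecut: str, default: RRsets,
                        form: str, qname: str, qtype: str) -> Answer:
    """Hypothetical: apply a default RRset, imagined as published at
    <form>.<zonecut>, on top of the standard lookup with the thread's semantics."""
    rcode, rrs = lookup(zone, qname, qtype)
    extra = default.get(qtype, [])
    in_cut = qname == zonecut or qname.endswith("." + zonecut)
    if not extra or not in_cut:
        return rcode, rrs
    rule = PROPOSALS[form]
    if rcode == NXDOMAIN and rule["nxdomain"]:
        return NOERROR, list(extra)
    if rcode == NODATA and rule["nodata"]:
        return NOERROR, list(extra)
    if rcode == NOERROR and rule["has_rr"]:
        return NOERROR, rrs + list(extra)   # '**': two records of the same type
    return rcode, rrs


if __name__ == "__main__":
    default = {"TXT": ["v=spf1 a mx -all"]}
    for q in ["www.example.com", "mail.example.com",
              "nobody.example.com", "x.deep.example.com"]:
        print(q, "standard:", lookup(ZONE, q, "TXT"),
              *(f"{f}: {lookup_with_default(ZONE, 'example.com', default, f, q, 'TXT')}"
                for f in PROPOSALS))
```

Two of the rows are the ones the thread turns on: mail.example.com exists without a TXT record, so it is NODATA and untouched by "*" but picked up by "+", "*+" and "**"; x.deep.example.com does not exist, yet "*.example.com" does not match it either because deep.example.com exists as an empty non-terminal, so only the "*+" and "**" forms (applied at the zonecut rather than via the closest encloser) supply a record there.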

