spf-discuss

Re: Zonecuts specified in SPF draft

2005-02-23 22:48:56
wayne wrote:

DNS experts on the IETF namedroppers list generally hate the
idea, but I think it has distracted them from complaining
about the use of TXT RRs.

LOL.

advantages of zone cuts are:
 
* A domain owner can easily put one SPF record in their
  zone(s) which will cover all hosts, even those not involved
  with email.

IIRC there was a SHOULD to have explicit SPF records for all
FQDNs used in HELO or MAIL FROM (minus wildcard oddities), so
it never was _that_ simple.  In Roger's example I'd say that
the domain owner screwed up and forgot this SHOULD.

* Zone cuts allow the domain owner to explicitly say that
  non-existent subdomains of their domain should never be
  used.

True, and I was a bit surprised when I found Julian's note
about dropping the "zone cut" again.  OTOH it's not too bad:

If a spammer forges a FQDN which does not exist at all, then
there won't be a bounce.  If the FQDN only "exists" as the
side-effect of a wild card MX, then the domain owner can add
a corresponding wild card SPF.  And if it has no MX, then the
owner just doesn't start a smtpd, which also avoids any bogus
bounce.

SPF minus "zone cut" could be a problem for the receiver, not
for the forged FQDN.  OTOH it avoids tons of useless DNS "zone
cut" queries, so maybe even receivers like it.

* Many domain owners have *assumed* that publishing an SPF
  record at the top of their zone will cover all of their
  zone.

Yes.  OTOH it was possible to find out that a wild card worked
where the zone cut didn't; it took me less than 3 months
to get the idea in 2004... ;-)

 [disadvantages]
Checking the zone cut will cause the most DNS lookups for
those domain owners that haven't opted in to SPF and, in
effect, requires them to opt out.

Opt-out of nslookup -q=ns ?  That would move the zone cut left
to right tormenting some poor TLD, is that "allowed" ?

More importantly, while RFC2181 describes what a zone cut
*is*, it does not describe how to find one by querying the
DNS.

Last year you vehemently claimed the opposite.  Therefore I
tried to find this "obvious" solution, and thought that it
might be nslookup -q=ns.  But all attempts to verify this by
direct or indirect questions to some "experts" failed, they
all refuse to discuss the issue.  It's a DNS conspiracy. ;-)

The basic problem is that the zone cut has never really been
used for anything important

NS records are important, aren't they ?

there is a lot of badly configured zones out there which will
break if they are used.

What can break ?  If there's no nameserver for a domain, then
where do its IPs come from, random generators ?  Schroedinger
caches ?

domain owners have published records that don't work well
with zone cut usage.

One real problem with zone cuts is that your draft defined %d
ambiguously.  It's always "the domain of the evaluated record",
only for the zone cut it's not.  That's blatantly inconsistent.

The only alternative that has really been suggested is that
SPF records should simply be returned for all hosts
(domains/subdomains with A or MX records).

The left-to-right stuff in CSA could be an alternative, it was
proposed by John Levine in CLEAR.  I still have an op=nosub for
an oddity with this approach.  CSA has apparently an "explicit"
bit for the same purpose.
                           Bye, Frank

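The lookup cost and coverage differences argued about in this message are easy to see with a toy resolver. The following is an added example, not code from the thread or from any SPF implementation: it models the "zone cut" fallback (query NS per label, as the "nslookup -q=ns" guess above, then use the apex record) beside plain TXT lookup with RFC 4592-style wildcard synthesis, over a constructed zone fixture. All names, addresses and records in the fixture are invented; the SPF records are deliberately minimal and no real DNS is contacted.

```python
"""Added example: compare SPF "zone cut" fallback with plain (wildcard) TXT lookup.

The fixture below is constructed for illustration; nothing here is real DNS data.
"""

QUERY_LOG = []  # every (name, rrtype) query made, so the cost of each strategy can be counted

# Constructed fixture: owner name -> {RRtype: [rdata, ...]}.  Assumed zones:
#   example.org.  publishes SPF at the apex plus a wildcard TXT
#   sub.example.org.  is a delegated child zone that publishes no SPF
#   nospf.example.  has never opted in to SPF at all
ZONE_DATA = {
    "org.":                 {"NS": ["a.tld.invalid."]},
    "example.":             {"NS": ["b.tld.invalid."]},
    "example.org.":         {"NS": ["ns1.example.org."], "MX": ["10 mail.example.org."],
                             "TXT": ["v=spf1 mx -all"]},
    "mail.example.org.":    {"A": ["192.0.2.10"]},          # real host, no SPF record of its own
    "*.example.org.":       {"TXT": ["v=spf1 -all"]},       # wildcard SPF for non-existent hosts
    "sub.example.org.":     {"NS": ["ns1.sub.example.org."]},
    "ns1.sub.example.org.": {"A": ["192.0.2.53"]},
    "nospf.example.":       {"NS": ["ns1.nospf.example."], "A": ["198.51.100.7"]},
}


def name_exists(name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in ZONE_DATA)


def parent(name):
    """Strip the leftmost label: 'a.b.' -> 'b.', 'b.' -> '.'."""
    return name.split(".", 1)[1] or "."


def query(name, rrtype):
    """Toy authoritative lookup.  Non-existent names get RFC 4592 wildcard synthesis:
    the wildcard at the closest existing ancestor applies, and only there."""
    QUERY_LOG.append((name, rrtype))
    if name_exists(name):
        return list(ZONE_DATA.get(name, {}).get(rrtype, []))
    enc = parent(name)
    while enc != "." and not name_exists(enc):
        enc = parent(enc)
    return list(ZONE_DATA.get("*." + enc, {}).get(rrtype, []))


def zone_apex(name):
    """Zone-cut discovery as speculated in the thread: ask for NS at each label from the
    name toward the root; the first owner that has NS records is the zone apex."""
    n = name
    while n != ".":
        if query(n, "NS"):
            return n
        n = parent(n)
    return "."


def spf_txt(name):
    return [t for t in query(name, "TXT") if t.startswith("v=spf1")]


def spf_plain(name):
    """Strategy without zone cut: one TXT query at the name.  Coverage of hosts that
    do not exist relies on the domain owner having published a wildcard record.
    Returns (spf record or None, domain that %d would expand to, lookups spent)."""
    start = len(QUERY_LOG)
    txt = spf_txt(name)
    return (txt[0] if txt else None), name, len(QUERY_LOG) - start


def spf_with_zone_cut(name):
    """Strategy with zone cut: record at the name, else the record at the zone apex.
    Note that on fallback %d is the apex, not the evaluated name."""
    start = len(QUERY_LOG)
    txt = spf_txt(name)
    if txt:
        return txt[0], name, len(QUERY_LOG) - start
    apex = zone_apex(name)
    txt = spf_txt(apex)
    return (txt[0] if txt else None), apex, len(QUERY_LOG) - start


if __name__ == "__main__":
    for host in ("mail.example.org.", "nonexistent.example.org.",
                 "host.sub.example.org.", "www.nospf.example."):
        print(host, "plain:", spf_plain(host), "zone cut:", spf_with_zone_cut(host))
```

Running it shows the trade-offs from the message: the wildcard covers a forged non-existent host in one lookup but not the real host `mail.example.org.` (an existing name suppresses the wildcard), the zone-cut walk covers that host at the price of four lookups with %d shifted to the apex, a delegated child zone still needs its own record under either strategy, and a domain that never opted in pays the full four-lookup walk for every host.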