Re: RE: rr.com and SPF records

Dave,

I certainly don't claim to be a DNS expert, but have lived with managing 
DNS for my company's network for over 10 years.  Naturally, implementation 
choices in DNS environments vary, but in general, I think that most folks 
gate recursion such that it is available for internal network users to use 
for resolving requests and not something one generally enables for the 
world to use.
Perhaps I am not entirely clear on what you are asking or suggesting in 
your message, if so please forgive me.  Put very simply, DNS provides a 
hierarchical distributed system to ask a question and get an answer quickly 
and efficiently for performing such functions as connecting a name to an IP 
address.  While it is not a perfect system, it seems one of the more solid 
and reliable workhorse services used on the Internet.
From end to end the system can look a bit intimidating and somewhat 
overwhelming, but it actually is pretty straight forward and logical once 
one starts working with it.
Perhaps looking at an example where we need to establish a connection to 
FOO.EXAMPLE.TLD might help answer your question (or minimally help me to 
clear up my own confusion about what you are asking).
In our example, client software is going to begin by needing an IP address 
for FOO.EXAMPLE.TLD, which is ultimately obtained in this case via 
something called a resource record (RR) provided from a DNS server which 
has authority for the EXAMPLE.TLD zone.
Your software will need to know how to get to a local DNS server that acts 
as a local DNS resolver.  In a consumer ISP environment, that comes from 
the (generally one or two) DNS Server IPs provided by the consumer's ISP 
which are configured into the customer's operating system during setup or 
later by changing network settings for a customer's client device.
That resolving DNS server will generally be set up by an ISP to provide the 
ISP's customers with recursive queries, such that when requests are made to 
that DNS server, it does the lion's share of the work to discover and send 
an answer back to the requesting software on the customer's client 
device.  That actually works out quite well, because these kinds of 
resolving DNS servers will use caching to retain the answers they discover 
for a period of time (called the time to live or TTL), so others who ask 
the same question can get an answer far more rapidly.
So let's presume for this example that our DNS resolver is at 
10.0.0.10.  Our software poses the question "where is FOO.EXAMPLE.TLD" to 
its configured DNS resolving server.  Under normal circumstances the 
10.0.0.10 DNS server is going to check its cache to see if it already knows 
the answer to this and a few other questions.  To simplify the discussion, 
let us presume that no data exists in the local DNS server's cache.
That being the case, 10.0.0.10 is going to go to the root servers (a well 
known set of DNS servers that are managed by a variety of entities around 
the world and are known to DNS servers generally from a file loaded with 
root IP address and name information that a DNS server checks when it 
starts up) to check for the Start of Authority (SOA) and to get the Name 
Server (NS) records for the ".TLD" zone.
Once 10.0.0.10 has that information, it will then go to the top level 
domain name servers for ".TLD" which it was just provided by the root 
servers to get the SOA and the appropriate NS records for "EXAMPLE.TLD" zone.
Once this is known, 10.0.0.10 will then go to the name servers responsible 
for an authoritative answer for the EXAMPLE.TLD zone to find out the 
address (A) record for "FOO.EXAMPLE.COM".  The A record will provide 
10.0.0.10 the IP address of FOO.EXAMPLE.TLD and that is what will get 
returned to the software on the customer's client device that made the 
original request.
Notice that the elegance of this system is that it is the 10.0.0.10 
customer's DNS resolving server which does most of the work to get the 
answer back to the customer's requesting software, distributing the 
questions over a series of other servers and caching the answers for future 
use as it gets them from various servers along the path to the answer.
Our example above could have just as easily been to request DNS TXT RR 
records for FOO.EXAMPLE.COM, which would then have returned one or more TXT 
records instead of the A record back to 10.0.0.10 which in turn would go 
back to the requesting customer's client device to answer the question posed.
Getting back to your post, I hope I have explained clearly enough so you 
can now see why it is really the local 10.0.0.10 DNS server that needs to 
have the recursion available (RA) bit set on answer to the recursion 
desired (RD) bit set on question for the requesting software on the 
customer's client device, rather than the remote DNS server that provides 
the final authoritative answer.  It is generally in everyone's best 
interests to want the local 10.0.0.10 server to do all that work to 
distribute the processing load required to get the answer to the software 
on the customer's client device.
When you asked about knowing all the sub domains for a domain (I think you 
asked that), this is accomplished via a zone file transfer.  I don't think 
that most folks allow general access to that kind of information unless it 
is for a third party DNS secondary server transfer.  Because the original 
requesting software will know a specific sub domain it may be checking, I 
am a bit confused as to why you would want this available from the remote 
server side.
OTOH, if you are asking does RR.COM cache internally, while I have no 
knowledge to authoritatively answer that question, I would certainly 
imagine they would.  But why would RR.COM be scanning its own DNS TXT 
records unless it was dealing with messages sent from within the RR.COM 
universe?  If you are asking that question, I am still apparently confused.
Most of the time, I am guessing, checking for SPF TXT records will come 
from a remote DNS server looking to verify if such a record exists so as to 
pass information along to an SPF record checking application to perform its 
own SPF processing on an inbound message within its own network.  For that, 
it would use its own caching DNS server's recursive capability.
I think that I have interpreted what you were asking correctly and that 
this helps provide something of an understandable and I hope reasonably 
accurate answer to your question.
Best,

Alan Maitland
WebMaster(_at_)Commerco(_dot_)Net
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/

At 04:38 PM 3/20/2005, you wrote:

> From: william(at)elan.net
> Date: Sat Mar 19 2005 - 15:27:44 EST
>
> > On Fri, 18 Mar 2005, David MacQuigg wrote:
> >
> > > This is probably a naive question, but please understand, I'm an 
> > electrical
> > > engineer, not a DNS expert. My knowledge of DNS is from Chapter 14 in 
> > TCP/IP
> > > Illustrated, W.R.Stevens.
> > >
> > > As I understand it, DNS provides a "recursive query" capability 
> > whereby one
> > > query to a domain like rr.com will provide an authoritative answer for any
> > > subdomain under rr.com. Even if the DNS server at rr.com doesn't have the
> > > complete DNS records for all its subdomains, they will most likely be in a
> > > local cache, since there will be frequent queries to rr.com for this
> > > information.
> > >
> > > Seems like we should *require* that SPF queries set the RD bit (recursion
> > > desired), and expect that any domain with as complex a setup as rr.com set
> > > the RA bit (recursion available). Then DNS will do the recursion (not some
> > > SPF checking program), and each subdomain will have its own very 
> > simple SPF
> > > record.
> >
> > Your understanding is very much incorrect (and I would recommend reading
> > specific book on DNS rather then general one on TCP/IP if you want to
> > understand DNS).
> I just read some sections from "DNS & BIND", 4th ed.  This is much more 
> detailed, and think Chapter 14 of TCP/IP provides a better summary of the 
> basics we need for this discussion.  Of course, I could be 
> misunderstanding something, and I would like to know if that is the 
> case.  If you could refer me to a specific part of DNS & BIND, or some 
> other reference, I'll be happy to read it.
> > When somebody is talking about DNS server providing
> > recursive capabilities what it means is that when you talk to a dns, that
> > server if it encounters a reference to another server (NS) will do query
> > itself and provide the answer to the client that asked - that is when RD
> > bit is set on request. When its not set or when dns server is not recursive,
> > then its up to the dns client to do proper dns lookup to the listed NS 
> > server.
> This is my understanding also, with the one clarification that the 
> recursive query only works with subdomains.  Instead of the above, I would 
> say "when the client queries a DNS nameserver (NS), and NS doesn't have a 
> current record for one of its subdomains, NS may itself query the 
> nameserver from that subdomain, and provide the answer it gets from the 
> subdomain as a response to the client, thus saving traffic to and from the 
> client."
> > DNS protocol being multi-tier tree can not support providing all subdomains
> > as that would be both a security risk and would lead to serious slow-down
> > in the lookup system.
> This is where I am really puzzled.  It seems the *intent* of the recursive 
> capability in DNS is to speed things up in exactly the scenario we are 
> discussing with rr.com.  Say, for example, rr.com gets 10,000 queries per 
> hour for SPF records from austin.rr.com.  Most likely it will have that 
> information in its cache, and can respond directly without even querying 
> its subdomain.  Even if a query to the subdomain is necessary, it is 
> likely a lot faster than a query from the client to the subdomain.  ( 
> Might even be a server in the same building.)  Having once queried its 
> subdomain, rr.com can now respond to thousands of subsequent queries using 
> only the data in its cache.
> The bigger and more complex the setup under rr.com, the greater the 
> advantage in using the recursive capabilities of DNS itself.  Keep the 
> records in each subdomain very simple, one or two IP addresses, or maybe 
> an IP block, and let the DNS server at rr.com put it all together 
> automatically, in its cached records, using the recursion already 
> available DNS.
> This doesn't take care of the situation where some other domain, not under 
> rr.com, wants to authorize some server under rr.com, but that odd 
> situation is where we actually need SPF to do the recursion using 'include'.
> I'm probably missing something important here, so please explain.
>
> -- Dave
>
> *************************************************************     *
> * David MacQuigg, PhD              * email:  dmq'at'gci-net.com   *  *
> * IC Design Engineer               * phone:  USA 520-721-4583  *  *  *
> * Analog Design Methodologies                                  *  *  *
> *                                  * 9320 East Mikelyn Lane     * * *
> * VRS Consulting, P.C.             * Tucson, Arizona 85710        *
> *************************************************************     *
>
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
> To unsubscribe, change your address, or temporarily deactivate your 
> subscription, please go to 
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com