spf-discuss

RE: RE: rr.com and SPF records

2005-03-20 21:35:54

On Sun, 20 Mar 2005, David MacQuigg wrote:

Alan,

Thanks for your description of DNS, and your willingness to help with my dumb questions. I guess we lost track of the question somewhere in this long thread. The question is -- Why doesn't SPF make more extensive use of the built-in recursion capability of DNS?

This question was motivated by the struggle I'm seeing over the question of how many DNS queries to allow. The rr.com example had difficulty fitting within the allowed 10 queries. Radu suggests "flattening" all records to just a list of IPs. That might be inconvenient for a domain that wishes to "delegate" all responsibility for these records to their subdomains.

The seemingly obvious solution is that rr.com answer all queries to nameservers in any of their subdomains, using the recursion mechanism in DNS. That way, the DNS records maintained by each subdomain can be very simple, and you don't run into any 10-query limit at rr.com. I must be missing something, because it seems too simple.

No, that is not how DNS works, as Alan tried to explain (and he can do it better than I can, since I'm usually too technical). First of all, DNS redirect is triggered by specific DNS records, i.e. NS and nothing else (and SPF redirects and sublookups are completely different and nothing that can be easily implemented within DNS). 2nd, recursion is available from DNS servers run by ISPs for their customers - these are often called "caching" DNS servers, and the servers that keep the actual DNS domain records are separate ones and typically would have recursion disabled. 3rd is that SPF is aimed as an email security solution that would not require many updates to email servers and to DNS servers, so that it could be deployed quicker - that is why SPF decided to (ab)use TXT records (not something I agree with, BTW), and anything that would require changes to the DNS protocol and DNS server software will take a long time (2-5 years) to become widely used.

I think O'Reilly has a good book on DNS ("DNS & BIND", it's in its 3rd or 4th edition now) and there are a number of good references at http://www.dns.net/dnsrd/, and if you're an engineer you can just go ahead and read the RFCs (particularly RFC1034), so please do read more on DNS if you really want to talk about it.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
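As an added illustration of the point above (this code is not from the thread or from any of its participants), the SPF evaluator itself walks include: and redirect=, so every one of them costs a query against the limit of 10 DNS-querying terms, and "flattening" only removes the ones that resolve to ip4/ip6 terms. The zone below is constructed under example.net, not rr.com's real records, and the 10-term cap is the one from RFC 7208 section 4.6.4.

```python
# Constructed toy zone (not rr.com's real records): domain -> SPF TXT record.
ZONE = {
    "example.net": "v=spf1 include:east.example.net include:west.example.net include:north.example.net -all",
    "east.example.net": "v=spf1 a mx ip4:192.0.2.0/24 include:shared.example.net -all",
    "west.example.net": "v=spf1 a/24 mx ip4:198.51.100.0/24 include:shared.example.net -all",
    "north.example.net": "v=spf1 a mx ip4:203.0.113.0/24 redirect=shared.example.net",
    "shared.example.net": "v=spf1 ip4:192.0.2.250 ip6:2001:db8::/32 -all",
}

def parse(term):
    """Split one SPF term into (qualifier, mechanism, argument)."""
    qual = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    if body.startswith("redirect="):
        return qual, "redirect", body[len("redirect="):]
    mech, _, arg = body.partition(":")
    return qual, mech.lower(), arg

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms the SPF evaluator (not DNS) issues for domain; more than 10 is a permerror."""
    if domain in path:
        raise ValueError("include/redirect loop via " + domain)
    total = 0
    for term in zone.get(domain, "v=spf1").split()[1:]:
        _, mech, arg = parse(term)
        if mech in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif mech.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1  # these still cost a query after flattening
    return total

def flatten(domain, zone, out=None):
    """Hoist pass-qualified ip4/ip6 terms through include:/redirect=. Bare a/mx are
    pinned to their own subdomain; non-pass terms inside an include never match, so they are dropped."""
    top = out is None
    out, tail = ([] if top else out), "-all"
    for term in zone.get(domain, "v=spf1").split()[1:]:
        qual, mech, arg = parse(term)
        if mech in ("include", "redirect"):
            flatten(arg, zone, out)
        elif mech == "all":
            tail = term  # only the top-level record's all term is kept
        elif qual != "+":
            continue
        elif mech.split("/")[0] in ("a", "mx") and not arg:
            name, _, cidr = mech.partition("/")
            out.append(name + ":" + domain + ("/" + cidr if cidr else ""))
        elif term not in out:
            out.append(term)
    return "v=spf1 " + " ".join(out + [tail]) if top else out
```

For the constructed zone, count_lookups reports 12 (over the limit), while the flattened record still needs 6 queries because the a/mx terms of each subdomain cannot be resolved without live DNS.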

