spf-discuss

RE: Re: DNS load research

2005-03-21 14:44:02
Guy,

What about this simple scenario:

My domain is alaia.net.  Let's just assume for a minute that my SPF
record is "v=spf1 MX -all".  And let's assume that my mx record is
primarymx.myisp.net (10) and backupmx.myisp.net (20).

Since I have no control over the records at myisp.net, the DNS server
that you propose compile my SPF record must:
1)  Keep a copy of the A records for primarymx.myisp.net and
backupmx.myisp.net in cache and fetch a fresh copy every time they
expire.  And recompile my record when they do.  -OR-
2)  Automatically periodically recompile my SPF record, fetching the
current resolution of primarymx.myisp.net and backupmx.myisp.net.

AND, in either case once my record has been recompiled, I must now wait
for the TTL on MY record to expire so my SPF record is 'current'.  This
means that I have to wait for two TTL's before my record is totally
current.

As you can see, this is about as simplistic an example as there is
and does not even begin to address some of the macro-related directives.
A moderately-complex SPF record could involve a decent amount of caching
or checking.  Your proposal would overly burden a moderately large DNS
provider, such as DNSMadeEasy (who I use).  And what about DNS caching?
If the 'expensive' lookups only happen infrequently, then so what, they
are only a small portion of your overall lookups.  If they happen
frequently, then you are increasing the likelihood that the record is
already in cache.  As you said: "I think the DNS cache is good enough."

Marc
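The scenario above, worked as an added example (mine, not code from Marc, Guy or the SPF project): a toy "compiler" that expands an SPF record's mx, a and include mechanisms into literal ip4 terms over a constructed zone, gives the compiled record the minimum TTL of every remote record it touched (Guy's constraint), counts the queries the expansion needed, and reports the worst-case lag Marc describes (a source's TTL before recompilation plus the compiled record's own TTL). Terms that depend on the connecting client (macros, exists, ptr) and includes whose negative terms would change the outcome are left uncompiled, which is the macro problem Marc raises. Zone data, names and addresses are constructed documentation values; IPv4-only handling, no /cidr suffixes and no redirect= support are assumed simplifications.

```python
"""Toy SPF record compiler (added example, not code from the spf-discuss thread).

Expands the DNS-dependent mechanisms of an SPF TXT record (mx, a, include) into
literal ip4 terms, as a "compile and publish" authoritative server could, and
reports the TTL the compiled record may carry: the minimum over every remote
record consulted.  Constructed zone data; assumed simplifications: IPv4 only,
no /cidr suffix on a or mx, no redirect= handling.
"""
from dataclasses import dataclass, field

# Constructed zone data: name -> rrtype -> (ttl_seconds, rdata list)
ZONE = {
    "alaia.net": {
        "TXT": (3600, ["v=spf1 mx -all"]),
        "MX": (86400, [(10, "primarymx.myisp.net"), (20, "backupmx.myisp.net")]),
    },
    "primarymx.myisp.net": {"A": (300, ["192.0.2.10"])},
    "backupmx.myisp.net": {"A": (600, ["192.0.2.20"])},
    "myisp.net": {"TXT": (7200, ["v=spf1 ip4:192.0.2.0/24 a:smtp.myisp.net -all"])},
    "smtp.myisp.net": {"A": (300, ["198.51.100.5"])},
    "example.org": {
        "TXT": (3600, ["v=spf1 include:myisp.net exists:%{i}.rbl.example.org -all"]),
    },
}


@dataclass
class Compiled:
    record: str          # flattened SPF text to publish
    ttl: int             # must not exceed the TTL of any remote source record
    queries: int         # remote DNS queries the compilation needed
    worst_case_lag: int  # seconds before a source change is visible to every verifier
    uncompilable: list = field(default_factory=list)  # terms still needing a lookup per message


def _q(qual, body):
    """Attach a qualifier, leaving the default '+' implicit as SPF syntax allows."""
    return body if qual == "+" else qual + body


class Compiler:
    def __init__(self, zone):
        self.zone = zone
        self.queries = 0
        self.source_ttls = []

    def lookup(self, name, rrtype, remote=True):
        """Simulated DNS query; remote answers are counted and their TTLs recorded."""
        ttl, rdata = self.zone.get(name, {}).get(rrtype, (0, []))
        if remote:
            self.queries += 1
            if rdata:
                self.source_ttls.append(ttl)
        return rdata

    def spf_text(self, domain, remote=True):
        for txt in self.lookup(domain, "TXT", remote):
            if txt.startswith("v=spf1 "):
                return txt
        raise ValueError(f"no SPF record for {domain}")

    def flatten(self, domain, remote=True):
        """Return (terms, uncompilable): the record's terms with mx/a/include expanded."""
        out, unc = [], []
        for term in self.spf_text(domain, remote).split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            mech, _, arg = body.partition(":")
            if "%{" in body or mech in ("exists", "ptr") or "=" in body:
                # Macros, exists and ptr depend on the connecting client; modifiers pass
                # through.  None of these can be resolved ahead of time.
                out.append(term)
                unc.append(term)
            elif mech in ("all", "ip4", "ip6"):
                out.append(term)
            elif mech in ("a", "mx"):
                target = arg or domain
                hosts = [h for _, h in sorted(self.lookup(target, "MX"))] if mech == "mx" else [target]
                for host in hosts:
                    out += [_q(qual, f"ip4:{ip}") for ip in self.lookup(host, "A")]
            elif mech == "include":
                inner, inner_unc = self.flatten(arg)
                # include matches only when the included record yields "pass", so only its
                # '+' terms carry over.  A fail/softfail/neutral term ahead of them would
                # change the outcome for some clients, so such an include is kept verbatim.
                blocking = [t for t in inner if t[0] in "-~?" and t.lstrip("-~?") != "all"]
                if inner_unc or blocking:
                    out.append(term)
                    unc.append(term)
                else:
                    for t in inner:
                        if t.lstrip("+-~?") != "all":
                            out.append(_q(qual, t.lstrip("+")))
                        elif t[0] not in "-~?":
                            out.append(_q(qual, "all"))  # '+all' inside the include
            else:
                raise ValueError(f"unknown SPF term {term!r}")
        return out, unc


def compile_spf(domain, zone=ZONE):
    """Compile domain's SPF record the way an SPF-aware authoritative server could."""
    c = Compiler(zone)
    terms, unc = c.flatten(domain, remote=False)  # own zone data costs no query
    own_ttl = zone[domain]["TXT"][0]
    ttl = min(c.source_ttls) if c.source_ttls else own_ttl
    # A source change is picked up only when that source's TTL expires, and the
    # already-cached compiled record then lives out its own TTL on top of that.
    lag = (max(c.source_ttls) if c.source_ttls else 0) + ttl
    return Compiled("v=spf1 " + " ".join(terms), ttl, c.queries, lag, unc)


if __name__ == "__main__":
    for name in ("alaia.net", "example.org"):
        r = compile_spf(name)
        print(f"{name}: {r.record}  (ttl={r.ttl}s, queries={r.queries}, "
              f"worst-case lag={r.worst_case_lag}s, per-message terms: {r.uncompilable})")
```

Run as a script it compiles both constructed records. For alaia.net the output is "v=spf1 ip4:192.0.2.10 ip4:192.0.2.20 -all" with a 300-second TTL, capped by the MX hosts' A records rather than the 24-hour MX record, and a change at one of those hosts can take up to 86400 + 300 seconds to reach every verifier, which is the two-TTL delay Marc points out. For example.org the include is flattened but the exists term with its %{i} macro stays, so that record still costs a query per message even after compilation.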

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Guy
Sent: 03/21/2005 4:07 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Re: DNS load research

Maybe you missed my point.  What I am suggesting is that my DNS server
compile my SPF record and publish the compiled record.  The TTL of the
compiled record must not exceed any TTL of any source info.  So, the
compiled SPF record would stay in cache (I guess) until the TTL is
exceeded.
Then re-compile it, or wait until someone asks for it, then compile it.
All of the source info can be cached as normal (like includes), or
requested if not in the cache.  The DNS protocol would not change!!!!!
Other than having an SPF record type.  Maybe even the TXT SPF record
could be compiled, why not?

I can see 5 options:
SPF-COMPILE (yes/no)        self explanatory IMO

SPF-FETCH (yes/no)          request any remote info, examples:
                                include:myisp.com
                                a=smtp.myisp.com

SPF-PRECOMPILE (yes/no)     Keep compiled SPF records handy so SPF-NODELAY
                            would not normally apply.  I guess the
                            pre-compile should start before the old record
                            expires.

SPF-NODELAY (yes/no)        yes = if no compiled record is in memory,
                            then give un-compiled record now,
                            but also compile the record for future use.
                            No = don't respond until the SPF record
                            is compiled.

SPF-COMPILE-OTHER (yes/no)  Yes = Compile other people's SPF records
                            when they are requested.  In this case, no
                            need to compile any includes, those will be
                            handled as another request.  I don't think
                            this is a good option, the DNS cache will
                            handle this.

I don't understand your comment about the extra bandwidth.  Compiling an
SPF record(s) once every few hours would be less effort (bandwidth) than
having an expensive SPF record that takes 5-111 lookups every email
(including forged).

I did not intend a DNS server to compile other people's SPF records.
However, maybe that is a viable option also.  I think the DNS cache is
good enough.

So far, I have devoted 20 or so minutes to this idea!  I am sure it
could be improved.

Guy

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Marc Alaia
Sent: Monday, March 21, 2005 3:12 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Re: DNS load research

Maybe one day there will be an SPF record type.  Then the DNS servers
could optionally compile the SPF record to a simpler (less expensive)
form, automatically!  Even "include:"s could be pulled in, as long as
the TTL is obeyed, and the SPF record re-compiled when something
expires.

That would be awesome. But even then we'll have to support 'legacy' SPF
clients, and they will seem awfully expensive by comparison to the
server-compiled SPF records, but we'll be stuck with them.

And how is this any better than the existing 'problem'?  You are
proposing removing some processing and traffic in favor of more
processing and bandwidth.  Your proposal involves changing DNS servers so
that they would have to take a 'source' (i.e. SPF Classic) TXT record
(which they will have to keep on hand for periodic recompiling) and
compile it into an all-IP SPF record.  Your proposal now also requires
that the authoritative DNS server for this domain must either keep in
cache every piece of information to compile the record or periodically
go out and re-request this information.  So all of the bandwidth and
processing that you propose to save has been reconsumed.

Marc

-------
Sender Policy Framework: http://spf.pobox.com/ Archives at
http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
