spf-discuss

SPF-compiling DNS Server

2005-03-24 10:03:49
At 08:51 PM 3/23/2005 -0500, Radu wrote:
> <...>
> If DNS servers would include a record compilation function, then it would be no problem to have a very low limit for SPF records that are given by the authoritative server to queries, and an arbitrary, much higher limit for the records that the compiler uses as input.
>
> <...>
>
> Thus, the record configured by the zone admin and the record served by the server software would be completely different, but equivalent. The former would be heavy with convenient A, MX, INCLUDE mechanisms, while the latter would be a list of IPs ending in a redirect.

I think the compiling-DNS server idea is brilliant, and it is just the solution to the DDOS problem described, but only if it is coupled with a low limit on the checker processing. Otherwise, it's marginally useful.

The version of libspf2 that I am working on will include compile functionality, and I will also demonstrate a patch to MyDNS that implements a built-in compiler. I suspect it will be a very simple patch as the compile function is in the library. Then perhaps others can follow the example and create patches for other name servers.

If standardization of SPF is some time away (1 year or more), there will be plenty of transition time for NS servers to be updated. Note that not all domains will need to update their server, they can simply use spfcompile and $INCLUDE its output, or just publish records that comply with the draft. Public NS services that allow users to publish arbitrary TXT records will likely want to consider updating, in order to offer maximum convenience to their customers.

This way, the DNS servers are not _required_ to be upgraded. If not upgraded, the records published through them will have to be cheap. If updated, the records published through them will be convenient. I think this will be a good incentive for those who want to publish convenient records to upgrade, without forcing anyone else to upgrade.

In addition to patches for the various name servers, it would be nice to have something that could be deployed rapidly, without even stopping a running DNS server. Then when the new admin needs to update an SPF record written a year ago by someone who left the company, all he has to do is download a wizard with a nice user interface, something like mxtoolbox.com.

Take a look at how that website displays the SPF record for pobox.com. We have a very nice tabular format, with descriptions for each mechanism. That could be an editable listbox. Then below that we have the string-formatted record. This is where we could add a warning - too many lookups, and a link to the Best Practices page. Below the formatted record, we could display the fully-compiled record, ready to cut-and-paste into your DNS server. (Or with the proper permissions set up, ready to "Update Now" with a click of a button.) Maybe we need a warning here too, in case the compiled record is longer than 512 bytes.

The wizard could also be used from the SPF website without any download. The user would enter the domain name, and the wizard would load the existing SPF record, ready to edit. The only limitation would be you have to cut-and-paste the final result, rather than push an Update Now button. Admins that do infrequent updates would likely use the web interface.

If we make this nice enough, admins will update their records long before SPF-doom arrives.

-- Dave

--
David MacQuigg, PhD            email: dmquigg-spf(_at_)yahoo(_dot_)com
IC Design Engineer             phone: USA 520-721-4583
Analog Design Methodologies    9320 East Mikelyn Lane
VRS Consulting, P.C.           Tucson, Arizona 85710
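The record compiler the thread is talking about, as an added example written for this page (it is not libspf2, MyDNS, spfcompile or mxtoolbox code). It resolves the a, mx, include and redirect terms of a "convenient" source record against a constructed in-memory DNS table (every name and address below is made up from documentation ranges, so it runs offline), counts the DNS lookups a checker would spend on the source record and warns when it exceeds the limit of 10 that the post wants checkers to enforce, warns when the compiled record is longer than 512 bytes, and splits it into 255-byte TXT strings. It refuses to compile what cannot be pre-resolved (ptr, exists, macros, dual-cidr) and non-pass terms inside an include, since an include only matches on "pass" and flattening a -ip4 out of an include would change the policy.

```python
"""Flatten a "convenient" SPF record (a, mx, include, redirect) into the
ip4/ip6 list a compiling name server would publish.  Added example written
for this page; it is not libspf2, MyDNS or spfcompile code."""
import ipaddress
from dataclasses import dataclass

# Constructed in-memory DNS so the example runs offline.  All names and
# addresses are made up (RFC 5737 / RFC 3849 documentation ranges).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx a:mail.example.com include:_spf.partner.example -all"],
        "MX": ["mx1.example.com", "mx2.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.11"], "AAAA": ["2001:db8::11"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "_spf.partner.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 a -all"],
                             "A": ["198.51.100.1"]},
    # Too convenient: eleven lookups, over the checker budget.
    "heavy.example": {"TXT": ["v=spf1 " + " ".join(["a:mx1.example.com"] * 11) + " -all"]},
    # Depends on the connecting IP, so it cannot be pre-resolved.
    "unsafe.example": {"TXT": ["v=spf1 ptr -all"]},
}

MAX_LOOKUPS = 10        # RFC 4408 budget for a/mx/ptr/exists/include/redirect
TXT_STRING_MAX = 255    # longest single <character-string> inside a TXT RR
UDP_PAYLOAD_MAX = 512   # classic DNS-over-UDP reply size without EDNS0
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


class SPFCompileError(Exception):
    pass


@dataclass
class Compiled:
    record: str        # the flat v=spf1 ... record to publish
    strings: list      # the same record split into <=255-byte TXT strings
    lookups: int       # DNS lookups the *source* record would cost a checker
    warnings: list


def lookup(name, rtype):
    """Stand-in for a resolver query against the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    recs = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if len(recs) != 1:
        raise SPFCompileError(f"{domain}: expected one v=spf1 record, found {len(recs)}")
    return recs[0]


def host_ips(host):
    """ip4/ip6 terms for one hostname (the target of an a: or mx: mechanism)."""
    return [("ip4", a) for a in lookup(host, "A")] + [("ip6", a) for a in lookup(host, "AAAA")]


def _flatten(domain, inside_include, state):
    """Append flattened terms for `domain` to state["terms"]; return its all term.

    Top-level and redirect targets keep every qualifier.  An include only
    matches when the included record yields "pass", so only its "+" terms are
    copied out; any other qualifier inside an include would change meaning
    when flattened, and we refuse rather than mis-compile.
    """
    redirect = None
    for term in spf_record(domain).split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("redirect="):
            redirect, state["lookups"] = term[9:], state["lookups"] + 1
            continue
        if "=" in term:            # exp= or an unknown modifier: no effect on the result
            continue
        mech, _, arg = term.partition(":")
        if "%{" in term or ("/" in term and mech not in ("ip4", "ip6")):
            raise SPFCompileError(f"{domain}: cannot pre-resolve {term!r} (macro or dual-cidr)")
        if mech in LOOKUP_TERMS:
            state["lookups"] += 1
        if mech == "all":
            return qual + "all"    # terms after all are never evaluated
        if inside_include and qual != "+":
            raise SPFCompileError(f"{domain}: {qual + term!r} inside include cannot be flattened safely")
        if mech in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)   # syntax check only
            state["terms"].append((qual, mech, arg))
        elif mech == "a":
            state["terms"] += [(qual, m, ip) for m, ip in host_ips(arg or domain)]
        elif mech == "mx":
            for host in lookup(arg or domain, "MX"):
                state["terms"] += [(qual, m, ip) for m, ip in host_ips(host)]
        elif mech == "include":
            _flatten(arg, True, state)         # the included all only means "no match"
        else:                                  # ptr, exists, unknown mechanism
            raise SPFCompileError(f"{domain}: {term!r} depends on the connecting IP")
    if redirect:
        return _flatten(redirect, inside_include, state)
    return None


def split_txt(record):
    """Split into <=255-byte strings whose plain concatenation is `record`
    (checkers join TXT strings with no separator, so spaces stay inside)."""
    strings, cur = [], ""
    for word in record.split(" "):
        if cur and len(cur) + len(word) + 1 > TXT_STRING_MAX:
            strings.append(cur)
            cur = ""
        cur += word + " "
    strings.append(cur[:-1])
    return strings


def compile_spf(domain):
    state = {"terms": [], "lookups": 0}
    terminal = _flatten(domain, False, state) or "?all"   # no all/redirect => neutral
    words = []
    for qual, mech, ip in state["terms"]:
        w = ("" if qual == "+" else qual) + f"{mech}:{ip}"
        if w not in words:                     # drop duplicates, keep order
            words.append(w)
    record = "v=spf1 " + " ".join(words + [terminal])
    warnings = []
    if state["lookups"] > MAX_LOOKUPS:
        warnings.append(f"source record costs {state['lookups']} lookups; "
                        f"checkers give PermError above {MAX_LOOKUPS}")
    if len(record) > UDP_PAYLOAD_MAX:          # the reply also carries header and question
        warnings.append(f"compiled record is {len(record)} bytes; will not fit a 512-byte UDP answer")
    return Compiled(record, split_txt(record), state["lookups"], warnings)


if __name__ == "__main__":
    for d in ("example.com", "heavy.example"):
        c = compile_spf(d)
        print(d, "->", c.record, f"({c.lookups} lookups)", *c.warnings)
```

Two caveats a practitioner would keep in mind. The compiled record freezes whatever the A and MX records said at compile time, so a compiling name server (or a cron job around a tool like this) has to recompile whenever those change, or the published policy silently drifts from the convenient source record. And the 512-byte check above is conservative in the wrong direction: the whole DNS reply, not just the TXT data, has to fit, so a record near the limit should be tested with a real query before it goes live.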

