"David MacQuigg" opined:
> At 11:04 AM 3/24/2005 -0700, Alan Maitland wrote:
>> Which IP address? IP Address in the DNS Query - did you mean
>> response? The IP address of the requesting party is already known. Sorry
>> to be obtuse, but I really don't understand what you mean.
> As I understand it, an SPF query generated by a receiver does not include
> the sender's IP address in that query. That IP address is passed as one of
> the arguments to the check_host() function, but it is not used when
> check_host() constructs the SPF query. The DNS server which receives the
> query therefore has no ability to run the SPF check itself, or to log the
> IP for later forensics, etc.

The IP address can be made available to the DNS server by using the 'i' macro
letter to insert the IP address into some extended form of the domain to be
queried, thus making it available to the domain owner for validation, analysis,
etc.

> We reached a consensus that having the DNS server run the check is no
> advantage, and forfeits a major benefit of DNS, having the receiver cache
> the response. If the DNS server responds with only "That IP is good.", the
> answer is not as useful as "Here are all my authorized IPs. Don't ask
> again for 24 hours."
> We haven't yet decided if the remaining small benefit of sending an IP in
> the query is worth the small price of changing the spec to add a few bytes
> of new information.

This option to have the IP address returned is under the control of the policy
formulator, not the recipient. So it is the sender and his/her DNS operator who
can make this trade-off decision by themselves - both options are present in the
current spec. The SPF community as a whole does not have to make this decision.

> I hope I got this right. :>)
> -- Dave
Chris Haynes
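The following is an added illustration of the point argued in this message; it is not code from the thread or from any SPF implementation. It expands SPF macros the way RFC 4408/7208 define them, then shows both sides of the trade-off: a plain record (ip4:, a, mx) causes the receiver to query only fixed names that carry nothing about the connecting client, so the answer is cacheable and the DNS operator learns no IP; a record using the 'i' macro in an exists: mechanism (the form exists:%{ir}.%{v}._spf.%{d} is the conventional way of doing this and is assumed here) puts the client IP into the queried name, and the policy owner's name server can read it back out. The domains, addresses and sender are the RFC 7208 example values, used as constructed input; ptr, which does its own reverse lookup, is left out of the query listing.

```python
import ipaddress
import re
from urllib.parse import quote

# macro-expand per RFC 7208 section 7.1:
#   %{<letter><digits><r><delimiters>}  or the escapes  %%  %_  %-
MACRO_RE = re.compile(
    r"%(?:\{([slodipvhSLODIPVH])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))"
)


def ip_as_macro_text(ip: str) -> str:
    """Render the client IP the way the 'i' macro does: dotted quad for
    IPv4, 32 dot-separated hex nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(spec: str, ip: str, domain: str, sender: str,
                  helo: str = "unknown") -> str:
    """Expand an SPF macro-string. <ip> is the connecting client address
    that check_host() received, <domain> the domain whose record is being
    evaluated, <sender> the MAIL FROM address."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    values = {
        "s": sender,
        "l": local or "postmaster",
        "o": sender_domain,
        "d": domain,
        "i": ip_as_macro_text(ip),
        "v": "in-addr" if addr.version == 4 else "ip6",
        "h": helo,
        "p": "unknown",  # validated reverse name; not looked up here
    }

    def repl(m):
        letter, digits, reverse, delims, escape = m.groups()
        if escape:
            return {"%": "%", "_": " ", "-": "%20"}[escape]
        value = values[letter.lower()]
        # split on the delimiter set (default "."), reverse if asked, keep
        # the rightmost N parts, then always rejoin with "."
        parts = re.split("[" + re.escape(delims or ".") + "]", value)
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        out = ".".join(parts)
        return quote(out, safe="") if letter.isupper() else out

    return MACRO_RE.sub(repl, spec)


def dns_names_queried(record: str, ip: str, domain: str, sender: str) -> list:
    """Names a receiver resolves while evaluating <record> for <domain>.
    ip4:/ip6: terms are compared locally and cause no query; a, mx,
    include, exists and redirect= query the macro-expanded domain-spec,
    or <domain> itself when none is given."""
    names = []
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")            # drop the qualifier
        if mech.startswith("redirect="):
            names.append(expand_macros(mech[len("redirect="):], ip, domain, sender))
            continue
        name, _, arg = mech.partition(":")
        name = name.split("/")[0]             # "a/24" -> "a"
        if name in ("a", "mx", "include", "exists"):
            target = arg.split("/")[0] if arg else domain
            names.append(expand_macros(target, ip, domain, sender))
    return names


def recover_ip_from_query(qname: str, zone_suffix: str) -> str:
    """Policy owner's side: given a name queried against a record using
    exists:%{ir}.%{v}._spf.<domain>, recover the client IP the receiver
    embedded in it. <zone_suffix> is e.g. '._spf.example.com'."""
    if not qname.lower().endswith(zone_suffix.lower()):
        raise ValueError("query is not under the _spf zone")
    labels = qname[: -len(zone_suffix)].lower().split(".")
    family, parts = labels[-1], labels[:-1]
    if family == "in-addr" and len(parts) == 4:
        return str(ipaddress.IPv4Address(".".join(reversed(parts))))
    if family == "ip6" and len(parts) == 32:
        nibbles = "".join(reversed(parts))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("malformed %{ir}.%{v} label sequence")


if __name__ == "__main__":
    # Constructed inputs: RFC 7208 example names and addresses, not real zones.
    ip, dom, sender = "192.0.2.3", "example.com", "strong-bad@email.example.com"
    plain = "v=spf1 ip4:192.0.2.0/24 a mx -all"
    macro = "v=spf1 exists:%{ir}.%{v}._spf.%{d} -all"
    print(dns_names_queried(plain, ip, dom, sender))  # the IP never leaves the receiver
    q = dns_names_queried(macro, ip, dom, sender)[0]
    print(q, "->", recover_ip_from_query(q, "._spf.example.com"))
```

Run as a script it prints `['example.com', 'example.com']` for the plain record, then `3.2.0.192.in-addr._spf.example.com -> 192.0.2.3` for the macro record. The first form is what the quoted message describes: one cacheable answer listing all authorized hosts. The second is the per-IP query the 'i' macro produces; it reaches the policy owner's name server once per client address, so it trades the cache benefit for visibility, exactly the decision the message leaves to the publisher of the record.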