spf-discuss

Re: DNS Query Format

2005-03-25 11:03:00
"David MacQuigg" declared:


Which IP address?  IP Address in the DNS Query - did you mean
response?  The IP address of the requesting party is already known.
Sorry to be obtuse, but I really don't understand what you mean.

As I understand it, an SPF query generated by a receiver does not include
the sender's IP address in that query. That IP address is passed as one of
the arguments to the check_host() function, but it is not used when
check_host() constructs the SPF query.  The DNS server which receives the
query, therefore has no ability to run the SPF check itself, or to log the
IP for later forensics, etc.

The IP address can be made available to the DNS server, by using the 'i'
macro letter to insert the IP address into some extended form of the domain
to be queried, thus making it available to the domain owner for validation,
analysis, etc.

I don't see how this works.  The 'i' macro, to the DNS server, is nothing
but a pattern ( like %{i} ) to be sent as part of a string in response to a
query from the DNS client.  As I understand it, that 'i' macro is expanded
on the client side, so the server never sees the actual IP address.  What I
am proposing is that the actual IP address be sent in the original query.

-- Dave


One of the 'ground rules' of SPF (current versions) is that it should not
require any change to the existing DNS protocols. Now there is nowhere within
the current _protocol_ in which you could carry the IP address information
required, so one has to resort to a 'trick'.  As this is, effectively, a
communication from and back to the same person, the sender, no-one else needs to
know about it. It's entirely transparent to the SPF receiver and to his DNS
server.

In outline it works like this:  Suppose an SMTP message is received from
111.222.333.444, and purports to be from the 'example.com' domain.  Using an
'exists' mechanism in the policy and the 'i' macro letter, the policy sends a
DNS query to an address composed something like this:
111.222.333.444._spf.example.com.

(I'll leave it as an exercise for the reader to compose the macro that does
this ;-))

The DNS server for the domain 'example.com' ( a specially-modified, 'trick'
server) sees the '_spf' marker and knows to extract the numeric address from the
query address.  Now it can do whatever it wishes with that information before
sending back the result of the DNS query.

Chris
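
Added example, not part of the original post: a policy term of the form `exists:%{i}._spf.%{d}` yields the kind of query name described above. The Python below expands that domain-spec on the receiver side and recovers the address on the domain owner's side; the function names, the 192.0.2.0/24 allow-list and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Subset of SPF macro expansion: letters i (client IP) and d (domain),
# optional digit count and 'r' (reverse) transformer, '.' delimiter only.
MACRO = re.compile(r"%\{([id])(\d*)(r?)\}")

def expand(spec, ip, domain):
    """Receiver side: expand macros in a domain-spec for one SMTP connection."""
    values = {"i": str(ipaddress.IPv4Address(ip)), "d": domain}
    def repl(m):
        parts = values[m.group(1)].split(".")
        if m.group(3):                      # 'r' reverses the label order
            parts.reverse()
        if m.group(2):                      # digits keep the right-most N labels
            parts = parts[-int(m.group(2)):]
        return ".".join(parts)
    return MACRO.sub(repl, spec)

def ip_from_qname(qname, marker="_spf", zone="example.com"):
    """Domain owner side: recover the client IP from a query name, or None."""
    suffix = f".{marker}.{zone}"
    name = qname.rstrip(".").lower()
    if not name.endswith(suffix):
        return None
    try:
        return ipaddress.IPv4Address(name[: -len(suffix)])
    except ipaddress.AddressValueError:     # malformed or out-of-range octets
        return None

AUTHORIZED = ipaddress.ip_network("192.0.2.0/24")   # constructed sample policy

def answer(qname, log):
    """True if the modified server should return an A record (exists matches)."""
    ip = ip_from_qname(qname)
    log.append((qname, str(ip) if ip else None))    # kept for later forensics
    return ip is not None and ip in AUTHORIZED

if __name__ == "__main__":
    log = []
    for client in ("192.0.2.10", "198.51.100.7"):   # constructed sample senders
        q = expand("%{i}._spf.%{d}", client, "example.com")
        print(q, "->", "pass" if answer(q, log) else "no match")
```

The receiver's resolver sees only an ordinary A query, so no DNS protocol change is involved; the address travels as labels in the query name.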