
Re: Use of New Mask Mechanism

2005-03-26 12:58:25
At 11:53 AM 3/26/2005 -0500, Radu wrote:
> David MacQuigg wrote:
>
> > Masks should be added to a list of IPs, only if that list is already too long to fit in one 512-byte DNS response message. In this case, a mask may allow the SPF check to return a FAIL without initiating a TCP connection to retrieve the full DNS message.
> >
> > The compiler currently has an option to specify the max length of an output SPF string, in case a name server has a lower limit for the length of TXT records.
>
> So the number of characters allowed by the name server software will dictate the max length of string that the compiler is configured to produce. Since the mask has to be in the first record, it will cause the compiler to shorten the number of bytes used for mechanisms such that the top record, including the mask and any other modifiers, fits within the server's TXT record limit.
>
> I am afraid it won't be so easy to provide a clear number like "450".
>
> BIND insists on providing the NS records for the zone with every response. The more you have, the less room is available for the TXT record. Also, when the domain name is longer, that takes some space away too. I.e., in the response packet of _s4.ohmi.org, the name takes up 13 bytes, but for a _s4.longer-domain.name.com it takes more space, leaving less available for the TXT record.
>
> It looks to me like it will take some work to figure out how many bytes are available for the TXT record, and what all the variables are.
>
> At ohmi I use 3 name servers and BIND, and the biggest TXT record I can fit into a 512-byte UDP packet is 357 bytes. YMMV, but it proves that even a seemingly conservative limit (450 or 400) is not always appropriate. If I had more slave name servers or a longer domain name, my usable TXT space would be even less.
>
> So I suspect that for sites that compile their record with a cron job, they should find a value for the -len parameter that works on their system. Alternately, the compiler should automatically figure it out.

If we want the compiler to run independently of any nameserver, and avoid the problems we will encounter with patches or upgrades, we need a very simple procedure to determine the record length. If your first SPF record is 200 characters, and the resulting DNS packet is 250, then you know the "overhead" is 50 characters, and you should set the maximum length for the compiler at (512 - 50).

I'm not familiar with the operational details of nameservers. Is the above procedure something we can recommend?

-- Dave

**************************************************************
* David MacQuigg, PhD          email: dmquigg-spf at yahoo.com *
* IC Design Engineer           phone: USA 520-721-4583         *
* Analog Design Methodologies                                  *
*                              9320 East Mikelyn Lane          *
* VRS Consulting, P.C.         Tucson, Arizona 85710           *
**************************************************************
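The size arithmetic Radu describes (the zone's NS records and the owner name all eating into the 512-byte UDP budget) and the probe-and-subtract procedure Dave proposes, worked through as an added example; this is not code from the thread or from the SPF compiler. It builds a BIND-style authoritative answer in RFC 1035 wire format (header, question, one TXT answer, NS records in the authority section, A glue in the additional section for nameservers inside the zone) with standard name compression, and then finds the longest TXT payload that keeps the whole response at or under 512 bytes. The names example.com, longer-domain.name.com, the ns1..ns5 hosts and the assumption that glue A records are added for in-zone nameservers are constructed for illustration; nothing here queries a real server.

```python
"""
Estimate how much TXT data fits in a 512-byte DNS/UDP answer (added example).

Models what an authoritative server puts on the wire for a TXT query:
header + question + TXT answer + NS records (AUTHORITY) + A glue for in-zone
nameservers (ADDITIONAL).  Header flags/counts are left zero because only the
byte count matters here.  Names below are constructed, not real zones.
"""
import struct

UDP_LIMIT = 512                     # classic DNS/UDP limit without EDNS0 (RFC 1035)
TYPE_A, TYPE_NS, TYPE_TXT = 1, 2, 16


class Response:
    """Minimal DNS message builder with RFC 1035 s4.1.4 name compression."""

    def __init__(self):
        self.buf = bytearray(12)     # 12-byte header: id, flags, four section counts
        self.offsets = {}            # name suffix -> offset of its first occurrence

    def put_name(self, name):
        labels = name.rstrip(".").lower().split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.offsets:             # tail already present: 2-byte pointer
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:             # pointers address only 14 bits
                self.offsets[suffix] = len(self.buf)
            raw = label.encode("ascii")
            self.buf += bytes([len(raw)]) + raw
        self.buf += b"\x00"                        # root label ends an uncompressed name

    def question(self, qname, qtype):
        self.put_name(qname)
        self.buf += struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

    def rr(self, name, rtype, write_rdata):
        """Append one RR; write_rdata appends RDATA itself so NS names can compress."""
        self.put_name(name)
        self.buf += struct.pack("!HHIH", rtype, 1, 3600, 0)   # TYPE, CLASS, TTL, RDLENGTH
        rdlen_at, start = len(self.buf) - 2, len(self.buf)
        write_rdata(self)
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - start)

    def txt(self, name, text):
        data = text.encode("ascii")
        # TXT RDATA is a sequence of <length><chars> strings, each at most 255 bytes,
        # so every extra 255 characters costs one more length byte.
        chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        self.rr(name, TYPE_TXT, lambda r: r.buf.extend(rdata))

    def ns(self, zone, host):
        self.rr(zone, TYPE_NS, lambda r: r.put_name(host))

    def a(self, host):
        self.rr(host, TYPE_A, lambda r: r.buf.extend(b"\x00\x00\x00\x00"))  # any IPv4


def response_size(owner, zone, nameservers, text, glue=True):
    """Wire size of the TXT answer plus the NS set and (assumption) in-zone A glue."""
    r = Response()
    r.question(owner, TYPE_TXT)
    r.txt(owner, text)
    for host in nameservers:
        r.ns(zone, host)
    if glue:
        for host in nameservers:
            if host.lower().endswith("." + zone.lower()):
                r.a(host)
    return len(r.buf)


def max_txt_len(owner, zone, nameservers, glue=True):
    """Longest TXT payload (bytes) that keeps the whole response within 512 bytes."""
    best, n = 0, 0
    while response_size(owner, zone, nameservers, "x" * n, glue) <= UDP_LIMIT:
        best, n = n, n + 1
    return best


def probe_estimate(record_len, packet_len):
    """The thread's shortcut: overhead = packet - record; limit = 512 - overhead."""
    return UDP_LIMIT - (packet_len - record_len)


def demo():
    zone, owner = "example.com", "_s4.example.com"
    ns3 = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]
    probe = probe_estimate(200, response_size(owner, zone, ns3, "x" * 200))
    return {
        "exact": max_txt_len(owner, zone, ns3),              # 363
        "probe": probe,                                      # 364: one byte optimistic
        "no_glue": max_txt_len(owner, zone, ns3, glue=False),
        "five_ns": max_txt_len(owner, zone, ns3 + ["ns4.example.com", "ns5.example.com"]),
        "longer_name": max_txt_len("_s4.longer-domain.name.com", "longer-domain.name.com",
                                   ["ns%d.longer-domain.name.com" % i for i in (1, 2, 3)]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things a practitioner should take from running demo(). First, the "probe once and subtract" procedure is one byte optimistic whenever the final record is longer than the 200-character probe and crosses a 255-character boundary, because TXT RDATA gains a second length byte there; probe with a record of the same string count, or subtract one per extra 255-character string. Second, each extra nameserver costs roughly 34 bytes in this model (an NS record plus its glue), and each extra byte of the owner name costs exactly one byte thanks to compression, which is why a fixed limit like 450 cannot be right for every zone. The model is only an approximation of what a given BIND version emits (AAAA glue, for instance, would cost more), so measuring the real packet with a resolver tool against the actual server remains the final check, and clients that negotiate EDNS0 are not bound by 512 bytes at all.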

