Re: Use of New Mask Mechanism
2005-03-26 12:58:25
At 11:53 AM 3/26/2005 -0500, Radu wrote:

> David MacQuigg wrote:
>
> Masks should be added to a list of IPs, only if that list is already too
> long to fit in one 512-byte DNS response message. In this case, a mask
> may allow the SPF check to return a FAIL without initiating a TCP
> connection to retrieve the full DNS message.
>
> The compiler currently has an option to specify the max length of an
> output SPF string, in case a name server has a lower limit for the length
> of TXT records.
>
> So the number of characters allowed by the name server software will
> dictate the max length of string that the compiler is configured to
> produce. Since the mask has to be in the first record, it will cause the
> compiler to shorten the number of bytes used for mechanisms such that
> the top record, including the mask and any other modifiers, fits within the
> server's TXT record limit.
>
> I am afraid it won't be so easy to provide a clear number like "450".
> Bind insists on providing the NS records for the zone with every response.
> The more you have, the less room is available for the TXT record. Also,
> when the domain name is longer, that takes some space away too. I.e., in the
> response packet of _s4.ohmi.org, the name takes up 13 bytes, but for a
> _s4.longer-domain.name.com, it takes more space, leaving less available
> for the TXT record.
>
> It looks to me like it will take some work to figure out how many bytes
> are available for the TXT record, and what all the variables are.
>
> At ohmi I use 3 name servers and BIND, and the biggest TXT record I can
> fit into a 512-byte UDP packet is 357 bytes. YMMV, but it proves that even
> a seemingly conservative limit (450 or 400) is not always appropriate. If
> I had more slave name servers or a longer domain name, my usable TXT space
> would be even less.
>
> So I suspect that for sites that compile their record with a cron job,
> they should find a value for the -len parameter that works on their
> system. Alternately, the compiler should automatically figure it out.

If we want the compiler to run independently of any nameserver, and avoid
the problems we will encounter with patches or upgrades, we need a very
simple procedure to determine the record length. If your first SPF record
is 200 characters, and the resulting DNS packet is 250, then you know the
"overhead" is 50 characters, and you should set the maximum length for the
compiler at (512 - 50).

I'm not familiar with the operational details of nameservers. Is the above
procedure something we can recommend?
-- Dave

************************************************************
* David MacQuigg, PhD          email: dmquigg-spf at yahoo.com
* IC Design Engineer           phone: USA 520-721-4583
* Analog Design Methodologies
* 9320 East Mikelyn Lane
* VRS Consulting, P.C.         Tucson, Arizona 85710
************************************************************
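The message above proposes measuring the "overhead" of a TXT response (packet size minus record length) and subtracting it from 512, while Radu's quoted text lists the variables that eat into that budget (the NS records BIND adds to the authority section, the length of the queried name). The following Python model, added here as an illustration and not code from this list or from the SPF compiler, builds a BIND-style reply in wire format (question, one TXT answer, the zone's NS records in the authority section, optionally A glue in the additional section) with RFC 1035 name compression, and then searches for the longest TXT string that still fits in a 512-byte UDP payload. The zone names, NS hostnames, TTL and glue address are constructed for the example; EDNS0 is assumed absent.

```python
"""Model the size of a DNS TXT response to see how much SPF text fits in 512 bytes.

Added example (not from the mailing list or the SPF compiler). Assumes a
BIND-style reply: question, one TXT answer, the zone's NS records in the
authority section and, optionally, one A glue record per NS in the
additional section; RFC 1035 suffix compression; no EDNS0.
"""
import struct

UDP_LIMIT = 512   # RFC 1035 UDP payload limit when EDNS0 is not negotiated
TYPE_A, TYPE_NS, TYPE_TXT, CLASS_IN = 1, 2, 16, 1


class Packet:
    """Minimal DNS wire-format writer with RFC 1035 suffix compression."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}   # lower-cased name suffix -> offset of its first label

    def name(self, name):
        labels = [lab for lab in name.strip(".").split(".") if lab]
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:]).lower()
            if suffix in self.offsets:             # emit a 2-byte pointer and stop
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x3FFF:             # pointers address only 14 bits
                self.offsets[suffix] = len(self.buf)
            raw = label.encode("ascii")
            self.buf += bytes([len(raw)]) + raw
        self.buf += b"\x00"                        # root label terminates the name

    def rr(self, owner, rtype, rdata):
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, 3600)   # TTL is an assumption
        lenpos = len(self.buf)
        self.buf += b"\x00\x00"                    # RDLENGTH, patched after writing RDATA
        rdata(self)
        self.buf[lenpos:lenpos + 2] = struct.pack("!H", len(self.buf) - lenpos - 2)


def txt_rdata(text):
    """TXT RDATA is one or more <length><chars> strings of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]

    def write(p):
        for c in chunks:
            p.buf += bytes([len(c)]) + c
    return write


def response_size(qname, zone, txt, ns_targets, glue=False):
    """Bytes in a response for `qname TXT` carrying `txt` plus the zone's NS records."""
    p = Packet()
    arcount = len(ns_targets) if glue else 0
    p.buf += struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, len(ns_targets), arcount)
    p.name(qname)                                  # question section
    p.buf += struct.pack("!HH", TYPE_TXT, CLASS_IN)
    p.rr(qname, TYPE_TXT, txt_rdata(txt))          # answer section
    for target in ns_targets:                      # authority section (what BIND adds)
        p.rr(zone, TYPE_NS, lambda p, t=target: p.name(t))
    if glue:                                       # additional section: constructed A glue
        for target in ns_targets:
            p.rr(target, TYPE_A, lambda p: p.buf.extend(bytes([192, 0, 2, 1])))
    return len(p.buf)


def txt_overhead(qname, zone, sample_txt, ns_targets, glue=False):
    """The rule of thumb from the message: packet size minus the record length."""
    return response_size(qname, zone, sample_txt, ns_targets, glue) - len(sample_txt)


def max_txt_length(qname, zone, ns_targets, glue=False):
    """Largest TXT string whose response still fits in a 512-byte UDP payload."""
    best = 0
    for n in range(UDP_LIMIT + 1):                 # size grows monotonically with n
        if response_size(qname, zone, "x" * n, ns_targets, glue) <= UDP_LIMIT:
            best = n
        else:
            break
    return best


if __name__ == "__main__":
    ns = ["ns1.ohmi.org", "ns2.ohmi.org", "ns3.ohmi.org"]   # constructed NS names
    for glue in (False, True):
        print("glue" if glue else "no glue",
              "overhead:", txt_overhead("_s4.ohmi.org", "ohmi.org", "x" * 200, ns, glue),
              "max TXT:", max_txt_length("_s4.ohmi.org", "ohmi.org", ns, glue))
```

Two things the model makes visible: the overhead is not quite constant, because a TXT record longer than 255 bytes must be split into a second character-string, which costs an extra length byte, so an overhead measured with a short record underestimates by one for long ones; and adding glue A records for three name servers costs 16 bytes each, which is why the measured budget for a real zone can be well under the "512 minus overhead" figure obtained from a minimal reply. The safe procedure is to measure against the real server's response for the longest record that will ever be published, or to keep the first record short enough that the remaining variables cannot matter.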