
Need for Wildcards

2005-04-04 01:12:30
At 03:23 PM 4/2/2005 -0800, Phillip Hallam-Baker wrote:

It is actually possible to overcome the issues raised with wildcards
using a combination of wildcards and macros as described in the attached
document.

Good paper.  Thanks.

In the context of my original question (setting up special subdomains like _SPF1.<domain>), I'm still puzzled as to why we would want wildcards. A query to _SPF1.<sub>.<domain> should produce a Reject, unless the domain owner has specifically created a record for this subdomain.

I think of SPF records as a "license" to operate a public mail server. We don't want every subdomain to automatically inherit the license. For a large organization like rr.com, I can see the need for a dozen or so licenses, but most companies would have just one.

As for the DoS attack using a query to a.a.a.a.a.a.a.a ... <domain>, limit the licensed domains to three levels (ece.arizona.edu). Most companies operating a public mail server will want a short simple name anyway. It will also make life simpler for email reputation services, if they don't have to track numerous subdomains with different reputations.

Companies that really want to delegate public mail serving authority to the lowest levels can use "flattened" names to authorize those servers. server17.ece.arizona.edu might show its email ID as "server17_ece.arizona.edu". (More likely, it would simply use the central mail server at arizona.edu.)

-- Dave
************************************************************     *
* David MacQuigg, PhD      email:  dmquigg-spf at yahoo.com      *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                   9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.              Tucson, Arizona 85710        *
************************************************************     *


> -----Original Message-----
> From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of
> william(at)elan.net
> Sent: Friday, April 01, 2005 8:34 PM
> To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> Subject: Re: [spf-discuss] Re: Need for a new SPF record type
>
> On Sat, 2 Apr 2005, Frank Ellermann wrote:
>
> > David MacQuigg wrote:
> >
> >> Is there any reason not to set up subdomains like _SPF1.<domain> ?
> >
> > Discussed on mxcomp (the former MARID list) many times. One problem
> > is obvious: if you can do something with the records for FQDN, it
> > doesn't necessarily mean that you can also do something with _SPF.FQDN.
> > And the DNS crowd hated the idea.
>
> Let's be clear about something. The "DNS crowd" hated the idea of
> (ab)use of TXT records and did not think that a prefix addressed their
> concerns (they are quite right). However, when presented with the choice
> between no prefix and prefix, they all agree that a prefix is slightly
> more preferable and less likely to lead to collisions.
>
> At mxcomp the split was even 50/50 between those who wanted and did
> not want it when this question was raised directly by the group chair,
> and almost every technically sound argument was for the prefix; however,
> a large number of SPF folks there did not want it, and the main reasons
> presented were that their registrar or DNS provider did not support "_"
> in subdomains.
>
> > Another problem is less obvious: it doesn't work well with wildcards.
> > For almost all foobar.claranet.de (excl. names like pop, www, and a
> > few other exceptions) you get the same wildcard policy as for
> > xyzzy.claranet.de.
>
> It was shown, after some people said that a prefix could help with
> wildcard issues, that using a prefix does not help. However, saying that
> they do not work well with wildcards is wrong: they work no better or
> worse than no prefix.
>
> > Of course this also covers _SPF.foobar and _SPF.xyzzy, but the
> > potential advantage of the prefix is lost.
>
> No, the potential is still there, as they provide for less chance of
> collisions.
>
>
> > Please check the mxcomp archive for more details and better
> > explanations.
>
> The very large thread started by this post will give you an idea of the
> issues and the following discussions on where prefixes do and do not
> help:
>   http://www.imc.org/ietf-mxcomp/mail-archive/msg03641.html
>
> >> when the query for _SPF1.<domain> arrives at <domain>, that the
> >> nameserver at <domain> will be smart enough to return the final
> >> result.
>
> Impossible unless you can get this through the DNS IETF WG and, as I
> noted, this takes 5 years (and it must be a general DNS feature because
> the same DNS zone may be XFERed to a DNS server that runs different
> software and all servers must function the same, in theory at least).
>
> > Servers aren't smart, they implement protocols if you're lucky. Most
> > of the time they only pretend to implement a protocol. ;-)
>
> If that was not so sad to hear, it would be funny how true it is :)
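A toy model of the two zone layouts debated above, added here as an example; it is not code from anyone in this thread. It models Frank's wildcard zone (one policy for every subdomain, a few explicit exceptions) next to Dave's explicit _SPF1 "licenses" with a three-level limit. The zone contents, the policy:/license: strings and the MAX_LABELS value are constructed assumptions. The matcher follows the usual DNS wildcard rule (the wildcard child of the closest existing ancestor applies), which is enough to reproduce William's point that a prefix does not escape a wildcard: _spf.foobar.claranet.de lands on the same wildcard record as foobar.claranet.de. The explicit zone, by contrast, rejects deep names before any lookup and rejects unlisted subdomains because it publishes no wildcard.

```python
"""Toy model of a wildcard SPF zone versus explicit, depth-limited _SPF1
records. Added example, not code from the thread's authors. Zone data,
policy strings and the three-label limit are constructed."""
from typing import Dict, Optional, Set, Tuple

# Constructed zone in the claranet.de style: a wildcard policy for every
# subdomain, with www as an explicit exception.
WILDCARD_ZONE: Dict[str, str] = {
    "claranet.de": "policy:apex",
    "*.claranet.de": "policy:wildcard",
    "www.claranet.de": "policy:www-only",
}


def _existing_names(zone: Dict[str, str]) -> Set[str]:
    """Every owner name in the zone plus its ancestors (empty non-terminals)."""
    names: Set[str] = set()
    for owner in zone:
        parts = owner.split(".")
        for i in range(len(parts)):
            names.add(".".join(parts[i:]))
    return names


def lookup_txt(zone: Dict[str, str], name: str) -> Optional[str]:
    """Resolve a name with DNS-style wildcard matching: an exact match wins;
    otherwise the wildcard child of the closest encloser (the longest
    ancestor that exists in the zone) applies, if such a wildcard exists."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    existing = _existing_names(zone)
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:
            return zone.get("*." + ancestor)  # None when no wildcard lives here
    return None


PREFIX = "_spf1"
MAX_LABELS = 3  # constructed limit: license names no deeper than ece.arizona.edu

# Constructed zone with explicit licenses only and no wildcard. The
# server17_ece label is the "flattened" name described above.
EXPLICIT_ZONE: Dict[str, str] = {
    "_spf1.arizona.edu": "license:central-mail",
    "_spf1.ece.arizona.edu": "license:ece-mail",
    "_spf1.server17_ece.arizona.edu": "license:server17",
}


def license_for(zone: Dict[str, str], sender_domain: str) -> Tuple[str, str]:
    """Decide whether sender_domain holds a mail-server 'license'.
    Names deeper than MAX_LABELS are rejected before any lookup, so an
    a.a.a.a...<domain> probe costs no DNS work; everything else needs an
    explicit _spf1 record, because this zone publishes no wildcard."""
    domain = sender_domain.lower().strip(".")
    if len(domain.split(".")) > MAX_LABELS:
        return ("reject", "name too deep")
    record = lookup_txt(zone, f"{PREFIX}.{domain}")
    if record is None:
        return ("reject", "no license record")
    return ("accept", record)


if __name__ == "__main__":
    # The prefix does not escape the wildcard: both names get the wildcard policy.
    for n in ("foobar.claranet.de", "_spf.foobar.claranet.de", "_spf.www.claranet.de"):
        print(n, "->", lookup_txt(WILDCARD_ZONE, n))
    for d in ("ece.arizona.edu", "server17.ece.arizona.edu",
              "server17_ece.arizona.edu", "a.a.a.a.a.a.arizona.edu", "xyz.arizona.edu"):
        print(d, "->", license_for(EXPLICIT_ZONE, d))
```

Running the block prints both tables: in the wildcard zone the prefixed and unprefixed names resolve identically, while in the explicit zone only the three listed names are accepted, and the deep probe is refused without a lookup.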


