spf-discuss

Re: IPv6 with 'a' or do we need 'aaaa' ? (Was: Re: Sending mail from dynamic IP-addresses with dynamic PTR hostnames, but constant EHLO/HELO hostnames)

2005-05-29 12:10:04
On 26/05/05, Jeroen Massar <jeroen(_at_)unfix(_dot_)org> wrote:
On Wed, 2005-05-25 at 14:29 -0400, Constantine A. Murenin wrote:
On 25/05/05, Bill Taroli <bill(_dot_)taroli(_at_)billsden(_dot_)org> wrote:
Constantine A. Murenin wrote:
<SNIP>

I got it, thanks! The SPF syntax page is very difficult to find, and
the description of what the SPF's 'a' directive does is somewhat
unclear, at least to me. Something like "the hostname that is
specified by the SPF's 'a' directive is resolved, and the resulting
IP-addresses are tested against the client IP-address [of the MTA]".
The keywords being here are "hostname is resolved". :-)

As of today, the page <URL:http://spf.pobox.com/mechanisms.html#a> reads:

"All the A records for /domain/ are tested. If the client IP is found
among them, this mechanism matches."

<IPv6 whine mode>

But what about IPv6?

Either there has to be an identical 'aaaa' mechanism for doing IPv6 or
the 'a' mechanism gets redefined so that it requires apps to also check
for a valid IPv6 address. The latter is impossible because:

host.example.com/48 is IPv6, but what about host.example.com/24 IPv4 or
IPv6?

Good point, actually. But I guess what it comes down to is that no-one
should be writing more than /32 for IPv6. Most delegations from RIPE
NCC are /33, /34, /35. They also have quite some delegations that are
/32, and a few /27, /29 -- but that is for the whole network of some
providers. Do you expect any of those providers to have milliards of
milliards of computers that are sending mail for one host? If so, they
should use the 'all' directive. :-)

I think it will be reasonable to do something like the following:
assume that IPv6 netmask number cannot be less than or equal to 32,
unless specifically said that it can: if someone intends to set a mask
for both IPv4 and IPv6, then one should write
a:host.example.org/24/48, where /24 refers to IPv4 and /48 refers to
IPv6. I.e. this can be made a part of the specification:
[/IPv4mask[/IPv6mask]] | [//IPv6mask] | [/IPv6maskAlwaysSane], where
IPv4mask and IPv6mask are any masks allowable by the standards, but
IPv6maskAlwaysSane cannot be less than or equal to 32.

I don't think that this should be a problem, and creating aaaa is only
going to produce more mess, specifically for those who don't set any
/24 or /48. If you are going to create aaaa, then you will also have
to create the mx equivalent that is going to be IPv6-friendly, and SPF
is going to be a complete mess.

http://cr.yp.to/djbdns/ipv6mess.html

As another alternative, one can assume that IPv4 a:host/24 means the
same as IPv6 /64, and IPv4 a:host/16 means IPv6 /48 etc. :-) This is
one more mess that most likely should not be considered. :-)

But the worst part: if you have any mechanism in the SPF rule which is
not understood/supported by SPF, the rule fails.

This leads people who require IPv6 to add a "~all" at the end, which
thus makes SPF quite, if not completely, useless.

Greets,
 Jeroen

(No closing tag indeed ;)
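
The mask grammar proposed in the message above, `[/IPv4mask[/IPv6mask]] | [//IPv6mask] | [/IPv6maskAlwaysSane]`, worked through as an added example; it is not part of the original post and not code from any SPF implementation. The function names, the sample addresses, and the rule that an omitted mask means an exact host match (/32 or /128) are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample data: addresses an A and an AAAA lookup of the host might return.
RESOLVED = ["192.0.2.25", "2001:db8:1:2::25"]

def parse_masks(suffix):
    """Return (ipv4_prefix, ipv6_prefix) for a suffix in the proposed grammar:
    [/IPv4mask[/IPv6mask]] | [//IPv6mask] | [/IPv6maskAlwaysSane]."""
    v4, v6 = 32, 128  # assumption: an omitted mask means an exact host match
    if suffix == "":
        return v4, v6
    m = re.fullmatch(r"/(\d*)(?:/(\d+))?", suffix, re.ASCII)
    if m is None or (m.group(1) == "" and m.group(2) is None):
        raise ValueError(f"malformed mask suffix: {suffix!r}")
    first, second = m.groups()
    if second is None:
        # A lone value is ambiguous; the proposal settles it by size:
        # anything above 32 can only be an IPv6 mask.
        n = int(first)
        if n <= 32:
            v4 = n
        else:
            v6 = n
    else:
        # Two-slot form: either slot may hold any legal mask, including IPv6 <= 32.
        if first:
            v4 = int(first)
        v6 = int(second)
    if v4 > 32 or v6 > 128:
        raise ValueError(f"mask out of range: {suffix!r}")
    return v4, v6

def a_matches(term, client_ip, resolved):
    """Test client_ip against the resolved addresses of an 'a' term,
    applying the IPv4 or IPv6 mask that fits the client's address family."""
    _, slash, rest = term.partition("/")
    v4, v6 = parse_masks(slash + rest)
    client = ipaddress.ip_address(client_ip)
    prefix = v4 if client.version == 4 else v6
    for addr in map(ipaddress.ip_address, resolved):
        if addr.version != client.version:
            continue
        if client in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
            return True
    return False
```

Under this reading a lone `/24` widens only the IPv4 side and leaves IPv6 at an exact match, while a lone `/48` does the reverse, which is the family-dependent behaviour a record author has to keep in mind when publishing a single mask.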

