spf-discuss

RE: CNAME limit

2005-07-22 06:04:15
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Stuart 
D. Gathman
Sent: Thursday, July 21, 2005 10:29 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] CNAME limit


On Thu, 21 Jul 2005, Scott Kitterman wrote:

> That tends, I think, to reinforce the interpretation that CNAME chains are
> disallowed by RFC 2181.

Not by my reading.

> So, a conservative approach, that a validator might take, would be
> PermError if they hit a chain, because receivers might do that based on
> 2181, but, even though 2181 is 8 years old, it's not entirely clear and so
> an operational checker would likely want to be more liberal.....

Your suggestion is equivalent to a max chain length of 1.

I still say that CNAME chains are in the same category with MX and PTR.
For all three, the DNS server typically packs all the records into a single
packet.  For all three, the length of the list (or chain) is arbitrary.
For MX and PTR, SPF looks at the first 10 only.  I maintain that
SPF should look at the first 10 in a CNAME chain also.  Whether the
result should be PermErr, or equivalent to NX_DOMAIN, is open to question.

Actually, given the way the other mechanisms work, it should be NX_DOMAIN I
think.  This is another one of those cases where mechanism evaluation is
potentially silently incomplete.

Scott K
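The two positions in the thread (a chain limit of 1 versus the MX/PTR-style limit of 10, and PermError versus an NXDOMAIN-equivalent when the limit is exceeded) can be made concrete with a small chain-following routine. This is an added example, not code from the thread or from any SPF implementation; it assumes an in-memory zone table in place of real DNS lookups, models PermError as a Python exception, and models the NXDOMAIN-equivalent outcome as `None`. The hop-limit constant, the `on_overflow` switch, and the sample names under `example.com.` are all constructed for illustration.

```python
"""Follow a CNAME chain under a fixed hop limit (added example, not from the thread).

The thread proposes treating CNAME chains like MX/PTR lists: look at the first
10 only. Beyond that, the result is either a PermError or an NXDOMAIN-equivalent.
This module models both choices; the zone data below is constructed sample data.
"""

CNAME_CHAIN_LIMIT = 10  # proposed limit, mirroring SPF's MX/PTR limit (assumption)


class SPFPermError(Exception):
    """Models the PermError outcome when a chain exceeds the limit."""


# Constructed in-memory zone: name -> ("CNAME", target) or ("TXT", text).
ZONE = {
    "example.com.": ("TXT", "v=spf1 -all"),
    "alias1.example.com.": ("CNAME", "example.com."),          # chain of 1
    "alias2.example.com.": ("CNAME", "alias1.example.com."),   # chain of 2
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),   # CNAME loop
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
    "dangling.example.com.": ("CNAME", "nowhere.example.com."),  # target absent
}

# Constructed chain hop0 -> hop1 -> ... -> hop11 -> example.com. (12 CNAMEs).
for i in range(12):
    target = f"hop{i + 1}.example.com." if i < 11 else "example.com."
    ZONE[f"hop{i}.example.com."] = ("CNAME", target)


def resolve_txt(name, zone=ZONE, max_chain=CNAME_CHAIN_LIMIT, on_overflow="nxdomain"):
    """Return the TXT text reached after following CNAMEs from `name`.

    Returns None when the name (or a CNAME target) does not exist, i.e. the
    NXDOMAIN-equivalent result. When more than `max_chain` CNAMEs are seen:
      on_overflow="nxdomain"  -> return None (Scott's preferred outcome)
      on_overflow="permerror" -> raise SPFPermError
    A CNAME loop is not special-cased: it simply exhausts the hop budget.
    """
    hops = 0
    current = name
    while True:
        rr = zone.get(current)
        if rr is None:
            return None                      # NXDOMAIN-equivalent
        rtype, rdata = rr
        if rtype == "TXT":
            return rdata
        # rtype == "CNAME": count the hop before following it
        hops += 1
        if hops > max_chain:
            if on_overflow == "permerror":
                raise SPFPermError(f"CNAME chain from {name} exceeds {max_chain} hops")
            return None                      # treated like NX_DOMAIN
        current = rdata


if __name__ == "__main__":
    for n in ("alias1.example.com.", "alias2.example.com.", "hop2.example.com.",
              "hop1.example.com.", "loop-a.example.com.", "dangling.example.com."):
        print(f"{n:25} limit=10 -> {resolve_txt(n)!r}  limit=1 -> {resolve_txt(n, max_chain=1)!r}")
```

With the default limit of 10, `hop2.example.com.` (exactly 10 CNAMEs) resolves while `hop1.example.com.` (11 CNAMEs) does not, which is the "first 10 only" behaviour the thread argues for; with `max_chain=1`, the single-CNAME alias resolves and the two-link chain is rejected, which is the conservative reading. Switching `on_overflow` shows the same inputs under the PermError interpretation instead.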
