spf-discuss

Re: John Levine says: SPF Loses Mindshare?

2005-08-04 03:00:21
In <873bpq2mf7(_dot_)fsf(_at_)deneb(_dot_)enyo(_dot_)de> Florian Weimer 
<fw(_at_)deneb(_dot_)enyo(_dot_)de> writes:

In <87zmry2rdw(_dot_)fsf(_at_)deneb(_dot_)enyo(_dot_)de> Florian Weimer 
<fw(_at_)deneb(_dot_)enyo(_dot_)de> writes:

Okay, what probably happened is that check_host() returned Neutral for
earthlink.net because there was no record, and "include:earthlink.net"
didn't match as a result.

check_host() should return PermError when there is an include: to a
domain that doesn't have an SPF record.  See section 5.2.

check_host() returns PermError when there's no SPF record for the
domain?  Interesting, so existing SPF implementations must have some
special case for the "no SPF record" case (see the comment about
SoftFail below).

Ok, yeah, check_host() returns None, 

I don't think this follows from the specification.  "None" is only
returned when the name server returns NXDOMAIN, but not for the
(artificial) NODATA failure (no error, empty answer section).

If this is not changed, a very complex procedure is required for
updating SPF records which contain "include" mechanisms, at least if
you want to avoid bounces.

I guess I don't see what the problem is.  Can you elaborate on what is
so hard about updating the SPF records?

Okay, I'll give an example.  Suppose you just published the following
two DNS records:

spfv1.example.net.  IN TXT "v=spf1 a mx ?all"
example.net.        IN TXT "v=spf1 include:spfv1.example.net ?all"

There are two authoritative name servers for example.net,
ns1.example.net and ns2.example.net.  Assume that ns2.example.net has
not been updated yet (there's always some propagation delay for
updates).  A client resolves the example.net/IN/TXT from
ns.example.net, parses it, and looks up the referenced record
spfv1.example.net/IN/TXT.  The resolver decides to fetch this record
from ns2.example.net for load-balancing purposes, and gets a NXDOMAIN
error.  Hence the SPF check returns PermError, even though this is
just a temporary error condition.
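The behaviour argued over in this thread can be reproduced offline with a small check_host() model. The following is an added example, not code from the thread or from any SPF implementation: it implements only the ip4, include: and all mechanisms, applies the include: result table from RFC 4408 section 5.2 (a recursive result of None, i.e. no SPF record, throws PermError; TempError propagates as TempError), and replaces real DNS with a constructed zone fixture. The example.net records from the post are reused with "a mx" swapped for an assumed ip4 range so that no live lookups are needed; the sentinel values NXDOMAIN, NODATA and TEMPFAIL are this example's own way of modelling resolver outcomes.

```python
"""Toy SPF check_host() illustrating RFC 4408 include: semantics.
Added example for the spf-discuss thread; not a reference implementation.
Supported mechanisms: ip4, include:, all (a/mx/ptr/exists/ip6 are not modelled)."""
import ipaddress

# Sentinels modelling resolver outcomes (constructed for this example).
NXDOMAIN = "NXDOMAIN"   # name does not exist at all
NODATA = "NODATA"       # name exists but has no TXT records
TEMPFAIL = "TEMPFAIL"   # SERVFAIL, timeout, etc.

# Constructed zone fixture: domain -> list of TXT strings or a sentinel.
ZONE = {
    "spfv1.example.net": ["v=spf1 ip4:192.0.2.0/24 ?all"],      # assumed range
    "example.net": ["v=spf1 include:spfv1.example.net ?all"],
    "nospf.example.org": ["just some unrelated TXT record"],
    "bad.example.org": ["v=spf1 include:spfv1.example.net "
                        "include:missing.example.org -all"],
    "missing.example.org": NXDOMAIN,
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
# RFC 4408 s5.2: only a recursive Pass makes include: match;
# Fail/SoftFail/Neutral do not match; errors and None are thrown.
INCLUDE_MATCHES = {"Pass": True, "Fail": False, "SoftFail": False, "Neutral": False}


class DnsTempFail(Exception):
    """Raised when the fake resolver models a temporary DNS failure."""


def lookup_txt(domain, zone):
    """Return the TXT strings for domain; [] for NXDOMAIN/NODATA (both look
    like 'no record' to the SPF layer); raise on a temporary failure."""
    rec = zone.get(domain, NXDOMAIN)
    if rec == TEMPFAIL:
        raise DnsTempFail(domain)
    if rec in (NXDOMAIN, NODATA):
        return []
    return rec


def check_host(ip, domain, zone, depth=0):
    """Evaluate the SPF record of domain for sender ip; returns the RFC 4408
    result string. `zone` is the fake DNS view used for this evaluation."""
    if depth > 10:                      # crude recursion guard (s10.1 limits)
        return "PermError"
    try:
        txts = lookup_txt(domain, zone)
    except DnsTempFail:
        return "TempError"
    spf = [t for t in txts if t.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:                         # no SPF record at all -> None (s4.5)
        return "None"
    if len(spf) > 1:                    # more than one record -> PermError (s4.5)
        return "PermError"
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, zone, depth + 1)
            if sub == "None":           # included domain has no record
                return "PermError"      # s5.2 table: None -> PermError
            if sub in ("TempError", "PermError"):
                return sub              # s5.2 table: errors propagate
            if INCLUDE_MATCHES[sub]:
                return QUALIFIERS[qual]
        elif name in ("a", "mx", "ptr", "exists", "ip6"):
            raise NotImplementedError(name + " is not modelled in this example")
        else:
            return "PermError"          # unknown mechanism (s4.6.1)
    return "Neutral"                    # fell off the end (s4.7)


def propagation_views(ip):
    """The post's scenario: ns1 already serves both new records while ns2 has
    not yet seen spfv1.example.net. The same sender gets a different result
    depending on which server the resolver asks for the included record."""
    stale_ns2 = dict(ZONE, **{"spfv1.example.net": NXDOMAIN})
    dns_tempfail = dict(ZONE, **{"spfv1.example.net": TEMPFAIL})
    return {
        "consistent": check_host(ip, "example.net", ZONE),
        "stale_ns2": check_host(ip, "example.net", stale_ns2),
        "dns_tempfail": check_host(ip, "example.net", dns_tempfail),
    }


if __name__ == "__main__":
    print(propagation_views("192.0.2.10"))
    # {'consistent': 'Pass', 'stale_ns2': 'PermError', 'dns_tempfail': 'TempError'}
```

The propagation_views() output makes the practical difference visible: an NXDOMAIN answer from the lagging server turns into PermError, which receivers commonly treat as a permanent rejection, while a SERVFAIL or timeout becomes TempError, which receivers normally defer and retry. The defensive consequence for operators is the usual one for any referenced record: publish and fully propagate the included record before the referencing record starts pointing at it, and keep it published until nothing references it any more.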