On Tue, 9 Aug 2005, wayne wrote:
> On Tue, 9 Aug 2005, Stuart D. Gathman wrote:
> > Exactly. There is only ever one PTR record looked up on an SPF query.
> > [...] There can be multiple PTR records for the IP. Sure, they
> > can usually all be returned in the same packet, but an implementation
> > might not validate the names until they match a mechanism. In which
> > case PTR should count as 1 each - just like the spec says - because each
> > matching PTR will cause an A record lookup to validate. [...]
> True, but there are two cases:
> 1) The ptr: mechanism matches, in which case the evaluation of the SPF
> record finishes.
> 2) The ptr: mechanism doesn't match, in which case all the PTR RRs
> will be checked. (Ok, at most 10 PTR RRs, but it will remain the
> same throughout.)
> So, if you ever hit a second ptr: mechanism, you are going to have
> done all the DNS lookups already.
Not true. The PTR mechanism matches a name. The name is in the PTR
record. You don't need to lookup the A record unless the name matches.
While it is simplest to validate all A records on the first PTR query
and discard the bad eggs (and that is what pyspf currently does), it
would be efficient to only validate the A record when the name actually
matches.
For instance, suppose the PTR records are thus:
1.2.3.4 PTR foo.bar.example.com.
1.2.3.4 PTR abc.def.example.com.
1.2.3.4 PTR baz.com.
All returned in a single DNS packet from the PTR query.
The connect ip is 1.2.3.4, and the SPF record evaluates
ptr:bar.com - no PTR matches, no A records fetched.
ptr:baz.com - last PTR matches, fetches A record for baz.com
baz.com A 1.2.3.5
A record doesn't match, so we continue
ptr:example.com - two PTR records match, we fetch their A records:
foo.bar.example.com A 1.2.3.4
that matches - we are done. We don't bother fetching the second A RR.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
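The lazy ptr: evaluation Stuart walks through above, as an added Python example (not code from the post, nor pyspf's own implementation); the resolver and the zone data are constructed stand-ins for real DNS so it runs offline, and the query log shows which A lookups are actually spent.

```python
# Constructed zone data standing in for real DNS answers (not real hosts).
PTR_RECORDS = {
    "1.2.3.4": ["foo.bar.example.com.", "abc.def.example.com.", "baz.com."],
}
A_RECORDS = {
    "foo.bar.example.com.": ["1.2.3.4"],
    "abc.def.example.com.": ["1.2.3.4"],
    "baz.com.": ["1.2.3.5"],
}

class Resolver:
    """Fake resolver that records every query it answers."""
    def __init__(self):
        self.queries = []

    def ptr(self, ip):
        self.queries.append(("PTR", ip))
        return PTR_RECORDS.get(ip, [])[:10]  # spec caps PTR RRs considered at 10

    def a(self, name):
        self.queries.append(("A", name))
        return A_RECORDS.get(name, [])

def name_in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def ptr_matches(resolver, ip, domain, cache):
    """Evaluate one ptr:<domain> mechanism for the connecting ip.
    The PTR answer is fetched once per SPF evaluation and cached; an A lookup
    is issued only for names that already match <domain>, and evaluation
    stops at the first name that forward-confirms to ip."""
    if "ptr" not in cache:
        cache["ptr"] = resolver.ptr(ip)
    for name in cache["ptr"]:
        if not name_in_domain(name, domain):
            continue  # non-matching name: no A lookup spent on it
        if ip in resolver.a(name):  # forward-confirm the matching name
            return True
    return False

def evaluate(resolver, ip, mechanisms):
    """Walk ptr: targets in order; return the first that matches, else None."""
    cache = {}
    for domain in mechanisms:
        if ptr_matches(resolver, ip, domain, cache):
            return domain
    return None
```

Running `evaluate(Resolver(), "1.2.3.4", ["bar.com", "baz.com", "example.com"])` reproduces the walk-through: one PTR query, an A query for baz.com. that fails to confirm, then one for foo.bar.example.com. that matches, and abc.def.example.com. is never looked up.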