spf-discuss

Re: Updating SPF type99 and TXT RR's: Simultaneity is not guaranteed.

2005-08-11 12:04:07
In <878xz8y59i.fsf@mid.deneb.enyo.de> Florian
Weimer <fw@deneb.enyo.de> writes:

> * Mark Shewmaker:
>
>> Section 4.5. of the spec, "Selecting Records" says that if you're
>> querying for both SPF and TXT record types that:
>>
>> |   2.  If there are both SPF and TXT records in the set and if
>> |       they are not all identical, return a "PermError".
>>
>> This leads to a problem.
>
> Indeed.  Unfortunately, SPF as specified is riddled with similar
> problems:
>
>   <http://www.enyo.de/fw/software/exim/spf-update.html>

I think your example of how to switch the IP address of a mail server
is much more complicated than it needs to be.

Your problem description is:

    Suppose that you currently publish the following DNS records for enyo.de:
    
    enyo.de.       172800  IN TXT  "v=spf1 mx -all"
    enyo.de.       172800  IN SPF  "v=spf1 mx -all"
    enyo.de.       172800  IN MX   10 mail.enyo.de.
    mail.enyo.de.  172800  IN A    212.9.189.167
    
    You want to change the IP address of mail.enyo.de from
    212.9.189.167 to 212.9.189.169. So the new configuration should look
    like this: 
    
    enyo.de.       172800  IN TXT  "v=spf1 mx -all"
    enyo.de.       172800  IN SPF  "v=spf1 mx -all"
    enyo.de.       172800  IN MX   10 mail.enyo.de.
    mail.enyo.de.  172800  IN A    212.9.189.169
    

Ok, here is what you do:

1) Add a new A record:

   mail.enyo.de.  A  212.9.189.169
   mail.enyo.de.  A  212.9.189.167

   Make sure that your box responds to both IP addresses, or if you
   have two boxes, that they both work.

   You might want to change to a short TTL here if you are in a hurry.

2) Wait for the old, single A record RR-set to expire (e.g. the TTL)

3) Stop sending email from 212.9.189.167 and start sending email
   from 212.9.189.169.

4) Wait for a while so that all email that might think it came from
   the old address has either been delivered or bounced.

5) Remove the 212.9.189.167 A record.

   If you shortened your TTL in step 1, set it back to normal.

6) Wait for the transitional, double A record RR-set to expire.

7) Disable the old IP address.


Note that this doesn't require updating your SPF record at all.

Note that this correctly deals with the transition for the MX record,
which you didn't really address.


-wayne
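The two points in this thread, the record-selection rule quoted from section 4.5 and the claim that the IP move above never has to touch the SPF record, can both be checked against a stub resolver. The following is an added example written for this archive page; it is not code from Wayne, Florian, or any SPF implementation. The zone snapshots are constructed to match the records quoted above, the `mx` lookup follows the zone's MX and A rdata directly (no live DNS), and the evaluator supports only the `mx`, `a`, `ip4` and `all` mechanisms, which is all the quoted record needs. The PermError rule implemented is the one quoted from the draft on this page, not the later RFC 4408 wording.

```python
"""Toy check_host() for "v=spf1 mx -all" over the IP-move procedure above.

Zone data below is constructed for the example; nothing is resolved live.
"""
import ipaddress

OLD_IP = "212.9.189.167"
NEW_IP = "212.9.189.169"
DOMAIN = "enyo.de."

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def make_zone(mail_a, txt="v=spf1 mx -all", spf="v=spf1 mx -all"):
    """Constructed zone snapshot: (owner, rrtype) -> list of rdata strings."""
    return {
        (DOMAIN, "TXT"): [txt],
        (DOMAIN, "SPF"): [spf],          # type99 record
        (DOMAIN, "MX"): ["10 mail.enyo.de."],
        ("mail.enyo.de.", "A"): list(mail_a),
    }


def select_record(zone, domain):
    """Record selection as quoted from section 4.5 of the draft.

    Keep SPF and TXT records whose version section is exactly "v=spf1".
    If both types are present and not all identical, the result is
    PermError.  Returns (record, error); exactly one of them is None.
    """
    spf = [r for r in zone.get((domain, "SPF"), []) if r.split(" ")[0] == "v=spf1"]
    txt = [r for r in zone.get((domain, "TXT"), []) if r.split(" ")[0] == "v=spf1"]
    if not spf and not txt:
        return None, "None"
    if spf and txt and len(set(spf + txt)) != 1:
        return None, "PermError"
    chosen = spf or txt
    if len(set(chosen)) != 1:           # several differing records of one type
        return None, "PermError"
    return chosen[0], None


def check_host(zone, ip, domain):
    """Evaluate the selected record for connecting address `ip`."""
    record, err = select_record(zone, domain)
    if err:
        return err
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in zone.get((arg or domain, "A"), [])
        elif mech == "mx":
            # Follow each MX target's A records; rdata is "<pref> <host>".
            matched = any(ip in zone.get((mx.split()[1], "A"), [])
                          for mx in zone.get((arg or domain, "MX"), []))
        else:
            return "PermError"          # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qual]
    return "Neutral"                    # no term matched and no "all"


def transition_results():
    """check_host() for the active sender at each phase of the procedure."""
    phases = [
        ("before",                        make_zone([OLD_IP]),         OLD_IP),
        ("steps 1-2: both A records",     make_zone([OLD_IP, NEW_IP]), OLD_IP),
        ("step 3: send from new IP",      make_zone([OLD_IP, NEW_IP]), NEW_IP),
        ("step 4: late mail from old IP", make_zone([OLD_IP, NEW_IP]), OLD_IP),
        ("steps 5-7: old A removed",      make_zone([NEW_IP]),         NEW_IP),
    ]
    return [(name, ip, check_host(zone, ip, DOMAIN)) for name, zone, ip in phases]


def premature_removal_result():
    """Skipping step 4: old A gone while mail still leaves from the old IP."""
    return check_host(make_zone([NEW_IP]), OLD_IP, DOMAIN)


def mismatch_result():
    """TXT updated to an ip4 record while the type99 copy still says mx:
    the non-simultaneity problem from the subject line."""
    zone = make_zone([NEW_IP], txt="v=spf1 ip4:%s -all" % NEW_IP)
    return check_host(zone, NEW_IP, DOMAIN)


if __name__ == "__main__":
    for name, ip, result in transition_results():
        print("%-32s %-15s %s" % (name, ip, result))
    print("step 4 skipped:", premature_removal_result())
    print("TXT/SPF mismatch:", mismatch_result())
```

Every phase of Wayne's procedure returns Pass with the SPF record untouched, because `mx` is resolved through the MX and A records that the procedure changes; dropping the old A record before late mail from the old address has drained (skipping step 4) yields Fail, and updating one record type before the other yields PermError regardless of which address the mail comes from.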