wayne wrote:
> My do-things-right reaction is that we should check to see
> what various resolvers do. If most of them abort after only,
> say, 2 CNAMEs, then I think we would be safe to do likewise.
> If they do 100 CNAMEs, well, maybe I'm missing a good reason
> why we should allow that many CNAMEs in a chain.
From your (you + Stuart) POV as implementor that's fascinating,
and you certainly will limit this somehow to avoid at least
loops. From the POV of a future PS I envision SPF as a layer
above DNS. Details of CNAME chains are explained in 1034/1035.
It's not the job of the SPF standard to "modify" / "update" /
"limit" this in any way - in theory we could for the SPF RR,
but not for TXT (incl. exp=). So saying nothing about it, or
maybe an "implementation note" with a reference to the relevant
section in 1034 (or wherever it is) should be good enough.
Or again from the POV of an implementor, the CNAME stuff is an
implementation detail of the DNS layer, for the SPF layer it
has to be invisible. Either it works or it doesn't (chain too
long, special case loop), SPF can handle both results, among
others (timeout / NXDOMAIN / truncated / etc.)
I'm still surprised that Stuart apparently works at a level,
where it's his decision to handle CNAME at all, and how. The
code doing this should be the same for all applications on top
of DNS, not only SPF / TXT, also DKIM, MX, A, whatever. But
there's an excellent chance that I just didn't get the problem.
Bye, Frank