spf-discuss

Re: [spf-discuss] Is this SPF record valid

2006-05-04 17:45:24


Alex van den Bogaerdt wrote:
On Thu, May 04, 2006 at 07:39:44PM -0400, Terry Fielder wrote:

Sorry, no. The whole point of putting the IP in the SPF record is that prior to the cutover to redundant connection the IP is a match, so you never do a DNS lookup on the A record (you return SPF pass or whatever mode assigned).

For mail that is going to PASS, and for implementations that do
not prefetch, true.

But SPF was designed to combat forgery so I think I am not way off
base to assume I actually do need to fetch those A records as the
ip4 mechanism did not match.  Once those A records are in my cache,
the domain has a problem as those A records point to the original
(now severed) link.

That's my point, once the link is severed, the A records are updated to the new IP, so the first time you NEED to fetch them they are already updated to the new IP. (Which takes advantage of the fact that one wouldn't fetch the A record before NEEDing to fetch the A record)

In a perfect world, this wouldn't matter. In a perfect world, prior to failure, the SPF would stop looking at the IP match, therefore the point is moot, just a little bit of text bandwidth wasted. (As long as that doesn't cause a SECOND DNS packet, the extra bandwidth is trivial.)

Terry


Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
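
The evaluation order discussed in this thread, as an added example (not code from either poster or from any SPF library): a minimal left-to-right evaluator for the `ip4`, `a` and `all` mechanisms, with a stub resolver that records which A lookups were actually made. The record, domain and addresses are constructed, and DNS caching and TTLs are not modelled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class CountingResolver:
    """Stub DNS: constructed zone data in a dict, plus a log of queries made."""
    def __init__(self, a_records):
        self.a_records = a_records   # name -> list of IPv4 strings
        self.queries = []            # names that were actually looked up

    def lookup_a(self, name):
        self.queries.append(name)
        return self.a_records.get(name, [])

def check_spf(record, domain, client_ip, resolver):
    """Evaluate a subset of SPF (ip4, a, all) left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # DNS is queried only if evaluation reaches this mechanism.
            addrs = resolver.lookup_a(arg or domain)
            matched = ip in [ipaddress.ip_address(a) for a in addrs]
        elif name == "all":
            matched = True
        else:
            return "permerror"       # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

RECORD = "v=spf1 ip4:192.0.2.10 a -all"   # constructed sample record
DOMAIN = "example.org"                    # constructed sample domain

def lookups_for(client_ip, current_a):
    """Return (SPF result, A queries made) given the A record currently published."""
    resolver = CountingResolver({DOMAIN: [current_a]})
    result = check_spf(RECORD, DOMAIN, client_ip, resolver)
    return result, resolver.queries
```

`lookups_for("192.0.2.10", "192.0.2.10")` returns `("pass", [])`, while a non-matching client such as `203.0.113.5` returns `("fail", ["example.org"])`: the A lookup happens only when `ip4` does not match.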