Alex van den Bogaerdt wrote:
> On Thu, May 04, 2006 at 07:39:44PM -0400, Terry Fielder wrote:
> > Sorry, no. The whole point of putting the IP in the SPF record is that
> > prior to the cutover to redundant connection the IP is a match, so you
> > never do a DNS lookup on the A record (you return SPF pass or whatever
> > mode assigned).
>
> For mail that is going to PASS, and for implementations that do
> not prefetch, true.
>
> But SPF was designed to combat forgery so I think I am not way off
> base to assume I actually do need to fetch those A records as the
> ip4 mechanism did not match. Once those A records are in my cache,
> the domain has a problem as those A records point to the original
> (now severed) link.

That's my point: once the link is severed, the A records are updated to
the new IP, so the first time you NEED to fetch them they are already
updated to the new IP. (Which takes advantage of the fact that one
wouldn't fetch the A record before NEEDing to fetch the A record.)

In a perfect world, this wouldn't matter. In a perfect world, prior to
failure, the SPF would stop looking at the IP match, therefore the point
is moot, just a little bit of text bandwidth wasted. (As long as that
doesn't cause a SECOND DNS packet, the extra bandwidth is trivial.)

Terry

> Alex
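The caching behaviour the two of you are debating, as an added illustration (not code from this thread or from any SPF implementation; the zone data, addresses and the toy evaluator are made up). It shows that an "ip4" match costs no DNS query, that a forged message is what pulls the A record into the cache, and that the cached answer then outlives the cutover until its TTL expires:

```python
import ipaddress

# Constructed toy SPF evaluator with a TTL-respecting DNS cache; not code from
# the participants or from any SPF library. Zone data and addresses are hypothetical.
ZONE = {"mail.example.org": ("192.0.2.10", 3600)}     # name -> (A value, TTL)
SPF = "v=spf1 ip4:192.0.2.10 a:mail.example.org -all"   # ip4 = pre-failover IP
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Serves A answers from cache until TTL expiry; counts upstream queries."""
    def __init__(self, zone):
        self.zone, self.cache, self.lookups = zone, {}, 0

    def a(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                     # possibly stale: Alex's concern
        self.lookups += 1
        value, ttl = self.zone[name]
        self.cache[name] = (value, now + ttl)
        return value


def check_spf(record, client_ip, resolver, now):
    """Evaluate mechanisms left to right and stop at the first match."""
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":                     # pure comparison, no DNS traffic
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg)
        elif mech == "a":                     # the lookup the thread argues about
            matched = resolver.a(arg, now) == client_ip
        elif mech == "all":
            matched = True
        else:
            raise ValueError("unsupported mechanism: " + mech)
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def failover_scenario():
    r = Resolver(dict(ZONE))
    legit = check_spf(SPF, "192.0.2.10", r, now=0)       # ip4 matches: no lookup
    forged = check_spf(SPF, "203.0.113.5", r, now=0)     # forgery fetches, caches A
    r.zone["mail.example.org"] = ("198.51.100.7", 3600)  # link severed, A updated
    after = check_spf(SPF, "198.51.100.7", r, now=60)    # stale cached A: fail
    later = check_spf(SPF, "198.51.100.7", r, now=3601)  # TTL expired: pass
    return legit, forged, after, later, r.lookups
```

The stale "fail" in the middle is the window Alex describes; its length is the A record's TTL, which is the knob the domain owner controls when planning the cutover.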
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com