SPF on 9.4.1 now?

Clenna Lumina savagebeaste at yahoo.com
Thu Jun 21 01:39:42 UTC 2007


Michael Milligan wrote:
> Mark Andrews wrote:
>>> Mark Andrews wrote:
>>>
>>>> No.  You use it *instead* of TXT record.  There is no need
>>>> to dual publish the data.  Anyone that really cares about
>>>> SPF will upgrade their clients.
>>>
>>> As a practical matter, I must respectfully disagree.  It will be
>>> some time before everyone gets a chance to upgrade, and the timeout
>>> issue with looking up SPF from some DNS server sets (not BIND or MS
>>> implementations far as I can tell) is a significant issue.  This
>>> timeout issue could, of course, be a firewall issue...  anyway, it
>>> has a significant impact on high-volume (for various definitions of
>>> "high") mail sites.  And thus is ultimately off-topic for this
>>> list.  FIN.
>>
>>
>> What timeout issue?  If you don't publish the old clients
>> will get a NODATA response.  There is no time out issue in
>> not publishing the TXT record.
>
> The timeout issue is with looking up SPF records on some name servers.
>
> Compare:
>
> $ dig +norecurse TXT massivebonus.com @ns1.massivebonus.com
>
> to:
>
> $ dig +norecurse SPF massivebonus.com @ns1.massivebonus.com
>
> to see what I mean

OK, that's not the reason it lags:

   $ dig +norecurse SPF massivebonus.com @ns1.massivebonus.com
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58870
   ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 3

   ;; QUESTION SECTION:
   ;SPF.     IN A

Notice how it's still attempting an A record trying to find "SPF." as if 
it were a TLD. Granted, this is dig from BIND 9.3.4, which is fairly 
recent. It's not 9.4.x, but I think it illustrates the real problem: 
there are far too many pre-9.4 (and pre-9.x in general) implementations of 
BIND out there, and introducing SPF as an RR type is almost guaranteed to 
divide things even more than they already are.

Anyone who thinks the SPF RR type will somehow make everyone upgrade to 
the latest and greatest is living in a dream world, methinks. There are far 
too many organizations using 8.x, and even 4.x (shudder), for whatever 
reason. Furthermore, one new RR type just might be enough to warrant an 
upgrade in many people's minds, especially if they use the TXT SPF format 
and it just "works." I understand that TXT RRs are meant for human 
consumption, but it was a good way of adding such data without breaking 
things that just worked.

I will concede that SPF in general could have been implemented better.


   ;; AUTHORITY SECTION:
   .     232226 IN NS f.root-servers.net.
   .     232226 IN NS g.root-servers.net.
   .     232226 IN NS h.root-servers.net.
   .     232226 IN NS i.root-servers.net.
   .     232226 IN NS j.root-servers.net.
   .     232226 IN NS k.root-servers.net.
   .     232226 IN NS l.root-servers.net.
   .     232226 IN NS m.root-servers.net.
   .     232226 IN NS a.root-servers.net.
   .     232226 IN NS b.root-servers.net.
   .     232226 IN NS c.root-servers.net.
   .     232226 IN NS d.root-servers.net.
   .     232226 IN NS e.root-servers.net.

   ;; ADDITIONAL SECTION:
   a.root-servers.net.  159358 IN  A 198.41.0.4
   j.root-servers.net.  159358 IN  A 192.58.128.30
   l.root-servers.net.  600293 IN  A 198.32.64.12

   ;; Query time: 7 msec
   ;; SERVER: 192.168.8.4#53(192.168.8.4)
   ;; WHEN: Wed Jun 20 18:26:11 2007
   ;; MSG SIZE  rcvd: 280


   ; <<>> DiG 9.3.4 <<>> +norecurse SPF massivebonus.com @ns1.massivebonus.com
   ; (1 server found)
   ;; global options:  printcmd
   ;; connection timed out; no servers could be reached


-- 
CL 
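As an added example (not code from the thread or from BIND), here is a small POSIX shell script that does what the two dig commands above do by hand: it queries one server for both TXT and the SPF RR, requesting the latter as TYPE99 (RFC 3597 unknown-type syntax) so that a dig without the SPF mnemonic does not parse "SPF" as a hostname, and classifies each reply as an answer, NODATA, a referral or a timeout. The server and zone passed on the command line and the dig output fed to the classifier are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. classify_dig reads dig output on stdin
# and prints one word:
#   timeout  - no reply at all (the "timeout issue" discussed in the thread)
#   answer   - NOERROR with records in the ANSWER section
#   nodata   - NOERROR, empty answer, no referral: the type is simply not
#              published, the harmless reply a zone without SPF RRs should give
#   referral - empty answer with NS records in AUTHORITY, as when a mistyped
#              "SPF." name reaches a resolver that then points at the root
#   other    - any other status (SERVFAIL, REFUSED, NXDOMAIN, ...)
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    authority=$(printf '%s\n' "$out" | sed -n 's/.*AUTHORITY: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ "$status" != "NOERROR" ]; then
        echo other
    elif [ "${answers:-0}" -gt 0 ]; then
        echo answer
    elif [ "${authority:-0}" -gt 0 ] && printf '%s\n' "$out" | grep -q 'IN[[:space:]]*NS[[:space:]]'; then
        echo referral
    else
        echo nodata
    fi
}

# probe SERVER NAME: ask the server non-recursively for TXT and for TYPE99
# (the SPF RR by number) with a short timeout, and report how it treats each.
# Requires dig and network access; server and name are whatever you pass in.
probe() {
    for qtype in TXT TYPE99; do
        result=$(dig +norecurse +time=3 +tries=1 "$qtype" "$2" "@$1" | classify_dig)
        echo "$2 $qtype @$1: $result"
    done
}

if [ $# -eq 2 ]; then probe "$1" "$2"; fi
```

A server that returns "nodata" for TYPE99 but "answer" for TXT is fine for old clients; one that returns "timeout" for TYPE99 is the case the thread complains about.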