[dns-operations] creeping poorness of judgement

Paul Vixie paul at redbarn.org
Sat Mar 14 05:26:44 UTC 2020

Phil Pennock wrote on 2020-03-13 22:00:
> On 2020-03-13 at 21:07 -0700, Paul Vixie wrote:
>> the concatenation of <character-strings> on 255-octet boundaries has never
>> been specified in a DNS RFC, and if the DKIM and SPF specifications require
>> this, they are legislating from the bench.
> Isn't that one of the points of DNS: that semantics should be laid on by
> applications above it, while RFC 2181 keeps the DNS itself much more
> agnostic about such matters?

it is not, in two ways.

first, the semantic described for these strings is not an example of how 
applications are expected to layer on their own interpretation. while 
this could certainly be done for the SPF record, as it was for MX and 
SRV and dozens of others, TXT already had some rules.

second, they did not lay this semantic on, they referred to the practice 
of splitting text strings into 255-octet chunks and claimed that because 
of this practice they were going to assume that if multiple chunks were 
present they must have been split from some larger string.

> ...
> I've successfully pushed back against DNS tooling behavior which says
> "just join TXT strings together" and persuaded folks that this is
> application specific, with that being one common behavior which it's
> good to support.  In Exim's case, in those cases where folks have to
> manually code DNS lookups with `${dnsdb ...}`, the TXT handling
> explicitly allows for specifying how results from multiple strings, and
> multiple records, should be handled.

thank you for that. i think more work will be needed for DKIM and SPF 
applications who depend on the TXT record, but your approach illuminates 
that work.

specifically, if a consumer of DKIM or SPF sees multiple text segments 
which are not meaningful (contain no known keywords, have the wrong 
number of fields, or whatever) they should try again assuming that each 
segment is a word and that they are separated by whitespace. if the 
second interpretation results in meaning, it should be treated as success.

or else, only if the segment is the maximum size permitted by TXT RDATA 
formatting, should it be presumed to have been split from a larger string.

or both.

P Vixie
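The two interpretation rules proposed in the message above, worked through in code. This is an added example, not code from the post, from Exim, or from any DKIM/SPF implementation: the `looks_like_spf` and `looks_like_dkim` plausibility checks are deliberately minimal stand-ins for a real parser, and every sample record is constructed for illustration.

```python
"""Reading SPF/DKIM data out of TXT RDATA that carries several <character-strings>.

Rule one: try the plain concatenation; if the result is not meaningful, retry
treating each segment as a whitespace-separated word.
Rule two: presume a segment was split from a larger string only when it fills
the 255-octet maximum of a TXT <character-string>.
"""
import re
from typing import Callable, List, Optional

MAX_CHARACTER_STRING = 255  # octet limit of one TXT <character-string>

# Minimal SPF plausibility check (constructed): a version tag followed by terms
# that have the shape of known mechanisms or modifiers.
_SPF_TERM = re.compile(
    r"^(?:[+\-~?]?(?:all|a|mx|ptr|ip4|ip6|include|exists)(?:[:/].+)?"
    r"|(?:redirect|exp)=.+)$",
    re.IGNORECASE,
)


def looks_like_spf(text: str) -> bool:
    fields = text.split()
    if not fields or fields[0].lower() != "v=spf1":
        return False
    return all(_SPF_TERM.match(term) for term in fields[1:])


# Minimal DKIM plausibility check (constructed): ';'-separated tag=value pairs
# including the mandatory p= (public key) tag.
_DKIM_TAG = re.compile(r"^[A-Za-z][A-Za-z0-9_]*=.*$", re.DOTALL)


def looks_like_dkim(text: str) -> bool:
    tags = [t.strip() for t in text.split(";") if t.strip()]
    if not tags or not all(_DKIM_TAG.match(t) for t in tags):
        return False
    names = {t.split("=", 1)[0].lower() for t in tags}
    return "p" in names


def interpret_segments(segments: List[bytes],
                       is_meaningful: Callable[[str], bool]) -> Optional[str]:
    """Rule one: concatenation first, whitespace-joined words as the fallback."""
    concatenated = b"".join(segments).decode("ascii", errors="replace")
    if is_meaningful(concatenated):
        return concatenated
    spaced = " ".join(s.decode("ascii", errors="replace") for s in segments)
    if is_meaningful(spaced):
        return spaced
    return None  # neither reading makes sense to this consumer


def join_full_segments(segments: List[bytes]) -> List[bytes]:
    """Rule two: only a 255-octet segment is presumed to continue into the next
    one; anything shorter terminates the string it belongs to."""
    strings: List[bytes] = []
    buf = b""
    for seg in segments:
        buf += seg
        if len(seg) < MAX_CHARACTER_STRING:
            strings.append(buf)
            buf = b""
    if buf:  # the final segment was itself exactly 255 octets
        strings.append(buf)
    return strings


def split_character_strings(data: bytes) -> List[bytes]:
    """How a publisher chops an over-long value into 255-octet <character-strings>."""
    if not data:
        return [b""]
    return [data[i:i + MAX_CHARACTER_STRING]
            for i in range(0, len(data), MAX_CHARACTER_STRING)]


# Constructed sample records (not real zone data).
LONG_SPF = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40)) + " -all"
WORD_SPF = [b"v=spf1", b"include:_spf.example.test", b"-all"]  # one word per string
LONG_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 400  # placeholder key material, not a real key

if __name__ == "__main__":
    chunks = split_character_strings(LONG_SPF.encode())
    print(len(chunks), "segments ->", interpret_segments(chunks, looks_like_spf) == LONG_SPF)
    print("word-per-string ->", interpret_segments(WORD_SPF, looks_like_spf))
    print("rule two ->", [len(s) for s in join_full_segments(chunks)])
    print("nonsense ->", interpret_segments([b"hello", b"world"], looks_like_spf))
```

Both rules can be combined: run `join_full_segments` first to collapse only the 255-octet continuations, then hand the resulting strings to `interpret_segments` so that anything still ambiguous falls back to the whitespace reading.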