[dns-operations] creeping poorness of judgement

Phil Pennock dnsop+phil at spodhuis.org
Sun Mar 15 01:43:23 UTC 2020 

On 2020-03-14 at 20:34 -0400, Viktor Dukhovni wrote:
> Well, you'd be much better off with the more readable, and
> equally maintainable:
> 
>     @ TXT ( "v=spf1"
>             " ip6:2001:4f8::/32"
>             " ip6:2001:559:8000::/48"
>             " ip4:149.20.56.0/24"
>             " ip4:24.104.150.0/24"
>             " ~all" )
> 
> With the qname changed to "@", since SPF clients do not prepend "_spf.",
> and added "ip4:" and "ip6:" prefixes, AFAIK they're required.

Some implementations are especially lenient and fix up records which are
missing those prefices.  Sending email to Gmail and checking that it
makes it through and examining the headers is _not_ a conformance check
and shame on me for the outage after the time where I got lazy and used
it as such.

FWIW, I have a zone `test.globnix.net` which is open-transfer from
nlns.globnix.net, which has long contained a number of examples of
things which have to survive their trip through DNS, and sadistic SPF
records.  The only recent change was the addition of `spftest12` to
make sure I was covering Paul Vixie's example using unquoted tokens and
parens for multi-line.

Here's the section with comments from the zonefile on-disk; for a long
time it had SPF and TXT both, until RFC7208.  I could find a way to
rephrase that.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8< zonefile >8~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; For SPF, must be resistant to other TXT records; per RFC 4408, SHOULD
; publish both TXT and SPF RR-types, MUST have at least one of those, if
; both present MUST match.  RR "SPF" = 99.
; HOWEVER RFC 7208 forbade SPF RR-type (§3.1)
spftest1        IN      TXT             "foo extra"
spftest1        IN      TXT             "bar extra"
spftest1        IN      TXT             "v=spf1 -all"

; TXT joining behaviour is application-specific; when used for SPF records,
; elements joined directly together, no white-space, and this is the defined
; behaviour for TXT records too.
spftest2        IN      TXT             "v=spf1 " "-all"
spftest3        IN      TXT             "v=s" "pf1 -" "all"
spftest4        IN      TXT             "" "v=spf1 -all"
spftest5        IN      TXT             "v=spf1" " -all" ; see if parser requires space after tag within "enough swallowed to provide first tag"
spftest6        IN      TXT             "v=s" "" "pf1" " " "-all"
spftest7        IN      TXT             "v" "=" "s" "p" "f" "1" " " "-" "a" "l" "l"
spftest8        IN      TXT             "v=s" "" "" "" "" "" "" "" "" "pf1 -all"
spftest9        IN      TXT             "v=spf1 " "" "" "" "" "" "" "" "" "-all"
spftest10       IN      TXT             "" "" "" "" "v=sp" "f1 -all"
spftest11       IN      TXT             "" "" "" "" "v=spf1 -all"
spftest12       IN      TXT     (
                v=spf1
                " -all"
                )
spf-count       IN      TXT             "max=12"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8< zonefile >8~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More information about the dns-operations mailing list