On 24.08.2017 at 03:31, bind-us...@gtaylor.tnetconsulting.net wrote:
On 08/23/2017 05:47 PM, Reindl Harald wrote:
arrakis.thelounge.net.  86399   IN      SPF     "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

prometheus.thelounge.net. 86399 IN      SPF     "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

otherwise only @example.com *itself* is protected from forging; our homegrown DNS backend automatically publishes SPF records for every hostname in every domain

This might be a case to use the include so that each host can include (read: pull in) the SPF record for the parent domain.

which means again: additional DNS lookups, while IP addresses and ranges are done with a single lookup

Obviously it depends on how your infrastructure is configured.

in case that stuff is generated - see above

also avoid "v=spf1 mx" - why?
because it's a useless DNS lookup on the receiver
publish IP addresses whenever possible - the connecting IP is known for free; the MX is not relevant on the destination server when receiving email, as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in their IP space that reverse resolves to a name of one of your MX servers, thereby allowing their bogus server to send email as you

Besides, it's not true, because SPF has nothing to do with PTR, and they won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS - how is that related to the topic at all?

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
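The cost argument in the thread (ip4: matches without any DNS traffic, while a, mx and include each cost at least one extra query on the receiving side, and mechanism order decides whether that query is even needed) is easy to see with a small SPF evaluator run against an in-memory zone. The code below is an added example written for this page, not code from the thread or from BIND. Only the two SPF strings quoted above are taken from the list; every other name, address and record (example.com, reordered.example.net, 192.0.2.x, 198.51.100.x, loop.example.com) is constructed, and the evaluator deliberately models just the ip4/ip6, a, mx, include and all mechanisms plus the RFC 7208 limit of ten DNS-querying mechanisms (no macros, ptr, exists, redirect= or void-lookup limit).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed in-memory zone. The arrakis.thelounge.net SPF string is the one
# quoted on the list; everything else here is made up for the demonstration.
# Keys are (fully qualified name, RR type).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("arrakis.thelounge.net.", "TXT"): ["v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"],
    ("arrakis.thelounge.net.", "A"): ["91.118.73.10"],                  # constructed
    # Same policy with ip4 terms first, so a match never needs the A lookup:
    ("reordered.example.net.", "TXT"): ["v=spf1 ip4:91.118.73.0/24 ip4:95.129.202.170 a -all"],
    ("example.com.", "TXT"): ["v=spf1 mx include:_spf.example.com -all"],
    ("example.com.", "MX"): ["mx1.example.com.", "mx2.example.com."],
    ("mx1.example.com.", "A"): ["192.0.2.10"],
    ("mx2.example.com.", "A"): ["192.0.2.11"],
    ("_spf.example.com.", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("host1.example.com.", "TXT"): ["v=spf1 include:example.com -all"],
    ("loop.example.com.", "TXT"): ["v=spf1 include:loop.example.com -all"],  # self-include
}

MAX_MECH_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Record cannot be evaluated (lookup limit, bad syntax, unsupported term)."""


def _fqdn(name: str) -> str:
    return name.lower() if name.endswith(".") else name.lower() + "."


def _query(zone, state, name: str, rrtype: str) -> List[str]:
    """One simulated DNS round trip; every call is counted in state['queries']."""
    state["queries"] += 1
    return zone.get((_fqdn(name), rrtype), [])


def _charge_mechanism(state) -> None:
    """a, mx and include count against the ten-mechanism limit; ip4/ip6/all do not."""
    state["mech"] += 1
    if state["mech"] > MAX_MECH_LOOKUPS:
        raise PermError("too many DNS-querying mechanisms")


def _matches_a(zone, state, name: str, ip) -> bool:
    return any(ip == ipaddress.ip_address(a) for a in _query(zone, state, name, "A"))


def _evaluate(zone, domain: str, ip, state) -> str:
    records = [r for r in _query(zone, state, domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        raise PermError("multiple SPF records")
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Pure address arithmetic: the connecting IP is already known, no DNS traffic.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            _charge_mechanism(state)
            matched = _matches_a(zone, state, arg or domain, ip)
        elif mech == "mx":
            _charge_mechanism(state)
            # One MX query, then one A query per MX host until something matches.
            matched = any(_matches_a(zone, state, mx, ip)
                          for mx in _query(zone, state, arg or domain, "MX"))
        elif mech == "include":
            _charge_mechanism(state)
            inner = _evaluate(zone, arg, ip, state)  # recursion shares the same counters
            if inner == "none":
                raise PermError("include of a domain without SPF")
            matched = inner == "pass"
        else:
            raise PermError(f"unsupported term {term!r} (ptr/exists/modifiers not modelled)")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def check_spf(domain: str, ip: str, zone=ZONE) -> Tuple[str, int, int]:
    """Return (result, dns_queries_made, mechanisms_counted_against_limit)."""
    state = {"queries": 0, "mech": 0}
    try:
        result = _evaluate(zone, domain, ipaddress.ip_address(ip), state)
    except PermError:
        result = "permerror"
    return result, state["queries"], state["mech"]


if __name__ == "__main__":
    for dom, ip in [("arrakis.thelounge.net", "95.129.202.170"),
                    ("reordered.example.net", "95.129.202.170"),
                    ("arrakis.thelounge.net", "203.0.113.7"),
                    ("example.com", "192.0.2.11"),
                    ("host1.example.com", "198.51.100.5"),
                    ("loop.example.com", "198.51.100.5")]:
        print(f"{dom:24} {ip:16} -> {check_spf(dom, ip)}")
```

Running it shows the point of the thread in the query column: the quoted record passes the legitimate IP only after an A lookup because `a` precedes the `ip4` terms, the reordered copy passes on the TXT query alone, an `mx` record costs the MX query plus one A query per MX host, nested `include` terms add up across the chain, and a self-including record is rejected with permerror once it exceeds the ten-mechanism limit. A PTR record published by a third party never enters into any of these paths, since no mechanism used here consults reverse DNS.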