In message <[email protected]>, Alessandro Vesely writes:
> On Tue 30/Apr/2013 01:07:42 +0200 Mark Andrews wrote:
> >
> > The really annoying thing is that SPF is technically superior
> > to TXT in lots of ways.
> >
> > 1. It uniquely identifies the role of the record.
> >
> > 2. As SPF records are singletons you don't need to identify
> > and remove the old record when updating. You can just
> > remove all SPF record and add the replacement.
> >
> > For TXT you need to lookup the existing RRset, extract
> > the v=spf1 record from it. You then need to create a
> > UPDATE message to delete just that record as well as add
> > the new TXT record. You then have to hope that no one
> > else is performing a simultaneous update as you may get
> > two TXT v=spf1 records in the RRset.
>
> That's true, except that one has TXT records anyway.
nsupdate
update del example.com SPF
update add example.com 3600 SPF v=spf1 ....
send
txt=`dig +short example.com TXT | \
sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
-e '/^"v=spf1"$/s/^/update del example.com TXT /p'`
nsupdate << EOF
$txt
update add example.com 3600 TXT v=spf1 ....
send
EOF
But that doesn't work for 'example.com TXT "v" "=" "s" "p" "f" "1"'
which is a perfectly legal SPF record.
sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=spf1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=" "spf1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=" "s" "pf1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=" "s" "p" "f1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=" "s" "p" "f" "1 /s/^/update del example.com TXT /p' \
-e '/^"v" "=" "s" "p" "f" "1" " /s/^/update del example.com TXT /p' \
-e '/^"v=spf1"$/s/^/update del example.com TXT /p'`
And keep going because the delete needs the rdata to be a
perfect match to identify the record to be removed.
I'm sure I could come up with a more compact way of identifying
a spf record but it wouldn't be needed if people published type
SPF.
> > The complaints about using SPF are that there are broken
> > firewalls and some servers drop queries for it, some registrars
> > don't support it.
>
> Nits, as explained below. The basic fact that killed the SPF type is
> the ability to use TXT as a replacement. There must be an analogous
> of Gresham's law: "Bad types drive out good ones."
>
> > For firewalls, fix/replace the firewall if you intend to
> > deploy SPF and it doesn't support it. It is total !@##@#
> > that firewalls are incapable of handling new DNS record
> > types. New records were expected to occur from the very
> > beginning and have been coming out regularly ever since the
> > DNS was invented. Firewall vendors that are incapable of
> > handling new DNS types are incompetent and do not deserve
> > repeat business.
> >
> > For servers that drop SPF queries they really are at the
> > noise level. When you identify one you complain to the
> > owners of it. Yes, that does work. We needed to do that
> > for AAAA records.
> >
> > For registrars, change registrar to one that does.
>
> While it's too late for SPF, we can learn this lesson.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
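The sed chain above grows one branch per way the "v=spf1" prefix can be split across character-strings, and still misses arrangements it does not enumerate. An added example, not from Mark Andrews' message or from ISC, that does the identification the general way: parse each line of `dig +short example.com TXT` output into its character-strings (handling the `\"`, `\\` and `\DDD` escapes dig emits), concatenate them as RFC 7208 section 3.3 requires, and test whether the joined text begins with the version tag followed by a space or the end of the record. The delete line reuses the original rdata verbatim, because nsupdate's delete needs an exact match. The dig output is constructed sample data, and `example.com`, the function names and the ttl are assumptions for the illustration. Two matching records in the sample are deliberate: that is the stale-record outcome the thread describes, and a script that reports it is how you notice a leftover record before adding the replacement.

```python
import re

# Constructed sample of `dig +short example.com TXT` output (not real DNS data):
# an SPF record split into single-character strings, an unrelated TXT record,
# a record that merely mentions v=spf1 mid-string, and a two-string SPF record.
SAMPLE_DIG_OUTPUT = '''\
"v" "=" "s" "p" "f" "1" " mx -all"
"google-site-verification=abc123"
"note: v=spf1 is not at the start"
"v=spf1 ip4:192.0.2.0/24 " "~all"
'''

# One quoted character-string in presentation format; backslash escapes the next byte.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"')


def unescape(s):
    """Decode the backslash escapes dig uses inside a quoted character-string:
    \\" and \\\\ for literal quote and backslash, \\DDD for a decimal byte value."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            if i + 3 < len(s) and s[i + 1:i + 4].isdigit():
                out.append(chr(int(s[i + 1:i + 4])))
                i += 4
                continue
            out.append(s[i + 1])
            i += 2
            continue
        out.append(s[i])
        i += 1
    return ''.join(out)


def character_strings(rdata):
    """Split one presentation-format TXT rdata line into its decoded strings."""
    return [unescape(m.group(1)) for m in _TOKEN.finditer(rdata)]


def is_spf_record(rdata):
    """True if the concatenated strings form an SPF record: RFC 7208 s.3.3 joins
    the strings without spaces, s.4.5 requires the version tag to be followed by a
    space or the end of the record (so "v=spf10" is not a match). ABNF literals
    are case-insensitive, hence the lower() on the tag."""
    text = ''.join(character_strings(rdata))
    return text[:6].lower() == 'v=spf1' and (len(text) == 6 or text[6] == ' ')


def spf_delete_updates(dig_output, name):
    """Build an 'update del' line for every TXT record that is an SPF record.
    The rdata is reproduced exactly as dig printed it so the delete matches."""
    lines = [ln.strip() for ln in dig_output.splitlines() if ln.strip()]
    return ['update del %s TXT %s' % (name, ln) for ln in lines if is_spf_record(ln)]


def build_nsupdate_script(dig_output, name, new_record, ttl=3600):
    """Return the text to feed to nsupdate, plus the number of SPF records found.
    More than one means a previous update already left a stale record behind."""
    dels = spf_delete_updates(dig_output, name)
    body = dels + ['update add %s %d TXT "%s"' % (name, ttl, new_record), 'send']
    return '\n'.join(body) + '\n', len(dels)


if __name__ == '__main__':
    script, found = build_nsupdate_script(SAMPLE_DIG_OUTPUT, 'example.com',
                                          'v=spf1 mx ip4:192.0.2.0/24 -all')
    if found > 1:
        print('# warning: %d SPF records present, all will be removed' % found)
    print(script, end='')
```

Run it as `python3 spf_update.py | nsupdate -k Kexample.+157+12345.private` (key file name assumed) once the sample output is replaced by a real `dig +short` capture; the only part of the pipeline that changes between the single-string and the split-string cases is the parser, not a growing list of patterns.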