SPF on 9.4.1 now?

Mark Andrews Mark_Andrews at isc.org
Mon May 21 23:40:33 UTC 2007

> Måns Nilsson wrote:
> > --On tisdag, tisdag 22 maj 2007 00.36.43 +1000 Mark Andrews
> > <Mark_Andrews at isc.org> wrote:
> >   
> >> 	Which is a perfect reason to take the TXT records out.  If
> >> 	you keep the TXT record there then there in no incentive
> >> 	to upgrade / fix broken software.  People will be asking
> >> 	in 10 years time "Do we still need the TXT spf record?"
> >>     
> >
> > (I fully agree with Mark, btw)
> >
> > Which is why my second biggest issue with SPF is the ugly TXT hack. Ideas
> > like that create hard-to-overcome ambivalence in the name/interpretation
> > space. If you ever, ever contemplate to use TXT records for anything
> > besides data that is going to be read by humans using dig or host, take
> > notice. You will do DNS a disservice. (The largest issue is that SPF in all
> > is a ugly and stupid layering violation, but that is well off-topic)
> >
> > *steps of soap-box* 
> >   
> I will still recommend the path that is the only one I have really seen
> work:
> Make the new solution work so well that nobody wants to keep the old
> one. (Yes, I know that will take a long time.)
> If you remove txt-records, do you believe that will make all the people
> with 8.x.x BIND servers upgrade just now? (or even 4.7)? I did not think
> so, I also believe that more immidiate reasons will be needed for that
> to happen. All the bugs and vulnerabilities have not succeeded yet.

	The BIND 8 servers don't need to be upgraded.  The clients
	need to be upgrade.  BIND 8 will happily cache these records.
	As far as BIND 8 is concerned they are opaque blobs of data.
	Late BIND 8 will even load them using TYPE99 unknown type
	support, this is only need for authoratative servers.

	In this case the authoritative servers are clearly BIND 9
	so that's not a issue.

> That means that removing them will leave us without SPF in general; mail
> will survive, but with more spam accepted for human handling. Whos
> interest would that be?

	Upgrading a client to support SPF is usually as simple as
	s/T_TXT/99/ or equivalent.  If you want to support both
	you just add a loop.

	There is no need to keep using TXT records.  Those that
	want SPF protection can easily upgrade their clients.

	Clients that are worried about spam getting through will
	upgrade their systems.  Clients that aren't won't.

> In general I agree that a special RR-type is far preferable to txt-RRs.
> -- 
> Best regards
> Sten Carlsen
> No improvements come from shouting:
>        "MALE BOVINE MANURE!!!" 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list