Re: [Asrg] misconception in SPF

[Alessandro Vesely <vesely@tana.it>]

On Sun 09/Dec/2012 00:38:10 +0100 Andrew Sullivan wrote:
> On Sat, Dec 08, 2012 at 07:43:03PM +0100, Alessandro Vesely wrote:
> 
>> Aren't there generic (i.e. non spf-specific) DNS conventions for
>> publishing such relationships?
> 
> No, but comments on
> http://tools.ietf.org/html/draft-sullivan-domain-origin-assert-02
> would be most welcome.

Those SOPA records, at least in the "names-only" strategy, would be an
easy way to lightheartedly use wildcard records so as to cover all the
subdomains.  I'm surprised there are no established hacks, such as
capturing part of the SOA, as it might be part of a negative reply to
a TXT query, e.g. RNAME =~ /hostmaster\.([-.a-z0-9]{2,63})/i.

While RNAMEs may get filled in unwittingly of such use, SOPA is sound
because of the clearness of its semantics.  However, it is also true
that its precise meaning depends on the kind of policy.  One then has
to turn to "port-and-scheme" strategy, and complicate the subject
beyond ease of reach.  In comparison, the overloaded-redirect hack has
some nice properties:

*semantics*:  the same mail abuse team looks after both domains.

*hierarchy*:  a loop entails the setup is broken.

*conciseness*:  the vertex must be reachable withing 10 queries.

*awareness*:  SPF never suggested to use redirect for helo records, so
anyone using it must be aware of it.  For a more stringent check, it
could be conceived as, say, redirect=_spf_policy_hack.master.tld.

That doesn't address the OP concern about non-mailing subdomains,
albeit in some cases it can.  It just reduces the number of entries in
a receiver's senders database.  Since each of those entries is likely
to cost some fraction of human operator's time, reducing them seems to
be worth an extra lookup on each message.