Re: Problems using dnswl for SPF
- Subject: Re: Problems using dnswl for SPF
- From: Patrick Domack <patrickdk@xxxxxxxxxxxxx>
- Date: Sun, 17 Jan 2016 21:55:47 -0500
You are abusing other people's DNS, the list.dnswl.org, to do this. You also assume that the other people looking up your request don't look up anything else. You are assuming you're the first and only one to do this. This is a bad basis to use a service that you know limits the number of uses allowed, and depend on it to work.
Quoting Alessandro Vesely <vesely@xxxxxxx>:
Hi Matthias and all,

SPF specs include an appendix which details how to avoid breaking forwarding:
https://tools.ietf.org/html/rfc7208#appendix-D

I'm trying D.1:

    v=spf1 +ip4:my.ip.add.ress ?exists:%{ir}.list.dnswl.org -all

but sometimes it doesn't work well.

*Problem 1*
-----------

I heard from Google that they get errors evaluating "exists". Instead of:

    Host 102.1.64.64.list.dnswl.org not found: 3(NXDOMAIN)

They get:

    Host 102.1.64.64.list.dnswl.org not found: 5(REFUSED)

and trying from my non-google server:

    Host 102.1.64.64.list.dnswl.org not found: 2(SERVFAIL)

Note that I issue a tiny number of messages, and my setup is not so common. So, I don't think Google issues too many queries due to SPF evaluation. Even in that case, those errors are at odds with DNSWL specs:

    Special return code 127.0.0.255
    In cases where your nameserver issues more than 100’000 queries / 24 hours, you may be blocked from further queries. The return code “127.0.0.255” indicates this situation.
    https://www.dnswl.org/?page_id=15

Any idea where those errors originate?

*Problem 2*
-----------

Another problem is how subscribers can manage that situation. When I need to test my own SPF record, I end up querying list.dnswl.org, although I have a local copy of it. That's because the local copy has a different DNS name, which is only valid in internal view. Can this be fixed?

Setting up a local override of list.dnswl.org looks cumbersome. It seems to be simpler to instruct an SPF evaluator to map list.dnswl.org to a local copy, if available, for the purpose of evaluating SPF records.

Any other suggestion, anyone?

Ale
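
An added example, not part of either message above: an offline Python model of how the quoted record is evaluated under RFC 7208, showing what each DNS reply from the thread (NXDOMAIN, SERVFAIL, REFUSED, and the 127.0.0.255 over-quota answer) does to the SPF result. The `resolve` callback, the `zone_map` parameter, the own address 192.0.2.10 and the listing value 127.0.5.0 are assumptions made up for the illustration.

```python
import ipaddress

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5  # DNS RCODEs named in the thread

def expand_ir(sender_ip, zone):
    """Expand '%{ir}.<zone>' for an IPv4 sender: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate(sender_ip, own_ip, resolve, zone="list.dnswl.org", zone_map=None):
    """Model 'v=spf1 +ip4:<own_ip> ?exists:%{ir}.<zone> -all'.

    resolve(name) -> (rcode, [A records]) is supplied by the caller.
    zone_map (hypothetical) redirects a zone to a local copy, as Problem 2 asks.
    Returns (spf_result, name_queried_or_None).
    """
    if ipaddress.IPv4Address(sender_ip) == ipaddress.IPv4Address(own_ip):
        return "pass", None                      # +ip4 matched, no DNS needed
    name = expand_ir(sender_ip, (zone_map or {}).get(zone, zone))
    rcode, answers = resolve(name)
    if rcode not in (NOERROR, NXDOMAIN):
        return "temperror", name                 # RFC 7208 s.5: RCODE other than 0 or 3
    if rcode == NOERROR and answers:
        return "neutral", name                   # any A record matches; '?' gives neutral
    return "fail", name                          # no match, evaluation reaches -all

def table_resolver(table):
    """Constructed stand-in for a DNS client; unknown names are NXDOMAIN."""
    return lambda name: table.get(name, (NXDOMAIN, []))

if __name__ == "__main__":
    q = expand_ir("64.64.1.102", "list.dnswl.org")   # name from the thread
    cases = {
        "NXDOMAIN": (NXDOMAIN, []),
        "SERVFAIL": (SERVFAIL, []),
        "REFUSED": (REFUSED, []),
        "listed": (NOERROR, ["127.0.5.0"]),          # constructed listing value
        "blocked": (NOERROR, ["127.0.0.255"]),       # over-quota code quoted above
    }
    for label, reply in cases.items():
        print(label, evaluate("64.64.1.102", "192.0.2.10", table_resolver({q: reply})))
```

The `blocked` case comes out `neutral`, because `exists` only checks that an A record was returned and ignores its value, so an over-quota answer is indistinguishable from a real listing for this record.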