In message <517FF144.5040600@xxxxxxx>, Alessandro Vesely writes:
> On Tue 30/Apr/2013 01:07:42 +0200 Mark Andrews wrote:
> >
> > The really annoying thing is that SPF is technically superior
> > to TXT in lots of ways.
> >
> > 1. It uniquely identifies the role of the record.
> >
> > 2. As SPF records are singletons you don't need to identify
> >    and remove the old record when updating. You can just
> >    remove all SPF records and add the replacement.
> >
> >    For TXT you need to look up the existing RRset, extract
> >    the v=spf1 record from it. You then need to create a
> >    UPDATE message to delete just that record as well as add
> >    the new TXT record. You then have to hope that no one
> >    else is performing a simultaneous update as you may get
> >    two TXT v=spf1 records in the RRset.
>
> That's true, except that one has TXT records anyway.

nsupdate
update del example.com SPF
update add example.com 3600 SPF v=spf1 ....
send

txt=`dig +short example.com TXT | \
    sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
           -e '/^"v=spf1"$/s/^/update del example.com TXT /p'`
nsupdate << EOF
$txt
update add example.com 3600 TXT v=spf1 ....
send
EOF

But that doesn't work for 'example.com TXT "v" "=" "s" "p" "f" "1"',
which is a perfectly legal SPF record.

sed -n -e '/^"v=spf1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=spf1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=" "spf1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=" "s" "pf1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=" "s" "p" "f1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=" "s" "p" "f" "1 /s/^/update del example.com TXT /p' \
       -e '/^"v" "=" "s" "p" "f" "1" " /s/^/update del example.com TXT /p' \
       -e '/^"v=spf1"$/s/^/update del example.com TXT /p'

And keep going, because the delete needs the rdata to be a perfect match
to identify the record to be removed. I'm sure I could come up with a
more compact way of identifying an SPF record, but it wouldn't be needed
if people published type SPF.
> > The complaints about using SPF are that there are broken
> > firewalls and some servers drop queries for it, some registrars
> > don't support it.
>
> Nits, as explained below. The basic fact that killed the SPF type is
> the ability to use TXT as a replacement. There must be an analogue
> of Gresham's law: "Bad types drive out good ones."
>
> > For firewalls, fix/replace the firewall if you intend to
> > deploy SPF and it doesn't support it. It is total !@##@#
> > that firewalls are incapable of handling new DNS record
> > types. New records were expected to occur from the very
> > beginning and have been coming out regularly ever since the
> > DNS was invented. Firewall vendors that are incapable of
> > handling new DNS types are incompetent and do not deserve
> > repeat business.
> >
> > For servers that drop SPF queries they really are at the
> > noise level. When you identify one you complain to the
> > owners of it. Yes, that does work. We needed to do that
> > for AAAA records.
> >
> > For registrars, change registrar to one that does.
>
> While it's too late for SPF, we can learn this lesson.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
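As an added example (not part of the thread above, and not ISC code), one way around the "keep going" problem with the sed patterns: instead of enumerating every way "v=spf1" can be split across <character-string>s, parse the presentation form that `dig +short ... TXT` prints, join the strings, and test the joined text, while passing the original rdata through untouched so the `update del` still matches byte for byte. The dig output, the function names and the `example.com` zone are constructed for this example.

```python
import re
from typing import List

# Constructed sample of `dig +short example.com TXT` output. The second
# record is an SPF record split into many <character-string>s, which is
# legal but is not matched by a fixed list of sed patterns.
SAMPLE_DIG_OUTPUT = """\
"some other text record"
"v" "=" "s" "p" "f" "1" " mx -all"
"v=spf1 ip4:192.0.2.0/24 -all"
"v=spf2 not an spf record"
"""

# One quoted <character-string>, allowing backslash escapes inside it.
_CHARSTR = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Presentation-format escapes: \DDD (decimal octet, RFC 1035 5.1) or \X.
_ESC = re.compile(r'\\(\d{3}|.)')

def _unescape(s: str) -> str:
    def one(m: re.Match) -> str:
        g = m.group(1)
        return chr(int(g)) if len(g) == 3 and g.isdigit() else g
    return _ESC.sub(one, s)

def txt_rdata_text(presentation: str) -> str:
    """Join the <character-string>s of one TXT RR into the single string
    an SPF checker evaluates (RFC 7208 treats them as concatenated)."""
    return "".join(_unescape(m.group(1)) for m in _CHARSTR.finditer(presentation))

def is_spf_record(presentation: str) -> bool:
    # Same test as the sed patterns: exactly "v=spf1", alone or followed by SP.
    text = txt_rdata_text(presentation)
    return text == "v=spf1" or text.startswith("v=spf1 ")

def spf_delete_updates(dig_output: str, name: str = "example.com") -> List[str]:
    """One `update del` per v=spf1 TXT record. The rdata is emitted exactly
    as dig printed it: the server only deletes an RR whose rdata matches."""
    return [f"update del {name} TXT {line.strip()}"
            for line in dig_output.splitlines()
            if line.strip() and is_spf_record(line)]

def nsupdate_script(dig_output: str, new_spf: str,
                    name: str = "example.com", ttl: int = 3600) -> str:
    """Full nsupdate input: delete every old v=spf1 TXT, add the new one.
    new_spf is assumed to contain no double quotes."""
    lines = spf_delete_updates(dig_output, name)
    lines.append(f'update add {name} {ttl} TXT "{new_spf}"')
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(nsupdate_script(SAMPLE_DIG_OUTPUT, "v=spf1 mx ip4:192.0.2.0/24 -all"), end="")
```

Piping the real `dig +short` output through this and the result into `nsupdate` replaces the sed chain; it still leaves the race with a concurrent updater that the message describes, since the delete and add are two records in one UPDATE, not a singleton type.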