In message <0c3746c3-dac1-471f-bd07-8faf20481337@xxxxxxxxxxxxxxxxx>, Scott Kitterman writes:
> 
> 
> Mark Andrews <marka@xxxxxxx> wrote:
> 
> >In message <20130821214832.1C92538C0230@xxxxxxxxxxxxxxxx>, Mark Andrews
> >writes:
> >> > It's primarily an issue for applications. To the DNS, it's exactly
> >what it
> >> > is, a TXT record.
> >
> >I can hand update of A and AAAA records to the machine.
> >I can hand update of MX records to the mail administrator.
> >I can hand update of SPF records to the mail administrator.
> >I can hand update of TXT records to ??????
> 
> No one because it has multiple uses. This is true whether SPF exists or not. SPF use of RRTYPE TXT for SPF records makes that neither better nor worse.
> 
> You could publish:
> 
> example.com IN TXT v=spf1 redirect=_spf.example.com
> _spf.example.com IN TXT v=spf1 [actual content here]
> 
> Then delegate _spf.example.com to the mail administrator. Problem solved.

No, it is NOT solved. You have to trust *everyone* with the ability to
update TXT not to remove / alter that record. You can't give someone you
don't trust the ability to update TXT.

With a published SPF record and SPF lookup first stopping on success or
lookup failure (SERVFAIL) you can give update control of TXT to someone
you don't trust enough to not remove / alter the SPF TXT record.

You keep telling us the TXT is just another record in the DNS. Well the
DNS is managed at the granularity of the TYPE. 4408bis is forcing sub-type
management to be developed and deployed to maintain the status quo. TXT is
no longer "just another record in the DNS" with 4408bis as it currently
stands.

And to Google your motto is "Do No Evil". Publishing a TXT SPF record
without publishing an SPF SPF record is "Evil" as it encourages others to
do the same.

Mark

> Scott K
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
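The lookup order Mark's argument rests on (type SPF queried first, stopping on success or SERVFAIL, TXT consulted only as a fallback), as an added Python simulation that is not code from this thread; the zone contents and the resolver are constructed stand-ins, not real DNS, and redirect= following is simplified to show record discovery only.

```python
# Added example (not from the thread): simulate RFC 4408 record discovery.
# Zone contents below are constructed for illustration, not real DNS data.
ZONE = {
    # Operator publishes both types; an untrusted TXT updater later altered the TXT copy.
    ("example.com.", "SPF"): ["v=spf1 redirect=_spf.example.com."],
    ("example.com.", "TXT"): ["v=spf1 -all"],          # altered copy, must be ignored
    ("_spf.example.com.", "SPF"): ["v=spf1 mx -all"],
    ("_spf.example.com.", "TXT"): ["v=spf1 mx -all"],
    ("txtonly.example.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],  # TXT-only publisher
}
SERVFAIL_NAMES = {"broken.example."}  # names whose type-SPF lookup fails with SERVFAIL


def query(name, rrtype):
    """Simulated resolver: return (rcode, SPF-version strings found at name/rrtype)."""
    if name in SERVFAIL_NAMES and rrtype == "SPF":
        return "SERVFAIL", []
    answers = ZONE.get((name, rrtype), [])
    return "NOERROR", [a for a in answers if a.lower().split()[:1] == ["v=spf1"]]


def spf_record(name):
    """RFC 4408 order: query type SPF first and stop on success or SERVFAIL;
    fall back to TXT only when the SPF query answered with no record."""
    rcode, recs = query(name, "SPF")
    if rcode == "SERVFAIL":
        return "temperror", None
    if recs:
        return "SPF", recs[0]
    rcode, recs = query(name, "TXT")
    if rcode == "SERVFAIL":
        return "temperror", None
    return ("TXT", recs[0]) if recs else ("none", None)


def resolve_spf(name, max_hops=10):
    """Discover the effective record, following redirect= modifiers (simplified:
    a real evaluator only honours redirect= after no mechanism matched).
    Returns (source type, record text, list of (name, source) hops)."""
    chain = []
    for _ in range(max_hops):
        src, rec = spf_record(name)
        chain.append((name, src))
        if rec is None:
            return src, None, chain
        target = next((t.split("=", 1)[1] for t in rec.split()[1:]
                       if t.lower().startswith("redirect=")), None)
        if target is None:
            return src, rec, chain
        name = target
    return "permerror", None, chain  # too many redirects
```

With the constructed zone, the altered TXT copy at example.com. never influences the result because the type-SPF answer ends the search; a TXT-only publisher still resolves, and a SERVFAIL on the SPF query is a temperror rather than a fall-through to TXT.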