On Sep 2, 2013, at 5:54 AM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
Dear Phillip,

It seems many of the larger providers are unwilling to process SPF macros due to inherent risks and inefficiency. Rather than accessing data using the DNS resource selectors of Name, Type, and Class, SPF uses mechanisms above DNS that take additional domain, IP address, and email address input parameters, merged with results generated from a series of prescribed DNS transactions. The macro feature was envisioned as leveraging these additional inputs to influence query construction. It seems a lack of support by large providers has ensured that scant few macros are published.

In the beginning, there were several who wanted a macro language to manage DNS processing, with little idea where this would be headed. At the time there was already a dedicated binary resource record able to fully provide the information now obtained and used from SPF. Policy aspects of SPF are largely ignored due to the exceptions often required.

An SRV resource record resolving the location of a service could include an APL RR with CIDR information for all outbound IP addresses. This would offer load balancing and system priorities, while mapping outbound address space within two DNS transactions instead of the 111 recursive transactions expected by SPF.

If one were starting over, DANE TLS or DTLS would be a better solution, and one that should be even easier to administer since it avoids the need to trust IP addresses and NATs. As with PKI, there are too many actors influencing routing's integrity.

Regards,
Douglas Otis
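The macro mechanism the message refers to, as an added worked example (not code from Douglas Otis's message, nor from any SPF implementation): an RFC 7208 section 7 macro expander, plus the name-length handling a verifier needs before it issues the DNS query an "exists:" or "include:" term constructs. The sender, domain and client addresses used below are the ones the RFC itself uses in its section 7.4 examples; the function names, the choice to treat an over-long label as an error, and the omission of the exp-only macros c, r and t are this example's own assumptions.

```python
"""SPF macro expansion (RFC 7208, section 7) with the post-expansion
domain-name checks a verifier needs before issuing the query.
Added example; not code from the original message or from any SPF library."""
import ipaddress
import re
from urllib.parse import quote

# One token at a time: a macro expression %{...}, one of the literal escapes
# %% %_ %-, or anything else following '%' (a syntax error, caught in repl()).
_TOKEN_RE = re.compile(
    r"%(?:\{([A-Za-z])(\d*)([rR]?)([.\-+,/_=]*)\}|([%_-])|(.?))"
)
_LITERALS = {"%": "%", "_": " ", "-": "%20"}


def _ipv6_dotted(addr: ipaddress.IPv6Address) -> str:
    """RFC 7208 'dotted format': every nibble of the full address, dot separated."""
    return ".".join(addr.exploded.replace(":", ""))


def expand_macro(text, sender, domain, ip, helo=None, validated=None):
    """Expand the macros of one SPF term for one check_host() evaluation.

    sender: MAIL FROM address; domain: the <domain> argument of the current
    evaluation; ip: the SMTP client address; helo: HELO/EHLO domain.
    'p' is discouraged by the RFC and expands to "unknown" unless a
    validated name is supplied. The exp-only macros c, r, t are rejected.
    """
    addr = ipaddress.ip_address(ip)
    local, at, sender_domain = sender.rpartition("@")
    if not at:
        raise ValueError("sender must contain '@'")
    values = {
        "s": sender,
        "l": local,
        "o": sender_domain,
        "d": domain,
        "i": str(addr) if addr.version == 4 else _ipv6_dotted(addr),
        "p": validated or "unknown",
        "v": "in-addr" if addr.version == 4 else "ip6",
        "h": helo,
    }

    def repl(m):
        letter, digits, rev, delims, literal, _bad = m.groups()
        if literal is not None:
            return _LITERALS[literal]
        if letter is None:
            raise ValueError(f"bad macro syntax near {m.group(0)!r}")
        value = values.get(letter.lower())
        if value is None:
            raise ValueError(f"macro %{{{letter}}} is not available here")
        # Split on the given delimiters (default '.'), reverse if 'r' was
        # given, keep only the rightmost <digits> parts, rejoin with '.'.
        parts = re.split("[" + re.escape(delims or ".") + "]", value)
        if rev:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be at least 1")
            parts = parts[-int(digits):]
        out = ".".join(parts)
        # An uppercase macro letter asks for URL-encoded output (used in exp=).
        return quote(out, safe="") if letter.isupper() else out

    return _TOKEN_RE.sub(repl, text)


def query_name(expanded, max_len=253):
    """Prepare an expanded name for lookup (RFC 7208 section 7.3): drop
    leading labels until the name fits in 253 octets. A label over 63 octets
    cannot be carried by DNS at all; this example treats that as an error."""
    labels = expanded.split(".")
    while labels and len(".".join(labels)) > max_len:
        labels.pop(0)
    name = ".".join(labels)
    if any(len(label) > 63 for label in name.split(".")):
        raise ValueError("label longer than 63 octets after expansion")
    return name


if __name__ == "__main__":
    # Constructed inputs, taken from the RFC 7208 section 7.4 examples.
    ctx = dict(sender="strong-bad@email.example.com",
               domain="email.example.com", ip="192.0.2.3")
    for term in ("%{ir}.%{v}._spf.%{d2}",
                 "%{lr-}.lp._spf.%{d2}",
                 "%{ir}.%{v}.%{l1r-}.lp._spf.%{d2}"):
        print(term, "->", query_name(expand_macro(term, **ctx)))
    print(query_name(expand_macro("%{ir}.%{v}._spf.%{d2}",
                                  sender=ctx["sender"], domain=ctx["domain"],
                                  ip="2001:db8::cb01")))
```

Note that the local part and the HELO name are chosen by whoever connects, so a record such as `exists:%{l}._spf.%{d}` makes the verifier resolve a name shaped by the sender; that is one concrete form of the query-construction risk the message alludes to, and the reason the length and label checks run before the lookup rather than after.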