On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
What I mean is: a wildcard TXT (SPF) record for
*.single-wild.porcupine.org only applies to wildcarded hosts, not to
any other record explicitly defined in the single-wild.porcupine.org
zone.
Thus, when an A record for mail01-t122.raystedman.org already exists,
the *.raystedman.org TXT record will not cover it and an explicit TXT
for mail01-t122.raystedman.org must be created (I see it's been
done).
On 05.06.24 14:55, Emmanuel Fusté via Postfix-users wrote:
No, wildcards are for the defined record type.
An A record will not clobber a corresponding wildcard TXT record. These
are two separate records.
RFC 1034, section 4.3.3:
Wildcard RRs do not apply:
[...]
- When the query name or a name between the wildcard domain and
the query name is know to exist. For example, if a wildcard
RR has an owner name of "*.X", and the zone also contains RRs
attached to B.X, the wildcards would apply to queries for name
Z.X (presuming there is no explicit information for Z.X), but
not to B.X, A.B.X, or X.
RFC 4592, section 2.2.1:
*.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example.
[...]
host1.example. 3600 A 192.0.2.1
[...]
The following responses would not be synthesized from any of the
wildcards in the zone:
QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists
Simply said, "*" works only for domains that do not exist, for which
queries would return NXDOMAIN, not for anything that exists, for which
a query would return NOERROR/NODATA.
Returning to the original issue, that's why you must explicitly configure an
SPF record for every explicitly configured A, AAAA or MX record if you want
SPF to apply - wildcards don't apply there.
mail.example.com A 192.0.2.1
mail.example.com TXT "v=spf1 a -all"
- a query for mail.example.com will only return one of these
*.example.com A 192.0.2.2
*.example.com TXT "v=spf1 -all"
and/or perhaps:
*.example.com MX 0 .
- these won't be returned for mail.example.com.
But if you delete the mail.example.com TXT record, the TXT wildcard
record will be returned for mail.example.com TXT requests.
As a proof of concept I have configured this on my bind server and
observation matches what I have said.
Feel free to check at my server 195.80.174.185 (I will remove it shortly).
Does your nameserver work differently?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
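A toy resolver, added here and not part of the thread or of anyone's server configuration, that applies the RFC 1034 section 4.3.3 / RFC 4592 closest-encloser rule to a constructed example.com zone holding the records discussed above (explicit mail.example.com A/TXT beside *.example.com A/TXT/MX). Zone and function names are mine; it shows which queries the wildcard answers, which existing names get NOERROR/NODATA instead, and how the answer differs when only the explicit TXT RRset is removed versus when the whole mail.example.com name is removed.

```python
from typing import Dict, List, Optional, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]

# Constructed example zone mirroring the records discussed in the thread (no trailing dots).
ZONE: Zone = {
    "example.com": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"]},
    "mail.example.com": {"A": ["192.0.2.1"], "TXT": ['"v=spf1 a -all"']},
    "*.example.com": {"A": ["192.0.2.2"], "TXT": ['"v=spf1 -all"'], "MX": ["0 ."]},
}


def existing_names(zone: Zone) -> Set[str]:
    """Owner names plus all their ancestors: RFC 4592 counts those ancestors as
    existing 'empty non-terminals', and an existing name is never synthesized."""
    names: Set[str] = set()
    for owner in zone:
        labels = owner.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata). NOERROR with an empty list is a NODATA answer."""
    names = existing_names(zone)
    if qname in names:
        # The name exists, so wildcards do not apply (RFC 1034): answer from its own RRsets.
        return "NOERROR", zone.get(qname, {}).get(qtype, [])
    # Otherwise only the wildcard directly under the closest encloser (longest
    # existing ancestor, RFC 4592 section 3.3.1) may synthesize an answer.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:
            source = "*." + encloser
            if source in zone:
                return "NOERROR", zone[source].get(qtype, [])
            return "NXDOMAIN", []
    return "NXDOMAIN", []  # no ancestor in the zone at all


def without(zone: Zone, owner: str, rtype: Optional[str] = None) -> Zone:
    """Copy of the zone minus one RRset (rtype given) or minus the whole owner name."""
    new = {o: dict(rrs) for o, rrs in zone.items()}
    if rtype is None:
        new.pop(owner, None)
    else:
        new.get(owner, {}).pop(rtype, None)
    return new
```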