On 05/06/2024 at 15:58, Matus UHLAR - fantomas via Postfix-users wrote:
On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
What I mean is: wildcard TXT (SPF) record for
*.single-wild.porcupine.org only applies to wildcarded hosts, not to
any other record explicitly defined in single-wild.porcupine.org zone.
Thus, when an A record for mail01-t122.raystedman.org already exists,
the *.raystedman.org TXT record will not cover it and an explicit TXT
for mail01-t122.raystedman.org must be created (I see it's been done).
On 05.06.24 14:55, Emmanuel Fusté via Postfix-users wrote:
No, wildcards are for the defined record type.
An A record will not clobber a corresponding wildcard TXT record.
These are two separate records.
RFC 1034, section 4.3.3:
Wildcard RRs do not apply:
[...]
- When the query name or a name between the wildcard domain and
the query name is known to exist. For example, if a wildcard
RR has an owner name of "*.X", and the zone also contains RRs
attached to B.X, the wildcards would apply to queries for name
Z.X (presuming there is no explicit information for Z.X), but
not to B.X, A.B.X, or X.
RFC 4592, section 2.2.1:
*.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example.
[...]
host1.example. 3600 A 192.0.2.1
[...]
The following responses would not be synthesized from any of the
wildcards in the zone:
QNAME=host1.example., QTYPE=MX, QCLASS=IN
because host1.example. exists
Simply said, "*" works only for domains that do not exist (queries for
which would return NXDOMAIN), not for anything that exists (where the
query would return NOERROR/NODATA).
Returning to the original issue, that's why you must explicitly configure
an SPF record for every explicitly configured A, AAAA or MX record, if you
want SPF to apply - wildcards don't apply there.
mail.example.com A 192.0.2.1
mail.example.com TXT "v=spf1 a -all"
- a query for mail.example.com will only return one of these
*.example.com A 192.0.2.2
*.example.com TXT "v=spf1 -all"
and/or perhaps:
*.example.com MX .
- these won't be returned for mail.example.com.
But if you delete the mail.example.com TXT record, the TXT wildcard
record will be returned for mail.example.com TXT requests.
As a proof of concept I have configured this on my bind server and
observation matches what I have said.
Feel free to check at my server 195.80.174.185 (I will remove it
shortly).
Does your nameserver work differently?
Honestly, this clobbering is something that was completely out of my memory.
The only recommendation is: do not use wildcards. Always use provisioning.
One good paper on the subject:
https://www.isc.org/docs/2022-webinar-dns-wildcards.pdf
Same conclusion: avoid wildcards.
Emmanuel.
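As an added illustration (not code from either poster), the following Python script applies the RFC 1034 / RFC 4592 wildcard rules quoted above to a small constructed zone in the shape of Matus's example; the names and addresses are placeholders, and the zone contents are assumed, not taken from any real server.

```python
# Constructed zone mirroring the thread's example: an explicit host with its own
# A and SPF TXT, plus a wildcard A and a wildcard "deny everything" SPF TXT.
ZONE = {
    "example.com.":      {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"]},
    "mail.example.com.": {"A": ["192.0.2.1"], "TXT": ['"v=spf1 a -all"']},
    "*.example.com.":    {"A": ["192.0.2.2"], "TXT": ['"v=spf1 -all"']},
}

def _canon(name):
    return name.lower().rstrip(".") + "."

def name_exists(zone, name):
    """A name exists if it owns RRs or is an empty non-terminal (ancestor of an owner)."""
    name = _canon(name)
    return name in zone or any(owner.endswith("." + name) for owner in zone)

def lookup(zone, qname, qtype):
    """Return (rcode, rdata): NOERROR, NODATA (NOERROR with empty answer) or NXDOMAIN."""
    qname = _canon(qname)
    # 1. The query name exists: answer only from its own RRs. A wildcard never
    #    fills in a missing type here (RFC 4592 2.2.1: "because host1.example. exists").
    if name_exists(zone, qname):
        rdata = zone.get(qname, {}).get(qtype, [])
        return ("NOERROR" if rdata else "NODATA", rdata)
    # 2. Otherwise find the closest encloser: the nearest ancestor that exists.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            # 3. The source of synthesis is "*" directly below the closest encloser.
            #    Without it nothing is synthesised: RFC 1034's A.B.X case.
            source = "*." + ancestor
            if source not in zone:
                return ("NXDOMAIN", [])
            rdata = zone[source].get(qtype, [])
            return ("NOERROR" if rdata else "NODATA", rdata)
    return ("NXDOMAIN", [])

def drop_rr(zone, owner, rtype):
    """Copy of zone with one RRset removed (the owner name stays, so it still exists)."""
    new = {o: dict(rrs) for o, rrs in zone.items()}
    new[_canon(owner)].pop(rtype, None)
    return new

if __name__ == "__main__":
    for q in (("mail.example.com", "TXT"), ("other.example.com", "TXT"),
              ("host.mail.example.com", "TXT")):
        print(q, lookup(ZONE, *q))
    # Deleting only the explicit TXT leaves the A record, which keeps the name alive: NODATA
    print("mail TXT after delete:", lookup(drop_rr(ZONE, "mail.example.com", "TXT"), "mail.example.com", "TXT"))
```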
Postfix-users mailing list -- postfix-users@postfix.org