On Sun, Feb 23, 2020 at 06:44:34PM -0500, Mohamed Lrhazi wrote:

> record flattening is the process of replacing include, and other lookup
> generating mechanisms, with their resulting ip addresses.
> My question is how many IPs can one put in a single spf record?
>
> It appears the RFC does not touch on this, so I guess it's left to the
> implementors to decide, and from my limited tests it seems to vary a lot.
The most recent BCP recommendation for UDP DNS buffer size selection is
1232 bytes. Therefore your TXT record along with any other DNS overhead
(including any DNSSEC signatures if your domain is signed) should fit into
at most 1232 bytes. You can test with:

    dig +norecur +dnssec +novc -t txt example.com @ns1.example.com

(where ns1.example.com is replaced by a suitable authoritative server for
the domain), and see how big the response is. Some resolvers may limit DNS
responses further, and responses of 512 bytes or less are sure to be
sufficiently small.

FWIW, google seems to have comparatively small SPF text records, and even
advertises 512 bytes as the EDNS buffer size, but google.com is unsigned,
so the small UDP limit becomes more practical.

    $ dig +norecur +dnssec +novc -t txt _netblocks.google.com @ns1.google.com
    ...
    _netblocks.google.com. 3600 IN TXT "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
    ...
    ;; MSG SIZE  rcvd: 286

    $ dig +norecur +dnssec +novc -t txt _netblocks2.google.com @ns1.google.com
    ...
    _netblocks2.google.com. 3600 IN TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
    ...
    ;; MSG SIZE  rcvd: 218

-- 
    Viktor.
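As an added illustration of the sizing argument in the reply above (this is editor-supplied example code, not part of Viktor's message or any project), the script below builds a flattened SPF string from a list of CIDR blocks and estimates the UDP response size the way `dig` would report it: 12-byte header, the question, one TXT answer whose owner name is a compression pointer, and an 11-byte EDNS OPT record. It assumes an empty authority/additional section, and the RRSIG helper assumes the signer name is uncompressed per RFC 4034 with a 256-byte RSA-2048 signature; the two Google records quoted in the message serve as the constructed check data, and the estimator reproduces the 286- and 218-byte sizes shown there.

```python
"""Estimate how large a flattened SPF TXT record makes the UDP DNS response."""
from typing import Dict, List
import ipaddress

MAX_TXT_STRING = 255            # one TXT <character-string> (RFC 1035 3.3.14)
EDNS_BUFFER_RECOMMENDED = 1232  # the BCP figure cited in the reply
CLASSIC_UDP_LIMIT = 512         # pre-EDNS UDP payload limit (RFC 1035)
DNS_HEADER = 12
RR_FIXED = 2 + 2 + 4 + 2        # TYPE, CLASS, TTL, RDLENGTH
OPT_RR = 11                     # root owner (1 byte) + RR fixed fields (10)


def wire_name_len(name: str) -> int:
    """Bytes an uncompressed domain name occupies on the wire (labels + root)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def split_txt(text: str) -> List[bytes]:
    """Split TXT data into <=255-byte character-strings, as a server must."""
    data = text.encode("ascii")
    return [data[i:i + MAX_TXT_STRING] for i in range(0, len(data), MAX_TXT_STRING)]


def txt_rdata_len(text: str) -> int:
    """RDATA length: one length octet per character-string plus its bytes."""
    return sum(1 + len(chunk) for chunk in split_txt(text))


def rrsig_rr_len(signer: str, sig_bytes: int) -> int:
    """Size of one RRSIG RR covering the TXT RRset (owner as a 2-byte pointer).

    RDATA is 18 fixed bytes, the uncompressed signer name (RFC 4034 3.1.7),
    and the signature: 256 bytes for RSA-2048, 64 bytes for ECDSA P-256.
    """
    return 2 + RR_FIXED + 18 + wire_name_len(signer) + sig_bytes


def estimate_response_size(name: str, text: str, edns: bool = True,
                           rrsig_bytes: int = 0) -> int:
    """Estimate the UDP reply to `dig +norecur +dnssec +novc -t txt <name>`.

    Assumes an empty authority/additional section and that the answer's
    owner name is a compression pointer back to the question name.
    """
    question = wire_name_len(name) + 4            # QTYPE + QCLASS
    answer = 2 + RR_FIXED + txt_rdata_len(text)   # pointer + fixed + RDATA
    opt = OPT_RR if edns else 0
    return DNS_HEADER + question + answer + opt + rrsig_bytes


def build_flat_spf(networks: List[str], default: str = "~all") -> str:
    """Build a flattened SPF string from CIDR networks (constructed helper)."""
    terms = ["v=spf1"]
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        tag = "ip4" if net.version == 4 else "ip6"
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"{tag}:{net.network_address}")  # single host: SPF default length
        else:
            terms.append(f"{tag}:{net.with_prefixlen}")
    terms.append(default)
    return " ".join(terms)


def check_fit(name: str, networks: List[str], rrsig_bytes: int = 0) -> Dict[str, object]:
    """Report the estimated response size against both UDP thresholds."""
    text = build_flat_spf(networks)
    size = estimate_response_size(name, text, rrsig_bytes=rrsig_bytes)
    return {
        "spf": text,
        "size": size,
        "fits_1232": size <= EDNS_BUFFER_RECOMMENDED,
        "fits_512": size <= CLASSIC_UDP_LIMIT,
    }


# Networks copied from the _netblocks.google.com record quoted in the message.
GOOGLE_IP4 = ["35.190.247.0/24", "64.233.160.0/19", "66.102.0.0/20",
              "66.249.80.0/20", "72.14.192.0/18", "74.125.0.0/16",
              "108.177.8.0/21", "173.194.0.0/16", "209.85.128.0/17",
              "216.58.192.0/19", "216.239.32.0/19"]

if __name__ == "__main__":
    unsigned = check_fit("_netblocks.google.com", GOOGLE_IP4)
    print(unsigned["size"], unsigned["fits_512"])
    # Same record in a hypothetical signed zone: one RSA-2048 RRSIG pushes it past 512.
    signed = check_fit("_netblocks.google.com", GOOGLE_IP4,
                       rrsig_bytes=rrsig_rr_len("google.com", 256))
    print(signed["size"], signed["fits_512"], signed["fits_1232"])
```

The practical use is the `check_fit` call: feed it the record name and the flattened netblocks a mail provider publishes, add `rrsig_rr_len(...)` for the zone's signing algorithm if the zone is DNSSEC-signed, and compare the result with the 512/1232 thresholds before publishing. The same unsigned record that fits comfortably in 512 bytes no longer does once a single RSA-2048 RRSIG is attached, which is the point the reply makes about google.com being unsigned.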