On 21.10.2015 at 19:48, btb wrote:
> are spf records allowed to be a cname? e.g.: http://dpaste.com/0MR0R3C.txt
> is this explicitly addressed in an rfc?
a CNAME is always followed, hence you can't mix CNAME and other resource types, in other words: yes

otherwise you would need an SPF record for any subdomain existing as CNAME to prevent forged mail with @subdomain.example.com (a proper SPF supporting domain has an SPF record for any existing hostname) as envelope and since "CNAME and others" is not allowed - again: yes
http://www.openspf.org/FAQ/Common_mistakes#helo

[harry@srv-rhsoft:~]$ nslookup access.thelounge.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
access.thelounge.net canonical name = arrakis.thelounge.net.
Name: arrakis.thelounge.net
Address: 91.118.73.6

[harry@srv-rhsoft:~]$ dig TXT access.thelounge.net @8.8.8.8
;; ANSWER SECTION:
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN TXT "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
_______________________________________

what do i mean with "is always followed"?

well, it doesn't matter for which resource type you ask, first the CNAME is resolved and the second DNS request then asks that name for the record type (in case the CNAME points to a different domain not hosted on the same nameserver it's the client's job to do so because the origin server won't allow recursion if it is properly configured)

[harry@srv-rhsoft:~]$ dig SPF access.thelounge.net @8.8.8.8
;; ANSWER SECTION:
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

[harry@srv-rhsoft:~]$ dig SPF www.rhsoft.net @8.8.8.8
;; ANSWER SECTION:
www.rhsoft.net. 21599 IN CNAME proxy.thelounge.net.
proxy.thelounge.net. 21599 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
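
Added example, not part of the original message: a small Python sketch of the lookup behaviour described in the reply above, run over the dig answer section quoted there. It chases the CNAME before reading the SPF policy and lints a record set for the "CNAME and other data" conflict; the function names are hypothetical, and the RFC references in the comments are added here, not taken from the thread.

```python
import shlex

# Answer-section lines copied from the dig TXT output in the message above.
ANSWER = '''
access.thelounge.net. 21599 IN CNAME arrakis.thelounge.net.
arrakis.thelounge.net. 21599 IN TXT "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
'''

def parse(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "TXT":
            rdata = "".join(shlex.split(rdata))  # join quoted character-strings
        records.append((name.lower(), rtype, rdata))
    return records

def spf_policy(records, qname, max_hops=8):
    """Follow CNAMEs from qname, then return (final_owner, policy_or_None)."""
    name = qname.lower().rstrip(".") + "."
    for _ in range(max_hops):  # bounded, so a CNAME loop cannot spin forever
        target = [d for n, t, d in records if n == name and t == "CNAME"]
        if not target:
            break
        name = target[0].lower()
    else:
        raise ValueError("CNAME chain too long or looping")
    spf = [d for n, t, d in records if n == name and t == "TXT"
           and (d == "v=spf1" or d.lower().startswith("v=spf1 "))]
    if len(spf) > 1:  # RFC 7208 section 4.5: more than one record is an error
        raise ValueError("multiple SPF records at " + name)
    return name, (spf[0] if spf else None)

def cname_conflicts(records):
    """Owner names holding a CNAME plus other data (RFC 1034 section 3.6.2)."""
    types = {}
    for n, t, _ in records:
        types.setdefault(n, set()).add(t)
    # DNSSEC RRSIG/NSEC records are the permitted exception beside a CNAME.
    return sorted(n for n, ts in types.items()
                  if "CNAME" in ts and ts - {"CNAME", "RRSIG", "NSEC"})

if __name__ == "__main__":
    recs = parse(ANSWER)
    print(spf_policy(recs, "access.thelounge.net"))
    print(cname_conflicts(recs))
```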