check-names conflicts with SPF macro definition


Daniel Stirnimann
Hello all,

I changed SPF for switch.ch to use SPF macros (RFC 7208). I wanted to
use the "_spf" label but bind9 check-names complained with a "bad owner
name (check-names)" message.

I have now used "spf" instead of "_spf", e.g. exists:%{ir}.spf.switch.ch

I didn't want to disable check-names for switch.ch because of this
conflict. However, SPF record publishing is generally recommended to use
the "_spf" subdomain which is not possible in this case.

I guess, the only alternative would have been to make "_spf.switch.ch"
its own zone and set check-names for this zone statement to "ignore". Or
would this be a good reason to loosen the check-names rules in bind9?

Thanks,
Daniel
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: check-names conflicts with SPF macro definition

Mark Andrews
SPF records are TXT records, which are NOT subject to check-names processing.

If you created a separate zone, use nameservers that DO NOT live within the zone.
ns1._spf.switch.ch is NOT a legal hostname as it is not LDH.

> On 4 Jan 2021, at 20:01, Daniel Stirnimann <[hidden email]> wrote:
>
> Hello all,
>
> I changed SPF for switch.ch to use SPF macros (RFC 7208). I wanted to
> use the "_spf" label but bind9 check-names complained with a "bad owner
> name (check-names)" message.
>
> I have now used "spf" instead of "_spf", e.g. exists:%{ir}.spf.switch.ch
>
> I didn't want to disable check-names for switch.ch because of this
> conflict. However, SPF record publishing is generally recommended to use
> the "_spf" subdomain which is not possible in this case.
>
> I guess, the only alternative would have been to make "_spf.switch.ch"
> its own zone and set check-names for this zone statement to "ignore". Or
> would this be a good reason to loosen the check-names rules in bind9?
>
> Thanks,
> Daniel

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]

Re: check-names conflicts with SPF macro definition

Daniel Stirnimann
Hello Mark,

the "exists" [1] macro results in A queries and the zone contains A
records. That's why the check-names processing applied.

Thanks for the hint regarding the nameserver hostnames.

Daniel

[1] https://tools.ietf.org/html/rfc7208#section-5.7

On 04.01.21 10:33, Mark Andrews wrote:

> SPF records are TXT records, which are NOT subject to check-names processing.
>
> If you created a separate zone, use nameservers that DO NOT live within the zone.
> ns1._spf.switch.ch is NOT a legal hostname as it is not LDH.
>
>> On 4 Jan 2021, at 20:01, Daniel Stirnimann <[hidden email]> wrote:
>>
>> Hello all,
>>
>> I changed SPF for switch.ch to use SPF macros (RFC 7208). I wanted to
>> use the "_spf" label but bind9 check-names complained with a "bad owner
>> name (check-names)" message.
>>
>> I have now used "spf" instead of "_spf", e.g. exists:%{ir}.spf.switch.ch
>>
>> I didn't want to disable check-names for switch.ch because of this
>> conflict. However, SPF record publishing is generally recommended to use
>> the "_spf" subdomain which is not possible in this case.
>>
>> I guess, the only alternative would have been to make "_spf.switch.ch"
>> its own zone and set check-names for this zone statement to "ignore". Or
>> would this be a good reason to loosen the check-names rules in bind9?
>>
>> Thanks,
>> Daniel
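
The interaction discussed in this thread, as an added example that is not part of the original messages: it expands `exists:%{ir}.<suffix>` for a sender address and tests the resulting A-record owner name against a letter-digit-hyphen rule. The function names are hypothetical, the LDH test is a simplified approximation of a host-name check rather than BIND's own code, and the sender address is a constructed sample.

```python
import ipaddress
import string

# Record types whose owner names BIND 9 check-names treats as host names.
HOST_OWNER_TYPES = {"A", "AAAA", "MX"}
_ALNUM = set(string.ascii_letters + string.digits)


def expand_ir(ip: str) -> str:
    """Expand the SPF macro %{ir} (RFC 7208 section 7): sender IP, reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = str(addr).split(".")
    else:
        # IPv6 expands to dot-separated nibbles before reversal.
        parts = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(parts))


def exists_target(ip: str, suffix: str) -> str:
    """Name a receiver queries (type A) for the mechanism exists:%{ir}.<suffix>."""
    return f"{expand_ir(ip)}.{suffix}"


def is_ldh_hostname(name: str) -> bool:
    """Simplified check: every label is letters, digits or interior hyphens."""
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            return False
        if label[0] not in _ALNUM or label[-1] not in _ALNUM:
            return False
        if any(c not in _ALNUM and c != "-" for c in label):
            return False
    return True


def check_names_would_flag(owner: str, rrtype: str) -> bool:
    """True when the owner name is host-checked for this type and is not LDH."""
    return rrtype.upper() in HOST_OWNER_TYPES and not is_ldh_hostname(owner)


if __name__ == "__main__":
    sender = "192.0.2.1"  # constructed sample address (documentation range)
    for suffix in ("_spf.switch.ch", "spf.switch.ch"):
        owner = exists_target(sender, suffix)
        for rrtype in ("A", "TXT"):
            verdict = "flagged" if check_names_would_flag(owner, rrtype) else "ok"
            print(f"{owner:32} {rrtype:4} {verdict}")
```

The same owner name passes as a TXT record and fails as an A record, which is why the SPF TXT record itself is unaffected while the A records answering the `exists` lookups are not.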