Ironically, I always wondered why I was told not to publish SPF records, since it did make more sense to have both, and slowly remove the TXT records later. Thanks for the heads up… What do you think really is best practice now? Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300
On Sep 15, 2016, at 7:30 PM, Mark Andrews <marka@isc.org> wrote:
So your helpdesks don't get problem reports when people can't look up domain names? Recursive DNS vendors don't get bug reports when domain names can't be looked up. We don't get fixes developed because there are too many broken servers out there.
Because some servers don't answer EDNS requests this leads to false positives on servers not support EDNS when they do. This in turn leads to DNSSEC validation failures as you don't get DNSSEC answers without EDNS.
IPv6 deployment was put back years because AAAA DNS lookups got wrong answers.
DANE deployment is slow because DNS servers give bad answers to _<port>._tcp.<server-name>/TLSA.
Then there is SPF. A fare portion of the reason why the SPF record failed, despite it being architectually cleaner than using TXT records, is that some nameservers gave bad responses to SPF queries.
I could go find more examples of the cost of non DNS protocol compliance. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org <mailto:marka@isc.org>