When trying to construct a long SPF record in the form:

example.com.               86400  IN  TXT  "v=spf1 ip4:1.2.3.0/24 include:example.net include:_my_whitelist.example.com -all"
_my_whitelist.example.com. 86400  IN  TXT  "v=spf1 ip4:... " " ip4:..."

... such that the whitelist record is longer than 255 bytes. I understand that this is a valid way to construct longer DNS responses (http://www.openspf.org/RFC_4408#multiple-strings says they should be concatenated together and treated as one) and some resolvers are happy with this. Some, however, fail to resolve - for instance Ubuntu 18.04's resolver which claims there's no TXT record present.

This exhibits when using the host command as:

$ host -t txt _my_whitelist.example.com
_my_whitelist.example.com has no TXT record
  1. Is this a bug in Ubuntu/systemd?
  2. Is there a better way to construct a long TXT/SPF record?
Patrick Mevzek
foo

1 Answer

Two possible issues seem to have come to light:

  1. Slightly broken DNS record (too long?)
  2. Ubuntu's systemd DNS resolver not being very nice

The DNS records we'd created were split on the 255 byte boundary. Dropping this to 248 bytes seems to have fixed the issues.

The Ubuntu resolver has expected behaviour where it doesn't offer a local TCP resolution service by default so host falling back to TCP to do the lookup was failing -- I think! https://github.com/systemd/systemd/issues/6520

foo
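As an added example (not code from the question or the answer above), here is a small Python helper for the record layout discussed in both: it splits a long SPF value into zone-file strings of at most 248 bytes, cutting only between SPF terms, reassembles them the way RFC 4408 says a resolver must, and flags any single string over the 255-byte limit. The function names, the _quote helper and the constructed SAMPLE record are my own assumptions.

```python
# Added example, not code from the question or answer above.
MAX_STRING_LEN = 255  # hard limit of one DNS <character-string> (RFC 1035)

def split_txt(value: str, max_len: int = 248) -> list:
    """Split a TXT value into strings of at most max_len bytes, cutting
    after a space where possible so an SPF term is never broken in two."""
    if not 0 < max_len <= MAX_STRING_LEN:
        raise ValueError("max_len must be between 1 and 255")
    data = value.encode("ascii")  # SPF records are plain ASCII
    pieces = []
    while data:
        if len(data) <= max_len:
            pieces.append(data)
            break
        idx = data.rfind(b" ", 0, max_len)     # last space inside the limit
        cut = idx + 1 if idx > 0 else max_len  # no space: cut mid-token
        pieces.append(data[:cut])
        data = data[cut:]
    return [p.decode("ascii") for p in pieces]

def join_txt(strings) -> str:
    """Reassemble the strings of one TXT RR as RFC 4408 3.1.3 requires."""
    return "".join(strings)

def _quote(s: str) -> str:
    """Quote one string for a zone file, escaping backslash and quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def zone_record(name, value, ttl=86400, max_len=248) -> str:
    """Render value as one TXT RR made of several quoted strings."""
    strings = " ".join(_quote(p) for p in split_txt(value, max_len))
    return f"{name} {ttl} IN TXT {strings}"

def check_record(strings) -> list:
    """Return the problems found in a TXT RR's strings (empty if OK)."""
    problems = []
    for i, s in enumerate(strings):
        n = len(s.encode("ascii"))
        if n > MAX_STRING_LEN:
            problems.append(f"string {i} is {n} bytes, over {MAX_STRING_LEN}")
    if not join_txt(strings).startswith("v=spf1"):
        problems.append("joined value does not start with v=spf1")
    return problems

# Constructed sample: a whitelist far longer than one 255-byte string.
SAMPLE = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}/32" for i in range(40)) + " -all"
print(zone_record("_my_whitelist.example.com.", SAMPLE))
print(check_record(split_txt(SAMPLE)) or "record OK")
```

Feeding the strings returned by a real lookup (e.g. each quoted string host prints) into check_record shows whether any single string exceeds 255 bytes, which is the limit the answer worked around by splitting at 248.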