13 Commits

Author SHA1 Message Date
Jan Schaumann e00198f9f0 pretty-print large numbers with thousands-separator 2024-03-11 23:00:47 -04:00
Jan Schaumann f2c9ce42a3 put /usr/local shebang back - this is what the Makefile keys on to update the path 2024-02-07 09:52:04 -05:00
Randolf Richardson 張文道 05a59ee9fc Update spf.pl
Additional changes based on suggestions by @jschauma after code review
2024-02-06 22:52:10 -08:00
Randolf Richardson 張文道 730c6ec7f6 Update spf.pl 2024-02-04 06:52:01 -08:00
Randolf Richardson 張文道 0db43d7e32 Added new features to spf.pl 2024-02-04 06:32:03 -08:00
Jan Schaumann 200b7db5a8 allow the user to specify resolvers by name
This addresses https://github.com/jschauma/spf/issues/4 and allows
'spf -r 2620:fe::fe' as well as 'spf -r dns.quad9.net'.

This of course means that we need to use the local default resolver
to resolve the given name before we then use the IP addresses of
the given resolver.
2023-05-04 17:46:47 -04:00
Jan Schaumann 8e4c1ec9e4 don't count MX result lookups against the DNS lookup limit
Counterintuitively, the lookups performed to turn the MX lookup results
into IP addresses are _not_ counted towards the total DNS lookup
limit.

See https://mailarchive.ietf.org/arch/msg/spfbis/AFvCBHV_QkaifWJpVaA6FCg_VT8/
for a discussion.
2023-01-16 12:27:21 -05:00
Jan Schaumann 70efecde81 switch to using $rr->txtdata to accommodate older versions of Net::DNS
On certain older versions of Net::DNS, larger DNS records are returned using

( "data"
  "data )

_with_ the parentheses; using $rr->rdstring would then lead to a string
that won't match our regex.  Instead, use $rr->txtdata after ensuring
we are dealing with a TXT record.

Reported by Amier Saleh
2022-09-27 16:09:38 -04:00
Jan Schaumann 2fe865ceb0 more accurately count IPs from CIDRs and other expansions
Previously, we simply counted all IPs plus the sizes of all CIDRs
we encountered.  However, it's possible for some of the IPs to
be within a CIDR, or for there to be overlapping CIDRs.

With this commit, we now laboriously keep track of all CIDRs,
add individual IPs as /32 or /128 CIDRs, and then dedupe the
CIDRs before counting the total IPs.

Yes, this is a whole lot of change for something that rarely
happens.
2022-09-06 23:47:57 -04:00
Jan Schaumann 63ecf7b547 add usage statement
cidrs are stored in a variable called cidrs, not ips
2022-09-02 17:17:43 -04:00
Jan Schaumann f3e3aa9ec0 add '-p' option to pass a policy to expand 2022-09-02 17:09:25 -04:00
Jan Schaumann 4812afe6ae match "a:domain/v4cidr//v6dir" correctly
RFC7208 does indeed appear to mandate a double slash, and miscellaneous
online validators expect it, suggesting that whether this was the intention
or not, we want to match only the following:

a
a:domain
a:domain/v4cidr
a:domain/v4cidr//v6cidr
a:domain//v6cidr
a/v4cidr
a/v4cidr//v6cidr
a//v6cidr

(and likewise for mx).
2022-08-31 17:24:04 -04:00
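
The eight accepted forms listed in the commit above follow from the RFC 7208 grammar, where the IPv6 prefix length is introduced by its own "/" after an optional "/v4cidr". The following is an added example, not code from spf.pl (which is Perl); the regex, the function name parse_a_mx and the sample terms are constructed for illustration, and it assumes the domain part contains no "/" (no macro expansion).

```python
import re

# Illustrative pattern, not the one used in spf.pl.
# [qualifier] a|mx [:domain] [/v4cidr] [//v6cidr]
A_MX = re.compile(
    r"""^(?P<qualifier>[+\-~?])?
        (?P<mech>a|mx)
        (?::(?P<domain>[^/\s]+))?
        (?:/(?P<v4>0|[1-9][0-9]?))?
        (?://(?P<v6>0|[1-9][0-9]{0,2}))?$""",
    re.VERBOSE | re.IGNORECASE,
)


def parse_a_mx(term, current_domain):
    """Return the parsed a/mx mechanism, or None if the term is not valid."""
    m = A_MX.match(term)
    if m is None:
        return None
    # Missing prefix lengths default to a single host (/32 and /128).
    v4 = int(m.group("v4")) if m.group("v4") is not None else 32
    v6 = int(m.group("v6")) if m.group("v6") is not None else 128
    if v4 > 32 or v6 > 128:
        return None
    return {
        "mech": m.group("mech").lower(),
        # Without ":domain" the mechanism applies to the domain being checked.
        "domain": m.group("domain") or current_domain,
        "v4": v4,
        "v6": v6,
    }


if __name__ == "__main__":
    # Constructed sample terms: the first four are valid, the rest are not.
    samples = ["a", "mx:mail.example.org/24//64", "a//64", "a/24",
               "a:example.org/24/64",   # single slash before the v6 length
               "a/33",                  # v4 prefix length out of range
               "all"]                   # a different mechanism
    for term in samples:
        print(f"{term:30} -> {parse_a_mx(term, 'example.com')}")
```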
Jan Schaumann 6f8fcff364 Initial import of the 'spf' utility.
See https://www.netmeister.org/blog/spf.html for a longer discussion.

NAME
     spf - report on the given domain's use of SPF

SYNOPSIS
     spf [-Vhjv] [-r address] domain

DESCRIPTION
     The spf tool allows you to inspect the Sender Policy Framework DNS records
     for the given domain.

OPTIONS
     The following options are supported by spf:

     -V		 Print version information and exit.

     -h		 Display help and exit.

     -j		 Generate output in json format.

     -r address	 Explicitly query this resolver.

     -v		 Be verbose.  Can be specified multiple times.

DETAILS
     The Sender Policy Framework (SPF) defined in RFC7208 specifies the format
     for the SPF DNS entries a domain may choose to apply.  These entries can
     range from the straightforward to the complex, harboring certain surprises
     or unintentionally obscuring important information, such as when one domain
     includes the SPF records of another domain.

     spf can be used to report on the comprehensive ruleset derived from the DNS
     record.  It does that by counting CIDRs, resolving e.g., MX records, and
     recursively looking up SPF records of any included domains.

EXAMPLES
     The following examples illustrate common usage of this tool.

     To report on the SPF records for the domain netmeister.org:

	   spf netmeister.org

     To query Quad9's public resolver for the same SPF records and report the
     results in json format:

	   spf -r 2620:fe::fe -j netmeister.org

EXIT STATUS
     The spf utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     dig(1)

HISTORY
     spf was originally written by Jan Schaumann <jschauma@netmeister.org> in
     July 2022.

BUGS
     Please file bugs and feature requests by emailing the author.
2022-08-30 18:25:43 -04:00