Re: [dnsext] loads of TXT records for fun and profit

Phil Pennock <namedroppers+phil@spodhuis.org> Fri, 03 May 2013 23:31 UTC

From: Phil Pennock <namedroppers+phil@spodhuis.org>
To: David Conrad <drc@virtualized.org>
Message-ID: <20130503203921.GA22566.take2@redoubt.spodhuis.org>
In-Reply-To: <D00A1E79-40F2-4EFF-975C-8618C7AC750A@virtualized.org>
Date: Fri, 03 May 2013 23:29:55 +0000
Cc: dnsext@ietf.org
Subject: Re: [dnsext] loads of TXT records for fun and profit

If folks can read this message, then it appears that my posting problems are
caused by the IETF mail-system silently discarding mail with a BATV/PRVS
sender.  Reposting with that disabled.

On 2013-05-03 at 08:59 -0700, David Conrad wrote:
> Not really. The ABNF of SPF does not take into account the order of
> RRs within an RRset is not guaranteed. The "v=spf1" version
> discriminator does not prefix each "term", it only prefixes a "record"
> and SPF terms can be split over multiple TXT records.

That is not my understanding as a reader of RFC4408 and as someone who
worked with the coder (and documented the results) for the handling of
TXT records in a widespread MTA to be as flexible as possible and to
support SPF-style lookups.  (Exim, ${dnsdb...} stuff, used in some
minimal setups when libspf2 is not used.)

SPF can be split over multiple strings within a single TXT record but
cannot be split over multiple RRs of type TXT.

RFC 4408:
----------------------------8< cut here >8------------------------------
3.  SPF Records

   An SPF record is a DNS Resource Record (RR) that declares which hosts
   are, and are not, authorized to use a domain name for the "HELO" and
   "MAIL FROM" identities.  Loosely, the record partitions all hosts
   into permitted and not-permitted sets (though some hosts might fall
   into neither category).
[...]
3.1.2.  Multiple DNS Records

   A domain name MUST NOT have multiple records that would cause an
   authorization check to select more than one record.  See Section 4.5
   for the selection rules.

3.1.3.  Multiple Strings in a Single DNS record
[...]
4.5.  Selecting Records

   Records begin with a version section:

   record           = version terms *SP
   version          = "v=spf1"

   Starting with the set of records that were returned by the lookup,
   record selection proceeds in two steps:

   1. Records that do not begin with a version section of exactly
      "v=spf1" are discarded.  Note that the version section is
      terminated either by an SP character or the end of the record.  A
      record with a version section of "v=spf10" does not match and must
      be discarded.

   2. If any records of type SPF are in the set, then all records of
      type TXT are discarded.

   After the above steps, there should be exactly one record remaining
   and evaluation can proceed.  If there are two or more records
   remaining, then check_host() exits immediately with the result of
   "PermError".

   If no matching records are returned, an SPF client MUST assume that
   the domain makes no SPF declarations.  SPF processing MUST stop and
   return "None".
----------------------------8< cut here >8------------------------------
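The selection rules quoted above, worked through in code. This is an added example, not code from the original message, from Exim or from libspf2; it models a DNS answer as a list of (rrtype, character-strings) pairs and the sample RRsets are constructed for illustration, not taken from any real zone. It shows the distinction the reply draws: the strings of one TXT RR are joined into a single record (3.1.3), while two TXT RRs that each start with "v=spf1" are two records and yield PermError (4.5). The `order_independent` helper additionally checks every ordering of the RRset, since DNS does not guarantee RR order.

```python
"""Added example: SPF record selection as described in RFC 4408 section 4.5.

A DNS answer is modelled as a list of (rrtype, strings) pairs, where
'strings' is the list of <character-string>s carried by one TXT/SPF RR.
The sample RRsets below are constructed for illustration, not captured
from any real zone.
"""
from itertools import permutations
from typing import List, Optional, Sequence, Tuple

RR = Tuple[str, Sequence[bytes]]   # (rrtype, character-strings of one RR)


def join_strings(strings: Sequence[bytes]) -> str:
    """RFC 4408 3.1.3: the character-strings of a single RR are
    concatenated, without intervening spaces, to form one record."""
    return b"".join(strings).decode("ascii", errors="replace")


def has_spf1_version(record: str) -> bool:
    """Step 1 of 4.5: the version section must be exactly "v=spf1",
    terminated by SP or by the end of the record ("v=spf10" fails)."""
    return record == "v=spf1" or record.startswith("v=spf1 ")


def select_spf_record(rrs: Sequence[RR]) -> Tuple[str, Optional[str]]:
    """Apply the 4.5 selection rules to the RRs returned for one name.

    Returns ("None", None) if no record matches, ("PermError", None)
    if more than one record survives, else ("ok", record).
    """
    # Every RR is a separate candidate record; the strings of one RR are
    # joined, but distinct RRs are never joined with each other.
    candidates: List[Tuple[str, str]] = []
    for rrtype, strings in rrs:
        if rrtype not in ("TXT", "SPF"):
            continue
        record = join_strings(strings)
        if has_spf1_version(record):           # step 1
            candidates.append((rrtype, record))

    # Step 2: if any type-SPF record survived, drop all TXT records.
    if any(rrtype == "SPF" for rrtype, _ in candidates):
        candidates = [c for c in candidates if c[0] == "SPF"]

    if not candidates:
        return ("None", None)
    if len(candidates) > 1:
        return ("PermError", None)
    return ("ok", candidates[0][1])


def order_independent(rrs: Sequence[RR]) -> bool:
    """True if selection gives the same result for every ordering of the
    RRset; DNS does not promise any order, so this must always hold."""
    expected = select_spf_record(rrs)
    return all(select_spf_record(p) == expected for p in permutations(rrs))


# Constructed sample answers (not real zone data).
SPLIT_STRINGS: List[RR] = [                 # one RR, two strings: allowed
    ("TXT", [b"v=spf1 ip4:192.0.2.0/24 ", b"include:_spf.example.net -all"]),
    ("TXT", [b"some-site-verification=abc123"]),
]
SPLIT_RRS: List[RR] = [                     # terms spread over two RRs: PermError
    ("TXT", [b"v=spf1 ip4:192.0.2.0/24"]),
    ("TXT", [b"v=spf1 include:_spf.example.net -all"]),
]
BAD_VERSION: List[RR] = [                   # "v=spf10" is discarded
    ("TXT", [b"v=spf10 -all"]),
    ("TXT", [b"v=spf1 -all"]),
]
SPF_AND_TXT: List[RR] = [                   # type SPF takes precedence
    ("TXT", [b"v=spf1 ip4:192.0.2.1 -all"]),
    ("SPF", [b"v=spf1 ip4:198.51.100.1 -all"]),
]
NO_SPF: List[RR] = [("TXT", [b"some-site-verification=abc123"])]


if __name__ == "__main__":
    for name, rrs in [("split strings", SPLIT_STRINGS), ("split RRs", SPLIT_RRS),
                      ("bad version", BAD_VERSION), ("SPF and TXT", SPF_AND_TXT),
                      ("no SPF", NO_SPF)]:
        status, record = select_spf_record(rrs)
        print(f"{name:14s} -> {status:9s} {record!r}  order-independent={order_independent(rrs)}")
```

Note that the version check is deliberately a string-prefix test, not a regular expression over the whole record: a record must begin with the version section, and anything after "v=spf1" must be a SP or the end of the record for the version to match.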