Re: [dnsext] loads of TXT records for fun and profit
Phil Pennock <namedroppers+phil@spodhuis.org> Fri, 03 May 2013 23:31 UTC
Return-Path: <namedroppers+phil@spodhuis.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2EC121F8EB1 for <dnsext@ietfa.amsl.com>; Fri, 3 May 2013 16:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.729
X-Spam-Level: **
X-Spam-Status: No, score=2.729 tagged_above=-999 required=5 tests=[AWL=5.329, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZUDZbTDnY31I for <dnsext@ietfa.amsl.com>; Fri, 3 May 2013 16:31:12 -0700 (PDT)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) by ietfa.amsl.com (Postfix) with ESMTP id D964B21F8681 for <dnsext@ietf.org>; Fri, 3 May 2013 16:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201210; h=Date:In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From; bh=bqIjgw2gVrUap9nWB8lvmojQAdOk9j1J24RCiOKb2f0=; b=fM4EEz/0FxokOX9Cf4XRg88uTPud5qtXmArSZ8/sG7y0iZLRXBNMFVyXjlD+AIm3gqGBUb8KEzuz4+chZWUL4uDHdMPfHmB+l8wsjXtpDi/0uraZynqfRrEQqCj098FGmQBSfUqqPsN0CLTNWbw8niXnmgxO1J2NJuqnMu3wd90=;
Received: from [::1] (port=56429 helo=localhost) (helo=localhost) by smtp.spodhuis.org with esmtp id 1UYPPu-0006OC-4A; Fri, 03 May 2013 23:31:11 +0000
From: Phil Pennock <namedroppers+phil@spodhuis.org>
To: David Conrad <drc@virtualized.org>
Message-ID: <20130503203921.GA22566.take2@redoubt.spodhuis.org>
References: <20130425013317.36729.qmail@joyce.lan> <80ADB3EE-17FD-4628-B818-801CB71BCBFE@virtualized.org> <alpine.BSF.2.00.1304242309150.38677@joyce.lan> <46778ED3-35A2-44B4-BE3C-AAC4F7B314FF@virtualized.org> <92BBD83F-676D-4B05-B927-4101DD5CAD3E@neustar.biz> <DC121025-A014-492B-AFAD-22CDE49D866E@rfc1035.com> <CAMm+Lwi4MAjX8BAk_ro9usf6AJo=1UERhGBJ1rUa-AbrX09dqg@mail.gmail.com> <E5E3F801-6490-48A8-A12F-A6561893D78A@icsi.berkeley.edu> <D00A1E79-40F2-4EFF-975C-8618C7AC750A@virtualized.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <D00A1E79-40F2-4EFF-975C-8618C7AC750A@virtualized.org>
Date: Fri, 03 May 2013 23:29:55 +0000
Cc: dnsext@ietf.org
Subject: Re: [dnsext] loads of TXT records for fun and profit
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2013 23:31:12 -0000
If folks can read this message, then it appears that my posting problems are caused by the IETF mail-system silently discarding mail with a BATV/PRVS sender. Reposting with that disabled. On 2013-05-03 at 08:59 -0700, David Conrad wrote: > Not really. The ABNF of SPF does not take into account the order of > RRs within an RRset is not guaranteed. The "v=spf1" version > discriminator does not prefix each "term", it only prefixes a "record" > and SPF terms can be split over multiple TXT records. That is not my understanding as a reader of RFC4408 and as someone who worked with the coder (and documented the results) for the handling of TXT records in a widespread MTA to be as flexible as possible and to support SPF-style lookups. (Exim, ${dnsdb...} stuff, used in some minimal setups when libspf2 is not used.) SPF can be split over multiple strings within a single TXT record but can not be split over multiple RR of type TXT. RFC 4408: ----------------------------8< cut here >8------------------------------ 3. SPF Records An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category). [...] 3.1.2. Multiple DNS Records A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record. See Section 4.5 for the selection rules. 3.1.3. Multiple Strings in a Single DNS record [...] 4.5. Selecting Records Records begin with a version section: record = version terms *SP version = "v=spf1" Starting with the set of records that were returned by the lookup, record selection proceeds in two steps: 1. Records that do not begin with a version section of exactly "v=spf1" are discarded. Note that the version section is terminated either by an SP character or the end of the record. A record with a version section of "v=spf10" does not match and must be discarded. 2. If any records of type SPF are in the set, then all records of type TXT are discarded. After the above steps, there should be exactly one record remaining and evaluation can proceed. If there are two or more records remaining, then check_host() exits immediately with the result of "PermError". If no matching records are returned, an SPF client MUST assume that the domain makes no SPF declarations. SPF processing MUST stop and return "None". ----------------------------8< cut here >8------------------------------
- Re: [dnsext] Obsoleting SPF RRTYPE Masataka Ohta
- [dnsext] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Masataka Ohta
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Måns Nilsson
- Re: [dnsext] Obsoleting SPF RRTYPE and deprecate … Douglas Otis
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Dave Lawrence
- Re: [dnsext] Obsoleting SPF RRTYPE Paul Hoffman
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Måns Nilsson
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Paul Hoffman
- Re: [dnsext] Obsoleting SPF RRTYPE Jim Reid
- Re: [dnsext] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dotzero
- Re: [dnsext] Obsoleting SPF RRTYPE Joe Abley
- Re: [dnsext] Obsoleting SPF RRTYPE Joe Abley
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Noel David Torres Taño
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Nicholas Weaver
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Nicholas Weaver
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Barry Leiba
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] Obsoleting SPF RRTYPE Havard Eidnes
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Noel David Torres Taño
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Scott Kitterman
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Scott Kitterman
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE Edward Lewis
- [dnsext] loads of TXT records for fun and profit Jim Reid
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Nicholas Weaver
- Re: [dnsext] loads of TXT records for fun and pro… Mark Andrews
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Ted Lemon
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Joe Abley
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- [dnsext] SPF, a cautionary tale John Levine
- Re: [dnsext] loads of TXT records for fun and pro… Nicholas Weaver
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… Doug Barton
- Re: [dnsext] loads of TXT records for fun and pro… Murray S. Kucherawy
- Re: [dnsext] loads of TXT records for fun and pro… Doug Barton
- Re: [dnsext] loads of TXT records for fun and pro… Phil Pennock
- Re: [dnsext] loads of TXT records for fun and pro… Phil Pennock
- Re: [dnsext] loads of TXT records for fun and pro… John Levine
- Re: [dnsext] loads of TXT records for fun and pro… David Miller
- Re: [dnsext] loads of TXT records for fun and pro… John Levine
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale John R Levine
- Re: [dnsext] SPF, a cautionary tale Douglas Otis
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Douglas Otis
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Doug Barton
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Phillip Hallam-Baker
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] loads of TXT records for fun and pro… Florian Weimer