Re: [dnsext] SPF, a cautionary tale

Mark Andrews <marka@isc.org> Tue, 07 May 2013 14:45 UTC

To: "Murray S. Kucherawy" <superuser@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <8D23D4052ABE7A4490E77B1A012B63077516EA82@mbx-01.win.nominum.com> <20130503171843.39672.qmail@joyce.lan> <20130504133312.GA27772@vacation.karoshi.com.> <alpine.BSF.2.00.1305041103360.8602@joyce.lan> <20130505012216.GA29079@vacation.karoshi.com.> <alpine.BSF.2.00.1305042223280.10848@joyce.lan> <20130505032549.GA30757@vacation.karoshi.com.> <alpine.BSF.2.00.1305042327490.11044@joyce.lan> <20130505085348.GA6061@vacation.karoshi.com.> <20130505110635.0D83433E9BFC@drugs.dv.isc.org> <CAL0qLwa-fWyB2NtVdMu02-iz8ZWnYo3+PJ4qFtxYeWe=KQtiwA@mail.gmail.com> <20130506011236.A1AD633EB06B@drugs.dv.isc.org> <CAL0qLwaiL64XLxyKX2i94NAfAvMOqJwfdL3R9oB01FxJ=VEEsg@mail.gmail.com>
In-reply-to: Your message of "Mon, 06 May 2013 01:31:16 -0700." <CAL0qLwaiL64XLxyKX2i94NAfAvMOqJwfdL3R9oB01FxJ=VEEsg@mail.gmail.com>
Date: Wed, 08 May 2013 00:44:16 +1000
Message-Id: <20130507144416.BEB2D33F8406@drugs.dv.isc.org>
Cc: bmanning@vacation.karoshi.com, "dnsext@ietf.org Group" <dnsext@ietf.org>
Subject: Re: [dnsext] SPF, a cautionary tale

In message <CAL0qLwaiL64XLxyKX2i94NAfAvMOqJwfdL3R9oB01FxJ=VEEsg@mail.gmail.com>, "Murray S. Kucherawy" writes:
> On Sun, May 5, 2013 at 6:12 PM, Mark Andrews <marka@isc.org> wrote:
> 
> > And RFC6686 is biased as it uses the Alexa top X, which is known to
> > use more load balancers that are often not RFC 103[45] compliant
> > name servers.  They don't do negative answers properly.  Fixing one
> > set of nameservers in the Alexa top X can drastically change the
> > numbers, as many domains in the Alexa top X are served by identical
> > sets of name servers.
> >
> 
> 1) I think you're supporting RFC6686's conclusions there.
> 
> 2) There was more than just the Alexa survey in RFC6686.
> 
> -MSK

As far as I can see there is nothing in it with respect to failure
rates, and SPF sites using type SPF are approaching 8%, which is a
significant increase (2x) since the RFC6686 surveys.

TXT: 22157 NOERROR, 2777 NXDOMAIN, 645 SERVFAIL, 9289 v=spf1
SPF: 22068 NOERROR, 2774 NXDOMAIN, 737 SERVFAIL,  730 v=spf1

                                 CASE1  CASE2  CASE3
 8614  txt only    33.7%  92.2%  96.8%  96.6%  95.2%
   55  spf only     0.2%   0.6%
  675  txt + spf    2.6%   7.2%
       have spf            7.8%   3.2%   3.4%   4.8%

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
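The tallying behind the counts and table above, as an added example that is not part of Mark's message or of any survey tooling: each domain is probed once for TXT and once for type SPF (type 99), responses are classified by where a v=spf1 record was found, and the two percentage columns (share of all probed domains, share of SPF publishers) are derived. The response data is constructed, and the rcode names are assumed to be the ones the tally reports.

```python
from collections import Counter

# Constructed responses (not survey data): domain -> {qtype: (rcode, text strings)}.
# "SPF" is the type-99 query; rcode names follow the tally in the message.
SAMPLE = {
    "a.example": {"TXT": ("NOERROR", ["v=spf1 -all"]), "SPF": ("NOERROR", [])},
    "b.example": {"TXT": ("NOERROR", ["v=spf1 mx -all"]), "SPF": ("NOERROR", ["v=spf1 mx -all"])},
    "c.example": {"TXT": ("NOERROR", []), "SPF": ("NOERROR", ["v=spf1 a -all"])},
    "d.example": {"TXT": ("NOERROR", ["unrelated txt"]), "SPF": ("SERVFAIL", [])},
    "e.example": {"TXT": ("NXDOMAIN", []), "SPF": ("NXDOMAIN", [])},
}

def has_spf(answer):
    """True if the answer carried a v=spf1 record (NODATA and errors count as none)."""
    rcode, strings = answer
    return rcode == "NOERROR" and any(s.lower().startswith("v=spf1") for s in strings)

def classify(answers):
    """Which RR type(s) the domain publishes its SPF policy in."""
    t, s = has_spf(answers["TXT"]), has_spf(answers["SPF"])
    return "txt + spf" if t and s else "txt only" if t else "spf only" if s else "none"

def tally(results):
    """Per-type rcode counts (plus v=spf1 hits) and the publication-class counts."""
    rcodes = {"TXT": Counter(), "SPF": Counter()}
    classes = Counter()
    for answers in results.values():
        for qtype in ("TXT", "SPF"):
            rcodes[qtype][answers[qtype][0]] += 1
            if has_spf(answers[qtype]):
                rcodes[qtype]["v=spf1"] += 1
        classes[classify(answers)] += 1
    return rcodes, classes

def percentages(classes, total):
    """(% of all probed domains, % of SPF publishers) per class; 'have spf' is
    the share of domains that publish a type-SPF record at all."""
    publishers = sum(n for c, n in classes.items() if c != "none")
    def pct(n):
        return (round(100 * n / total, 1), round(100 * n / publishers, 1) if publishers else 0.0)
    out = {c: pct(classes.get(c, 0)) for c in ("txt only", "spf only", "txt + spf")}
    out["have spf"] = pct(classes.get("spf only", 0) + classes.get("txt + spf", 0))
    return out

def servfail_on_spf_type(results):
    """Domains that answer TXT but SERVFAIL the type-SPF query: the broken
    negative-answer behaviour the thread attributes to some load balancers."""
    return sorted(d for d, a in results.items()
                  if a["TXT"][0] == "NOERROR" and a["SPF"][0] == "SERVFAIL")
```

Feeding the message's own class counts (8614 / 55 / 675 over 25579 probed domains) to percentages() reproduces its 33.7% / 92.2%, 0.2% / 0.6%, 2.6% / 7.2% and 7.8% figures.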