Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE

Nicholas Weaver <nweaver@icsi.berkeley.edu> Fri, 26 April 2013 15:16 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B630775160234@mbx-01.win.nominum.com>
Date: Fri, 26 Apr 2013 08:16:55 -0700
Message-Id: <5E14F91D-5E46-4F21-AAC4-93E9C66528BC@icsi.berkeley.edu>
References: <20130425013317.36729.qmail@joyce.lan> <80ADB3EE-17FD-4628-B818-801CB71BCBFE@virtualized.org> <BB8C643A-FC46-4B2F-B677-F1B7CAB0E79F@frobbit.se> <alpine.BSF.2.00.1304251030380.65043@joyce.lan> <14A728AE-83DC-4C1F-A88A-6F988D37F2C7@frobbit.se> <20130425154235.GP23770@besserwisser.org> <5179691B.50602@qti.qualcomm.com> <5179980F.9090606@dougbarton.us> <5179B10E.705@qti.qualcomm.com> <5179BC32.8050205@dougbarton.us> <6.2.5.6.2.20130425163243.0bedb6d0@resistor.net> <8D23D4052ABE7A4490E77B1A012B63077515FDEB@mbx-01.win.nominum.com> <CAL0qLwbK23T3MNXQ1e1gxtOda11zy0QMLrekVxxs5og3WZNxLQ@mail.gmail.com> <8D23D4052ABE7A4490E77B1A012B630775160234@mbx-01.win.nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: Pete Resnick <presnick@qti.qualcomm.com>, S Moonesamy <sm+ietf@elandsys.com>, "dnsext@ietf.org" <dnsext@ietf.org>, "spfbis@ietf.org" <spfbis@ietf.org>
Subject: Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE

On Apr 26, 2013, at 8:13 AM, Ted Lemon <Ted.Lemon@nominum.com> wrote:
>> On the other side, here are the arguments that I understand to have been made:
>> 
>> 1. TXT records are not specific to SPF, thus we can't assume that any given TXT record is an SPF record.
>> Rejoinder: doesn't seem to be an issue in practice—no other TXT records are needed on the names to which SPF TXT records are typically attached.
>> 
>> Moreover, parsing TXT records is not hard, nor is answering the question "Does this one start with the string 'v=spf1'?".
> 
> Sure, and a base-64 encoded string will never have an equals sign in that position, so we don't have to worry too much about a random collision.

Yeah, we don't.

IF the string is random, that's a 1 in 2^36 chance.  Yawn.

And if the string is "malicious" and deliberately constructed to be a bad record starting with v=spf1, it only screws up the domain owner's SPF record, so who gives a flying fig?  The domain owner can correct it, be done with it, and move on.

>> 2. Because TXT records aren't specific to SPF, a query for TXT records may return an unexpectedly large result set, requiring fallback to TCP.
>> Rejoinder: doesn't seem to be an issue in practice.
>> 
>> That's not correct; there are still packet filters out there configured by default to disallow TCP over port 53.  We discovered this during the RFC6686 surveys.
> 
> These two points taken together seem like a pretty strong argument in favor of _not_ deprecating the SPF record; in this case, only the SPF record would have made it back to the MTA.

If you want DNSSEC, you got to fix THAT problem anyway.
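The two mechanics argued over above, picking the SPF record out of a TXT RRset by its "v=spf1" version tag and checking whether the whole TXT answer still fits a 512-byte UDP reply, as an added example that is not part of the thread or of any SPF implementation. The RRsets, the name example.com and the token string are constructed for illustration; the selection rules follow RFC 7208 sections 3.3 and 4.5, and the size arithmetic assumes a plain DNS response with no EDNS.

```python
"""Select a domain's SPF record from its TXT RRset (the "does it start with
'v=spf1'?" test) and estimate whether the full TXT answer still fits in a
512-byte UDP DNS reply.

Added example; not code from the thread or from any SPF implementation.
The RRsets below are constructed for illustration and the names are made up.
"""


def is_spf(record: str) -> bool:
    """RFC 7208 section 4.5: keep only records whose version section is
    exactly "v=spf1", terminated by SP or end of record.  ABNF literals are
    case-insensitive, so "V=SPF1 ..." also qualifies; "v=spf10 ..." does not."""
    return record[:6].lower() == "v=spf1" and (len(record) == 6 or record[6] == " ")


def join_character_strings(character_strings) -> str:
    """A TXT RR carries one or more <character-string>s; RFC 7208 section 3.3
    says to concatenate them with no separator before parsing."""
    return "".join(character_strings)


def select_spf(txt_rrset):
    """txt_rrset: list of TXT RRs, each given as a list of its character-strings.

    Returns ("none", None) if no record passes the version test,
    ("ok", record) for exactly one, and ("permerror", None) when more than
    one does, which is what RFC 7208 section 4.5 requires."""
    candidates = [r for r in map(join_character_strings, txt_rrset) if is_spf(r)]
    if not candidates:
        return ("none", None)
    if len(candidates) > 1:
        return ("permerror", None)
    return ("ok", candidates[0])


def udp_response_size(qname: str, txt_rrset) -> int:
    """Size in bytes of a minimal DNS response carrying the whole RRset:
    12-byte header, the question, and one answer RR per record whose owner
    name is a 2-byte compression pointer back to the question."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    qname_wire = sum(1 + len(lab) for lab in labels) + 1   # length octets + root label
    size = 12 + qname_wire + 4                               # header + QNAME + QTYPE + QCLASS
    for rr in txt_rrset:
        rdata = sum(1 + len(cs) for cs in rr)                # each character-string has a length octet
        size += 2 + 2 + 2 + 4 + 2 + rdata                    # NAME pointer, TYPE, CLASS, TTL, RDLENGTH
    return size


def needs_tcp(qname: str, txt_rrset, max_udp: int = 512) -> bool:
    """True when the answer exceeds the classic 512-byte UDP payload (no EDNS):
    the resolver gets TC=1 and must retry over TCP, and a filter that drops
    TCP/53 then leaves the MTA with no usable answer at all."""
    return udp_response_size(qname, txt_rrset) > max_udp


# Constructed sample: one SPF record, an unrelated verification token, and a
# long two-string record (a DKIM-style key) all published on the same name.
SAMPLE_RRSET = [
    ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ["site-verification=abc123"],
    ["v=DKIM1; k=rsa; p=" + "A" * 250, "B" * 250],
]

# Constructed sample for the "second record starting with v=spf1" case: both
# pass the version test, so the domain's SPF evaluation ends in permerror.
DUPLICATE_RRSET = [
    ["v=spf1 -all"],
    ["v=spf1 +all"],
]

if __name__ == "__main__":
    print(select_spf(SAMPLE_RRSET))
    print(select_spf(DUPLICATE_RRSET))
    print(udp_response_size("example.com", SAMPLE_RRSET),
          needs_tcp("example.com", SAMPLE_RRSET))
```

With the sample data the SPF record alone yields a 95-byte reply, while the full RRset comes to 664 bytes, so a resolver without EDNS sees a truncated answer and retries over TCP. A query for the SPF RRTYPE would return only the one record, which is the point made in the quoted text; a modern MTA advertising an EDNS buffer of 1232 bytes or more would also avoid truncation here, but the function lets you try other `max_udp` values to see where a given RRset tips over.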