[dnsext] Last call of draft-ietf-spfbis-4408bis-19
Patrik Fältström <paf@frobbit.se> Tue, 20 August 2013 18:59 UTC
From: Patrik Fältström <paf@frobbit.se>
To: S Moonesamy <sm+ietf@elandsys.com>
Cc: Pete Resnick <presnick@qti.qualcomm.com>, dnsext@ietf.org, ietf@ietf.org
Date: Tue, 20 Aug 2013 20:58:10 +0200
In-Reply-To: <6.2.5.6.2.20130820110057.0bead1e8@resistor.net>
Subject: [dnsext] Last call of draft-ietf-spfbis-4408bis-19
As the bottle is opened, I hereby state my objection to Section 3.1 of draft-ietf-spfbis-4408bis-19 for the reasons explained below.

I do agree (as stated below) that the section of RFC 4408 that specifies how to use both SPF and TXT resource record types includes an error, as it does not lead to interoperability. As the intention with use of both TXT and SPF originally was to migrate from TXT to SPF, I, instead of what is outlined in the draft, suggest that a proper migration strategy is laid out (lookup of SPF mandatory to implement, and fall back to TXT). This instead of deprecation of the SPF record.

In general I do believe, for example when looking at IPv6 and DNSSEC and similar technologies, that the lifetime of RFC 4408 is too short to deprecate any of the proposed records that are in use, specifically as RFC 4408 explicitly does allow use of both.

   Patrik

On 20 Aug 2013, at 20:36, S Moonesamy <sm+ietf@elandsys.com> wrote:

> Hi Patrik,
>
> I am copying the message to ietf@ as there is an ongoing Last Call.
>
> At 08:28 20-08-2013, Patrik Fältström wrote:
>> The consensus related to how to fix RFC 4408 will be very rough. That is clear. And I feel sorry for the responsible AD and IESG to be forced to make a decision that such a large rough part of the rough consensus will not be happy with. Regardless of what the decision will be.
>>
>>
>> An architecturally correct solution is to change:
>>
>> OLD:
>>
>>    An SPF-compliant domain name SHOULD have SPF records of both RR
>>    types. A compliant domain name MUST have a record of at least one
>>    type. If a domain has records of both types, they MUST have
>>    identical content.
>>
>> NEW:
>>
>>    An SPF-compliant domain name SHOULD have SPF records of both RR
>>    types. A compliant domain name MUST have a record of type SPF,
>>    code 99. Lookup MUST first be of type SPF and SHOULD, if no response
>>    is received, be of type TXT.
>>
>>
>> Reasoning: The use of the TXT record for SPF is not sound for a number of reasons:
>>
>> 1. The TXT record already can have multiple fields, and it is very unfortunate that the SPF use of TXT records does not use that feature. Instead the SPF specification does say that the first field should be used, and if there are more than one they should be concatenated. After one has one and only one field, that field should be parsed and divided in fields.
>>
>> 2. It is even (compared to some other TXT related documents) pointed out in RFC 4408 that collisions as described in RFC 5507 might happen.
>>
>> 3. It is also pointed out that there might be size issues with the records, and experience from use of NAPTR shows that selecting a preferred mechanism that potentially blows the size of the RRSet is not very wise. This is btw why the URI RR Type does not use a prefixed-length "text" field in the RDATA but does set the string the URI is to the full length of the RDATA, i.e. without any 255 byte limitation.
>>
>> 4. DNS is by design (as pointed out in RFC 5507) created with a tuple consisting of owner, type and class for selection by the client of what record set is to be retrieved. This RRSet architecture is something that comes back not only in the query/response architecture of the DNS protocol, but also in the DNSSEC architecture where RRSets are the units that are signed. Not explicitly ensuring an RRSet is used for SPF (and nothing more) is an architectural choice I am strongly against.
>>
>>
>> Because of these reasons, I do believe the choice is wrong to say that TXT MUST be implemented, and instead I am in favor of having type SPF be mandatory for interoperability with fallback to lookup of TXT.
>
> From Section 3.1 of draft-ietf-spfbis-4408bis-19:
>
>    "SPF records MUST be published as a DNS TXT (type 16) Resource Record
>    (RR) [RFC1035] only. The character content of the record is encoded
>    as [US-ASCII]. Use of alternative DNS RR types was supported in
>    SPF's experimental phase, but has been discontinued."
>
> There is a message from Pete Resnick about RFC 2119 usage ( http://www.ietf.org/mail-archive/web/spfbis/current/msg03642.html ). The interpretation of "SHOULD" and "MUST" in that part of RFC 4408 was an issue which the SPFBIS WG discussed.
>
> It would be better to have the discussion on the ietf@ mailing list as that's the venue which the IESG identified for Last Call comments.
>
> Regards,
> S. Moonesamy
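Added example (written for this archive page, not code from the thread or any of its participants): an offline model of the two record-selection strategies argued about above. It applies the TXT character-string concatenation rule from point 1, the "identical content" requirement of the quoted OLD text, and the proposed "SPF first, fall back to TXT" lookup order, against a constructed in-memory zone that stands in for the answers a resolver would return for one owner name.

```python
from typing import Dict, List, Optional, Tuple

# An RR's RDATA for both TXT (type 16) and SPF (type 99) is a sequence of
# <character-string>s, each at most 255 octets; an RRSet is a list of RRs.
RRSet = List[List[bytes]]

def join_character_strings(rdata: List[bytes]) -> str:
    """Point 1 of the quoted message: all <character-string>s of one RR
    are concatenated, with no separator, before the record is parsed."""
    for cs in rdata:
        if len(cs) > 255:
            raise ValueError("character-string exceeds 255 octets")
    return b"".join(rdata).decode("ascii")

def spf_records(rrset: RRSet) -> List[str]:
    """Keep only RRs whose joined text starts with the exact version
    token "v=spf1" (terminated by SP or end of record); other TXT data
    at the same owner name is ignored, never parsed as policy."""
    out = []
    for rdata in rrset:
        text = join_character_strings(rdata)
        if text == "v=spf1" or text.startswith("v=spf1 "):
            out.append(text)
    return out

def lookup_spf(zone: Dict[str, RRSet], prefer: str = "SPF") -> Tuple[Optional[str], List[str]]:
    """Migration strategy proposed in the message: query the preferred
    type (SPF, code 99, by default) first and fall back to TXT only when
    it yields no usable record. Returns (selected record, warnings).
    'zone' is a constructed stand-in for resolver answers, keyed by type."""
    warnings: List[str] = []
    found = {t: spf_records(zone.get(t, [])) for t in ("SPF", "TXT")}
    for t, recs in found.items():
        if len(recs) > 1:
            # RFC 4408 makes more than one matching record a permanent error
            warnings.append(f"{t}: {len(recs)} SPF records, PermError")
    if found["SPF"] and found["TXT"] and found["SPF"] != found["TXT"]:
        # The quoted OLD text requires identical content in both types; if they
        # diverge, receivers that choose different types evaluate different policies.
        warnings.append("SPF and TXT RRSets carry different policies")
    order = (prefer, "TXT" if prefer == "SPF" else "SPF")
    for t in order:
        if len(found[t]) == 1:
            return found[t][0], warnings
    return None, warnings

# Constructed sample zone (not real data): a domain mid-migration whose
# TXT copy is split into two character-strings and whose SPF copy was
# later edited and no longer matches the TXT copy.
EXAMPLE_ZONE: Dict[str, RRSet] = {
    "TXT": [[b"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ", b"-all"],
            [b"unrelated site-verification text"]],
    "SPF": [[b"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"]],
}
```

Running `lookup_spf(EXAMPLE_ZONE)` and `lookup_spf(EXAMPLE_ZONE, prefer="TXT")` returns two different policies for the same domain with the mismatch warning set, which is exactly the interoperability failure the message objects to.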