IETF Logo Mail Archive

[dnsext] Last call of draft-ietf-spfbis-4408bis-19

Patrik Fältström <paf@frobbit.se> Tue, 20 August 2013 18:59 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9B7E21F91F2; Tue, 20 Aug 2013 11:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.075
X-Spam-Level:
X-Spam-Status: No, score=-2.075 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7H1RijMU8LNx; Tue, 20 Aug 2013 11:59:34 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) by ietfa.amsl.com (Postfix) with ESMTP id 9D7A911E8274; Tue, 20 Aug 2013 11:58:16 -0700 (PDT)
Received: from [IPv6:2a02:80:3ffc::e0a8:d413:1cf1:c2f5] (unknown [IPv6:2a02:80:3ffc:0:e0a8:d413:1cf1:c2f5]) by mail.frobbit.se (Postfix) with ESMTPSA id A2EAA23F2B; Tue, 20 Aug 2013 20:58:10 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <6.2.5.6.2.20130820110057.0bead1e8@resistor.net>
Date: Tue, 20 Aug 2013 20:58:10 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6DEE47E1-885D-4F12-A766-D9BB2284BA09@frobbit.se>
References: <E3DE33F3-B0A5-494B-9202-499E16ECCFB1@virtualized.org> <20130819222037.GA55876@mx1.yitter.info> <93130B0B-5C37-45EE-8380-AF209CA54B8F@frobbit.se> <521385AA.9080401@qti.qualcomm.com> <933357EA-6472-4C77-AED3-E6411BC684B6@frobbit.se> <6.2.5.6.2.20130820110057.0bead1e8@resistor.net>
To: S Moonesamy <sm+ietf@elandsys.com>
X-Mailer: Apple Mail (2.1508)
Cc: Pete Resnick <presnick@qti.qualcomm.com>, dnsext@ietf.org, ietf@ietf.org
Subject: [dnsext] Last call of draft-ietf-spfbis-4408bis-19
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 18:59:35 -0000

As the bottle is opened, I hereby state my objection to Section 3.1 of draft-ietf-spfbis-4408bis-19 for the reasons explained below. I do agree (as stated below) that the section of RFC 4408 that specify how to use both SPF and TXT resource record types include an error as it does not lead to interoperability.

As the intention with use of both TXT and SPF originally was to migrate from TXT to SPF I instead of what is outlined in the draft suggest that a proper migration strategy is laid out (look up mandatory to implement SPF and fall back to TXT). This instead of deprecation of the SPF record.

In general I do believe, for example when looking at IPv6 and DNSSEC and similar technologies, that the lifetime of RFC 4408 is too short to deprecate any of the proposed records that are in use, specifically as RFC 4408 explicitly do allow use of both.

   Patrik

On 20 aug 2013, at 20:36, S Moonesamy <sm+ietf@elandsys.com> wrote:

> Hi Patrik,
> 
> I am copying the message to ieft@ as there is an ongoing Last Call.
> 
> At 08:28 20-08-2013, Patrik Fältström wrote:
>> The consensus related to how to fix RFC 4408 will be very rough. That is clear. And I feel sorry for responsible AD and IESG to be forced to make a decision that such a large rough part of the rough consensus will not be happy with. Regardless of what the decision will be.
>> 
>> 
>> An architectural correct solution is to change:
>> 
>> OLD:
>> 
>>   An SPF-compliant domain name SHOULD have SPF records of both RR
>>   types.  A compliant domain name MUST have a record of at least one
>>   type.  If a domain has records of both types, they MUST have
>>   identical content.
>> 
>> NEW:
>> 
>>   An SPF-compliant domain name SHOULD have SPF records of both RR
>>   types.  A compliant domain name MUST have a record of at type SPF,
>>   code 99.  Lookup MUST first be of type SPF and SHOULD if no response
>>   is received be of type TXT.
>> 
>> 
>> Reasoning: The use of the TXT record for SPF is not sounds for a number of reasons:
>> 
>> 1. The TXT record already can have multiple fields, and it is very unfortunate that the SPF use of TXT records do not use that feature. Instead the SPF specification do say that the first field should be used, and if there are more than one they should be concatenated. After one have one and only one field, that field should be parsed and divided in fields.
>> 
>> 2. It is even (compared to some other TXT related documents) pointed out in RFC 4408 that collisions as described in RFC 5507 might happen.
>> 
>> 3. It is also pointed out that there might be size issues with the records, and experience from use of NAPTR show that selecting a preferred mechanism that potentially blows the size of the RRSet is not very wise. This is btw why the URI RR Type do not use a prefixed length "text" field in the RDATA but do set the string the URI is to the full length of the RDATA, i.e. without any 255 byte limitation.
>> 
>> 4. DNS is by design (as pointed out in RFC 5507) created with a tuple consisting of owner, type and class for selection by the client what record set to be retrieved. This RRSet architecture is something that comes back not only in the query/response architecture of the DNS protocol, but also in the DNSSEC architecture where RRSets are the units that are signed. Not explicitly ensuring an RRSet is used for SPF (and nothing more) is an architectural choice I strongly am against.
>> 
>> 
>> Because of these reasons, I do believe the choice is wrong to say that TXT MUST be implemented and instead I am in favor of having type SPF be mandatory for interoperability with fallback to lookup of TXT.
> 
> From Section 3.1 of draft-ietf-spfbis-4408bis-19:
> 
>  "SPF records MUST be published as a DNS TXT (type 16) Resource Record
>   (RR) [RFC1035] only.  The character content of the record is encoded
>   as [US-ASCII].  Use of alternative DNS RR types was supported in
>   SPF's experimental phase, but has been discontinued."
> 
> There is a message from Pete Resnick about RFC 2119 usage ( http://www.ietf.org/mail-archive/web/spfbis/current/msg03642.html ).  The interpretation of "SHOULD" and MUST" in that part of RFC 4408 was an issue which the SPFBIS WG discussed about.
> 
> It would be better to have the discussion on the ietf@ mailing list as that's the venue which the IESG identified for last Call comments.
> 
> Regards,
> S. Moonesamy

v2.23.0 | Report a Bug | By Email