Re: [dnsext] SPF, a cautionary tale

bmanning@vacation.karoshi.com Sun, 05 May 2013 01:22 UTC

Date: Sun, 05 May 2013 01:22:16 +0000
From: bmanning@vacation.karoshi.com
To: John R Levine <johnl@taugh.com>
Cc: bmanning@vacation.karoshi.com, dnsext@ietf.org, Ted.Lemon@nominum.com
Subject: Re: [dnsext] SPF, a cautionary tale

On Sat, May 04, 2013 at 11:16:38AM -0400, John R Levine wrote:
> >>... and interpreting SPF records requires more DNS queries than any 
> >>other DNS application I know.
> 
> >	So what you are saying is that SPF is a carefully crafted DNS
> >	DDoS attack because it was too hard to do the work inside your
> >	own protocol?
> 
> Yup, just like CNAME.
>

	excuse me, how do you reconcile your first statement, "more DNS queries
	than -any- other DNS application I know", with "just like CNAME"?

	CNAME semantics and behaviour are well known and studied.  You get -ONE-
	redirect.  Other DNS tricks have been DNS-abusive and have been abandoned
	(BITSTRING) or redesigned (KEY/SIG).

> In the decade that SPF has been around, the putative DDoS has never been 
> observed in the wild, ever, despite Doug Otis warning us about it every 15 
> minutes since 4408 was a draft, and a few experiments I did with stunt DNS 
> servers that returned giant trees of SPF records very slowly.  It turns 
> out everyone does loop breaking, just like for CNAME.  It's a sloppy 
> design from a decade ago that succeeded because it made an end run around 
> the DNS provisioning problems of "better" alternatives.

	care to publish the experiment and its results?
	I'd like to replicate it.

> >	Whatever happened to "Be Conservative in What you Send..."
> 
> It lost out to Stuff That Actually Exists Works Better than Stuff That 
> Doesn't.


	actually, not so much - there is certainly a whole lot of parasitic
	behaviour in this decade's work - there appears to be evidence that
	the SPF RR type exists and works.

> A decade ago, SPF was far from my favorite authentication design, but now 
> it exists, it's more widely used than most standards track protocols, and 
> it would be silly to pretend otherwise.  Hence the spfbis charter to 
> standardize existing practice.

	Now that I have a hard time believing... "more widely used than most
	standards track protocols" is a mighty big brush.  Perhaps you want
	to focus on SMTP authentication - then I would have an easier time
	believing you.

> R's,
> John