Re: [dnsext] Obsoleting SPF RRTYPE and deprecate all macros
Douglas Otis <doug.mtview@gmail.com> Thu, 25 April 2013 09:15 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD6F21F8FF2; Thu, 25 Apr 2013 02:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvOD6XoY6MR5; Thu, 25 Apr 2013 02:15:30 -0700 (PDT)
Received: from mail-ia0-x22f.google.com (mail-ia0-x22f.google.com [IPv6:2607:f8b0:4001:c02::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 4F90821F86CA; Thu, 25 Apr 2013 02:15:28 -0700 (PDT)
Received: by mail-ia0-f175.google.com with SMTP id i38so2482328iae.20 for <multiple recipients>; Thu, 25 Apr 2013 02:15:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=G8nBCqSXbLg2MXGb+nMQpLbL10NM3S+3zLZPVKC4Rp8=; b=qqohewri91PxM0MR0Md0lUlzXZst+APl7sYhAwqw1a+peRcyiChoAXfjDwE4Tnhp/u g8nvp9BInEKBnmH0awTojX9CXGZkJA1Op0EVllmuZlXdjMIPnjqU8qqnUTVrccROAxLz KevYwfePXogtcgJWyCe42zDW69KrsjEUPQFH5+qQCtMR35q1zuhM/fFXGird546Tqbyk HzmAI56D740u/5tskRbBHcaqvmqtyTM0aN5VVt/BIdmIcnM6om6P5cweTb++46shDqTl WaZINmAoGS3ZoaLLaBb35JjDTcOo7VENfWjltM5Ms4LbX2PWybnXZUSb/UAlz3SJLzoO l4vw==
X-Received: by 10.50.128.16 with SMTP id nk16mr17840944igb.15.1366881327990; Thu, 25 Apr 2013 02:15:27 -0700 (PDT)
Received: from ?IPv6:2601:9:4d80:89:21c1:6200:53b7:b135? ([2601:9:4d80:89:21c1:6200:53b7:b135]) by mx.google.com with ESMTPSA id p9sm33284379iga.7.2013.04.25.02.15.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 02:15:27 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20130425075147.GN23770@besserwisser.org>
Date: Thu, 25 Apr 2013 02:15:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0991993C-F710-4617-9333-07996AB2C700@gmail.com>
References: <6.2.5.6.2.20130423150008.0c2c0558@elandnews.com> <264F7B0D-C3FC-4C7C-A4D8-AF180DEC331F@virtualized.org> <20130425075147.GN23770@besserwisser.org>
To: Måns Nilsson <mansaxel@besserwisser.org>
X-Mailer: Apple Mail (2.1503)
Cc: spfbis@ietf.org, dnsext@ietf.org, S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: [dnsext] Obsoleting SPF RRTYPE and deprecate all macros
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 09:15:31 -0000
On Apr 25, 2013, at 12:51 AM, Måns Nilsson <mansaxel@besserwisser.org> wrote: > Subject: Re: [dnsext] Obsoleting SPF RRTYPE Date: Wed, Apr 24, 2013 at 05:12:07PM -0700 Quoting David Conrad (drc@virtualized.org): > >> I personally believe deprecating the SPF RR is the wrong way to go, but I'm guessing that discussion has already been had. > > Overloading the TXT record has always been a Really Bad Idea. I'm with > drc here. While the draft probably is formally proper, it advocates the > worng decision and I cannot support it. > > OTOH, mixing up routing layer with application layer and gilding some > IP addresses in favour of others is another Really Bad Idea; I'd rather > throw the entire business of supposedly Good and Bad addresses out the > window and start looking at the in-band data instead; ie. DKIM or similar. > > While removing SPF can be seen as in support of above, I'm pretty certain > that it in practice just will continue as usual, in TXT records. Better > then that we get to keep TXT records for free-form data. Dear Måns, Obsoleting SPF RR is not enough. All macros should be deprecated as well. tools.ietf.org/html/rfc3123 predates this poorly conceived scheme. SPF was poorly conceived starting out as 2KB TXT XML encoded resource records in DNS where many expect direct use of TXT resource records permits wildcard replication. This scheme also expects receivers to combine email-address local-parts with SPF domains to query other resource record sets. SPF may induce high query overheads flooding caches with up to 100 transactions derived from email-address local-parts that normally vary in spam campaigns to also support DDoS attacks leveraging receiver's attempt to verify service authorizations. (10 mechanisms x 10 (PTRs or As or AAAAs)) Permitting PTRs can also lead to connection resource exhaustion. The macro expansion can also leverage DNS name compression to further increase network amplifications against some unseen domain while spamming entirely different domains. The macro scheme was not intended to validate EHLOs or provide NDN authorizations and inappropriately exposes aspects of message handling. The review of SPF use also neglects whether major providers process these macros, many whom assure they do not. Verifying the ELHO is seldom supported, where authorization permits by bulk sender's to dodge accountability. Without genuine domain authentication SMTP is not safe. A safe and effective alternative is needed to safely provide a basis for assessing and reacting to abusive behavior. XMPP offers examples of StartTLS used in a highly scalable fashion that can leverage OCSP and self published DANE Certs needed to support IPv6. Regards, Douglas Otis
- Re: [dnsext] Obsoleting SPF RRTYPE Masataka Ohta
- [dnsext] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Masataka Ohta
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Måns Nilsson
- Re: [dnsext] Obsoleting SPF RRTYPE and deprecate … Douglas Otis
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Dave Lawrence
- Re: [dnsext] Obsoleting SPF RRTYPE Paul Hoffman
- Re: [dnsext] Obsoleting SPF RRTYPE Andrew Sullivan
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Måns Nilsson
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Paul Hoffman
- Re: [dnsext] Obsoleting SPF RRTYPE Jim Reid
- Re: [dnsext] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dotzero
- Re: [dnsext] Obsoleting SPF RRTYPE Joe Abley
- Re: [dnsext] Obsoleting SPF RRTYPE Joe Abley
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Warren Kumari
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Pete Resnick
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Noel David Torres Taño
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Nicholas Weaver
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Nicholas Weaver
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Barry Leiba
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] Obsoleting SPF RRTYPE Havard Eidnes
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE S Moonesamy
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Ted Lemon
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Murray S. Kucherawy
- Re: [dnsext] Obsoleting SPF RRTYPE Mark Andrews
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Noel David Torres Taño
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Dave Crocker
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Scott Kitterman
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Scott Kitterman
- Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE Hector Santos
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE John R Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE John Levine
- Re: [dnsext] Obsoleting SPF RRTYPE Doug Barton
- Re: [dnsext] Obsoleting SPF RRTYPE Edward Lewis
- [dnsext] loads of TXT records for fun and profit Jim Reid
- Re: [dnsext] Obsoleting SPF RRTYPE David Conrad
- Re: [dnsext] Obsoleting SPF RRTYPE Patrik Fältström
- Re: [dnsext] Obsoleting SPF RRTYPE Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Nicholas Weaver
- Re: [dnsext] loads of TXT records for fun and pro… Mark Andrews
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Ted Lemon
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- Re: [dnsext] loads of TXT records for fun and pro… Joe Abley
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… Phillip Hallam-Baker
- [dnsext] SPF, a cautionary tale John Levine
- Re: [dnsext] loads of TXT records for fun and pro… Nicholas Weaver
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… David Conrad
- Re: [dnsext] loads of TXT records for fun and pro… Doug Barton
- Re: [dnsext] loads of TXT records for fun and pro… Murray S. Kucherawy
- Re: [dnsext] loads of TXT records for fun and pro… Doug Barton
- Re: [dnsext] loads of TXT records for fun and pro… Phil Pennock
- Re: [dnsext] loads of TXT records for fun and pro… Phil Pennock
- Re: [dnsext] loads of TXT records for fun and pro… John Levine
- Re: [dnsext] loads of TXT records for fun and pro… David Miller
- Re: [dnsext] loads of TXT records for fun and pro… John Levine
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale John R Levine
- Re: [dnsext] SPF, a cautionary tale Douglas Otis
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Douglas Otis
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Doug Barton
- Re: [dnsext] SPF, a cautionary tale bmanning
- Re: [dnsext] SPF, a cautionary tale Murray S. Kucherawy
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] SPF, a cautionary tale Phillip Hallam-Baker
- Re: [dnsext] SPF, a cautionary tale Mark Andrews
- Re: [dnsext] loads of TXT records for fun and pro… Florian Weimer