Re: [dnsext] Obsoleting SPF RRTYPE and deprecate all macros

Douglas Otis <doug.mtview@gmail.com> Thu, 25 April 2013 09:15 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD6F21F8FF2; Thu, 25 Apr 2013 02:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvOD6XoY6MR5; Thu, 25 Apr 2013 02:15:30 -0700 (PDT)
Received: from mail-ia0-x22f.google.com (mail-ia0-x22f.google.com [IPv6:2607:f8b0:4001:c02::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 4F90821F86CA; Thu, 25 Apr 2013 02:15:28 -0700 (PDT)
Received: by mail-ia0-f175.google.com with SMTP id i38so2482328iae.20 for <multiple recipients>; Thu, 25 Apr 2013 02:15:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=G8nBCqSXbLg2MXGb+nMQpLbL10NM3S+3zLZPVKC4Rp8=; b=qqohewri91PxM0MR0Md0lUlzXZst+APl7sYhAwqw1a+peRcyiChoAXfjDwE4Tnhp/u g8nvp9BInEKBnmH0awTojX9CXGZkJA1Op0EVllmuZlXdjMIPnjqU8qqnUTVrccROAxLz KevYwfePXogtcgJWyCe42zDW69KrsjEUPQFH5+qQCtMR35q1zuhM/fFXGird546Tqbyk HzmAI56D740u/5tskRbBHcaqvmqtyTM0aN5VVt/BIdmIcnM6om6P5cweTb++46shDqTl WaZINmAoGS3ZoaLLaBb35JjDTcOo7VENfWjltM5Ms4LbX2PWybnXZUSb/UAlz3SJLzoO l4vw==
X-Received: by 10.50.128.16 with SMTP id nk16mr17840944igb.15.1366881327990; Thu, 25 Apr 2013 02:15:27 -0700 (PDT)
Received: from ?IPv6:2601:9:4d80:89:21c1:6200:53b7:b135? ([2601:9:4d80:89:21c1:6200:53b7:b135]) by mx.google.com with ESMTPSA id p9sm33284379iga.7.2013.04.25.02.15.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 02:15:27 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20130425075147.GN23770@besserwisser.org>
Date: Thu, 25 Apr 2013 02:15:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0991993C-F710-4617-9333-07996AB2C700@gmail.com>
References: <6.2.5.6.2.20130423150008.0c2c0558@elandnews.com> <264F7B0D-C3FC-4C7C-A4D8-AF180DEC331F@virtualized.org> <20130425075147.GN23770@besserwisser.org>
To: Måns Nilsson <mansaxel@besserwisser.org>
X-Mailer: Apple Mail (2.1503)
Cc: spfbis@ietf.org, dnsext@ietf.org, S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: [dnsext] Obsoleting SPF RRTYPE and deprecate all macros
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 09:15:31 -0000

On Apr 25, 2013, at 12:51 AM, Måns Nilsson <mansaxel@besserwisser.org> wrote:

> Subject: Re: [dnsext] Obsoleting SPF RRTYPE Date: Wed, Apr 24, 2013 at 05:12:07PM -0700 Quoting David Conrad (drc@virtualized.org):
> 
>> I personally believe deprecating the SPF RR is the wrong way to go, but I'm guessing that discussion has already been had.
> 
> Overloading the TXT record has always been a Really Bad Idea. I'm with
> drc here. While the draft probably is formally proper, it advocates the
> worng decision and I cannot support it.
> 
> OTOH, mixing up routing layer with application layer and gilding some
> IP addresses in favour of others is another Really Bad Idea; I'd rather
> throw the entire business of supposedly Good and Bad addresses out the
> window and start looking at the in-band data instead; ie. DKIM or similar.
> 
> While removing SPF can be seen as in support of above, I'm pretty certain
> that it in practice just will continue as usual, in TXT records. Better 
> then that we get to keep TXT records for free-form data.

Dear Måns,

Obsoleting SPF RR is not enough.  All macros should be deprecated as well.  tools.ietf.org/html/rfc3123 predates this poorly conceived scheme.

SPF was poorly conceived starting out as 2KB TXT XML encoded resource records in DNS where many expect direct use of TXT resource records permits wildcard replication.  This scheme also expects receivers to combine email-address local-parts with SPF domains to query other resource record sets.  SPF may induce high query overheads flooding caches with up to 100 transactions derived from email-address local-parts that normally vary in spam campaigns to also support DDoS attacks leveraging receiver's attempt to verify service authorizations.
(10 mechanisms x 10 (PTRs or As or AAAAs))  Permitting PTRs can also lead to connection resource exhaustion. The macro expansion can also leverage DNS name compression to further increase network amplifications against some unseen domain while spamming entirely different domains.

The macro scheme was not intended to validate EHLOs or provide NDN authorizations and inappropriately exposes aspects of message handling.  The review of SPF use also neglects whether major providers process these macros, many whom assure they do not.  Verifying the ELHO is seldom supported, where authorization permits by bulk sender's to dodge accountability.  Without genuine domain authentication SMTP is not safe.    

A safe and effective alternative is needed to safely provide a basis for assessing and reacting to abusive behavior.  XMPP offers examples of StartTLS used in a highly scalable fashion that can leverage OCSP and self published DANE Certs needed to support IPv6.  

Regards,
Douglas Otis