Re: [dnsext] SPF, a cautionary tale

[bmanning@vacation.karoshi.com]

On Sun, May 05, 2013 at 05:34:00PM -0700, Murray S. Kucherawy wrote:
> On Sun, May 5, 2013 at 1:53 AM, <bmanning@vacation.karoshi.com> wrote:
> 
> > > If you're saying that the author of RFC 6686 is lying about the data he
> > > presents, including 400,000 domains that publish TXT SPF records and the
> > > few thousand that publish type 99, I'll pass the message along.
> >
> >         I'm saying that your claim of millions of messages is flawed.
> >         No as to the claims for RFC 6686, I'll be happy to take those
> > numbers
> >         at face value. (but, yeah, pass my concerns along)
> >         402,000 domains using SPF is barely statistically relevent,
> > considering
> >         there are over 350 million domains in existance.  just over 1%.
> >
> 
> Isn't "domains that appear to be sending mail" a more useful universe from
> which to sample than "registered domains"?


	Probably - but I was following Johns usage.


> 
>         apparently no one in the spfbis wg bothered to read
> > http://tools.ietf.org/html/rfc5507
> >         and there is no time limit to the choice of a good idea v. a bad
> > idea.
> >         a bad idea can and should be questioned at any time - there is no
> >         "its too late" arguemnt that should hold, particularly when there
> > is
> >         roughly 1% penetration of the service against the number of
> > existing domains.
> >
> 
> I'm an existence proof that your claim is false.  I've read RFC5507 and I'm
> familiar with its contents.  I've already said that, were we writing this
> anew, I think we'd likely be taking a different path here, one that would
> make the members of dnsext much happier.  But since the former is false,
> and there's a substantial deployed base much of which is unlikely to change
> its behaviour for various reasons, we have to look at this a different way.


	there is this wonderful thing called "O'Dells Law" which, paraphrased
	is:  "The installed based doesn't matter".   However, there is nothing
	preventing the SPF community from using TXT to store thier particularly
	unique stuff.  But there can be zero whining when other folks use TXT for
	their own purposes and confuse the heck out of SPF processors which get 
	(for thier purposes) malformed SPF data...

> > > Despite what the fantasists in dnsext imagine, there is no chance
> > > whatsoever of getting those hundreds of thousands of existing mail
> > systems
> > > to change the way they publish and check SPF data, particularly a change
> > > that has less than no operational benefit.  (Don't argue unless you know
> > > more people who run large mail systems than I do, and I meet pretty much
> > > all of them at MAAWG meetings.)  The only recent changes I can think of
> > > are that Yahoo used to check both TXT and type 99 and now only checks
> > TXT,
> > > and Micsosoft mail properties including Hotmail gave up on Sender ID and
> > > just check SPF.
> >
> >         my what a pessemistic/fatalistic attitude you have there.
> >         and again with your unsupported assertions.
> 
> His pessimism is founded in reality.  I have similar contact with the same
> people, and I reach the same conclusion.

	Sounds very much like the folks who hijacked net 1.0.0.0/8 for their
	wireless/NAT space.  (Or pretty much anyone who has "borrowed" IP space
	because it was too hard to get/justify the space properly.)  They have no
	incentive to change their installed base...  except for interoperability
	problems.

/bill

> 
> -MSK