Re: [dnsext] SPF, a cautionary tale

Douglas Otis <doug.mtview@gmail.com> Sun, 05 May 2013 01:30 UTC

From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <5185b451.85f8420a.05ec.0c69SMTPIN_ADDED_BROKEN@mx.google.com>
Date: Sat, 04 May 2013 18:30:29 -0700
Message-Id: <A9B47A87-A685-4149-87D9-EF52BF8041EF@gmail.com>
References: <8D23D4052ABE7A4490E77B1A012B63077516EA82@mbx-01.win.nominum.com> <20130503171843.39672.qmail@joyce.lan> <20130504133312.GA27772@vacation.karoshi.com.> <alpine.BSF.2.00.1305041103360.8602@joyce.lan> <5185b451.85f8420a.05ec.0c69SMTPIN_ADDED_BROKEN@mx.google.com>
To: bmanning@vacation.karoshi.com
Cc: dnsext@ietf.org, Ted.Lemon@nominum.com
Subject: Re: [dnsext] SPF, a cautionary tale

On May 4, 2013, at 6:22 PM, bmanning@vacation.karoshi.com wrote:

> On Sat, May 04, 2013 at 11:16:38AM -0400, John R Levine wrote:
>>>> ... and interpreting SPF records requires more DNS queries than any 
>>>> other DNS application I know.
>> 
>>> 	So what you are saying is that SPF is a carefully crafted DNS
>>> 	DDoS attack because it was too hard to do the work inside your
>>> 	own protocol?
>> 
>> Yup, just like CNAME.
>> 
> 
> 	excuse me, how do you reconcile your first statement, "more DNS queries
> 	than -any- other DNS application I know", with "just like CNAME"?
> 
> 	CNAME semantics and behaviour are well known and studied.  You get -ONE-
> 	redirect.   Other DNS tricks have been DNS-abusive and have been abandoned
> 	(BITSTRING) or redesigned (KEY/SIG).
> 
>> In the decade that SPF has been around, the putative DDoS has never been 
>> observed in the wild, ever, despite Doug Otis warning us about it every 15 
>> minutes since 4408 was a draft, and a few experiments I did with stunt DNS 
>> servers that returned giant trees of SPF records very slowly.  It turns 
>> out everyone does loop breaking, just like for CNAME.  It's a sloppy 
>> design from a decade ago that succeeded because it made an end run around 
>> the DNS provisioning problems of "better" alternatives.
> 
> 	care to publish the experiment and its results?
> 	I'd like to replicate it.
> 
>>> 	What ever happened to "Be Conservative in What you Send..."
>> 
>> It lost out to Stuff That Actually Exists Works Better than Stuff That 
>> Doesn't.
> 
> 
> 	actually, not so much - there is certainly a whole lot of parasitic 
> 	behaviour in this decade's work - there appears to be evidence that 
> 	the SPF RR type exists and works.
> 
>> A decade ago, SPF was far from my favorite authentication design, but now 
>> it exists, it's more widely used than most standards track protocols, and 
>> it would be silly to pretend otherwise.  Hence the spfbis charter to 
>> standardize existing practice.
> 
> 	Now that I have a hard time believing... "more widely used than most
> 	standards track protocols"  is a mighty big brush.  Perhaps you want
> 	to focus on SMTP authentication - then I would have an easier time 
> 	believing you.
> 
>> R's,
>> John

Dear Bill and John,

May I also add, SPF verification of the Mail From parameter provides authorization for Non-Delivery Notifications.  It does not provide any form of Authentication.

Regards,
Douglas Otis
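The thread argues about how many DNS queries an SPF record can trigger and about loop breaking in SPF evaluators. As an added illustration (editor-supplied example code, not from the original post or any participant), the following walks an SPF include/redirect tree over a constructed in-memory zone, counts the terms that cause DNS queries against the 10-term limit of RFC 4408 section 10.1, and breaks include cycles by tracking the chain currently being evaluated rather than refusing any domain seen twice. The zone data and the function name are assumptions; only the mechanisms that themselves cause a query (include, a, mx, ptr, exists, plus the redirect modifier) are counted, not the additional per-MX or per-PTR lookups a full evaluator also bounds.

```python
"""Counting the DNS work an SPF record triggers, with loop breaking.

Editor-added example. The zone data below is constructed and the helper
name is hypothetical. Only DNS-querying terms are counted (include, a, mx,
ptr, exists, and the redirect modifier); the per-MX and per-PTR lookups a
full evaluator also limits are ignored here.
"""

# Constructed in-memory TXT data standing in for real DNS (example domains only).
ZONE = {
    "clean.example.com": "v=spf1 ip4:203.0.113.0/24 mx include:n0.example.com -all",
    "example.com": "v=spf1 include:_spf.example.com mx -all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 include:loop.example.com -all",
    "loop.example.com": "v=spf1 include:_spf.example.com -all",  # include cycle
    "deep.example.com": "v=spf1 "
    + " ".join(f"include:n{i}.example.com" for i in range(12))
    + " -all",
}
for i in range(12):  # twelve leaf records, each a single ip4 mechanism
    ZONE[f"n{i}.example.com"] = "v=spf1 ip4:198.51.100.1 -all"

MAX_DNS_MECHANISMS = 10  # RFC 4408 section 10.1 limit on DNS-querying terms
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def count_spf_lookups(domain, zone=ZONE):
    """Walk the SPF include/redirect tree for `domain` and count DNS-querying terms.

    Returns a dict with the outcome ("ok", "none" or "permerror"), a reason,
    and how many DNS-querying terms were encountered before evaluation stopped.
    """
    lookups = 0
    path = []  # include chain currently being evaluated; used for loop breaking

    def walk(name):
        nonlocal lookups
        if name in path:
            return "permerror", "include loop: " + " -> ".join(path + [name])
        record = zone.get(name)
        if record is None or not record.startswith("v=spf1"):
            return "none", f"no SPF record for {name}"
        path.append(name)
        try:
            for term in record.split()[1:]:
                term = term.lstrip("+-~?")  # drop the qualifier
                if term.startswith("redirect="):
                    mech, _, target = term.partition("=")
                else:
                    mech, _, target = term.partition(":")
                if mech != "redirect" and mech not in DNS_MECHANISMS:
                    continue  # ip4/ip6/all/exp cost no DNS query
                lookups += 1
                if lookups > MAX_DNS_MECHANISMS:
                    return "permerror", f"more than {MAX_DNS_MECHANISMS} DNS-querying terms"
                if mech in ("include", "redirect"):
                    result, reason = walk(target)
                    if result != "ok":  # a missing target record is also a permerror
                        return "permerror", reason
            return "ok", "within limits"
        finally:
            path.pop()

    result, reason = walk(domain)
    return {"domain": domain, "result": result, "reason": reason, "lookups": lookups}


if __name__ == "__main__":
    for name in ("clean.example.com", "example.com", "deep.example.com"):
        print(count_spf_lookups(name))
```

Running it over the constructed zone shows the three cases the thread touches: a record within limits, an include cycle that terminates because the current chain is tracked, and a record whose includes exceed the limit and stop evaluation with a permanent error after the eleventh DNS-querying term.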