IETF Logo Mail Archive

Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

Douglas Otis <doug.mtview@gmail.com> Thu, 12 September 2013 04:55 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FFB321F9BF0 for <ietf@ietfa.amsl.com>; Wed, 11 Sep 2013 21:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZxY+0-ZBPn1 for <ietf@ietfa.amsl.com>; Wed, 11 Sep 2013 21:55:56 -0700 (PDT)
Received: from mail-pd0-x229.google.com (mail-pd0-x229.google.com [IPv6:2607:f8b0:400e:c02::229]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC4221F9C06 for <ietf@ietf.org>; Wed, 11 Sep 2013 21:55:56 -0700 (PDT)
Received: by mail-pd0-f169.google.com with SMTP id r10so10250758pdi.0 for <ietf@ietf.org>; Wed, 11 Sep 2013 21:55:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:date:message-id:cc:to:mime-version; bh=5WvFwXfMc8IBXa20zwjAbvnQYz3uVB2otnmjHHIN2Mk=; b=t9Zj0wwpHt+F3waDpBKlq8WaqDxB++T17oSGRER403x37xy1Pc+nBXBvrfOg9JflOw X4yM2xYZ4W76J9eEO61ZpRIpCd3c2drLbqs6gz6iiSvoXxJNHk3K42Z1GaoLG0nQnfCJ LQWAIheBPgzn2DAqw9oGXE9uR5rfiTvf1vfJRez+I2ZaowlqYVkwKJv7sF++VzzWiA4/ +pOyqPCPuaXc3/TaWz6JBuh3PTSVb3mgzt/TVZP+/dQPBmGreTYZvAcJZ595mnrDWQCf ZsfSqaYig8ARXQBQuX8iNgc9rAQ9j3vbWuA8zKkvoDJne9o2veKqfi+Q6wuFbSIZ7qtp lXMQ==
X-Received: by 10.66.243.196 with SMTP id xa4mr779713pac.174.1378961754888; Wed, 11 Sep 2013 21:55:54 -0700 (PDT)
Received: from ?IPv6:2601:9:7680:308:9970:312c:70d0:6973? ([2601:9:7680:308:9970:312c:70d0:6973]) by mx.google.com with ESMTPSA id hx1sm1944184pbb.35.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 11 Sep 2013 21:55:53 -0700 (PDT)
From: Douglas Otis <doug.mtview@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BF4A2C38-FA23-41EA-BD32-8CAF9BD31B43"
Subject: Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard
Date: Wed, 11 Sep 2013 21:55:50 -0700
Message-Id: <6FC7A544-0AB5-4BC0-A0BF-D0D8D740D3B8@gmail.com>
To: IETF Discussion <ietf@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)
Cc: SM <sm+ietf@elandsys.com>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 04:55:58 -0000

Recommended text is as follows:

4.6.4.  DNS Lookup Limits

Was:
,--
SPF implementations MUST limit the total number of mechanisms and modifiers ("terms") that cause any DNS query to 10 during SPF evaluation.  Specifically, the "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier count against this collective limit.  The "all", "ip4", and "ip6" mechanisms do not count against this limit.  If this number is exceeded during a check, a "permerror" MUST be returned.  The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record evaluation has been completed.
'--

Change to:
,---
SPF does not directly limit the number of DNS lookup transactions.  Instead, the number of mechanisms and the modifier term "redirect" MUST be limited to no more than 10 instances within the evaluation process.  The mechanisms "ip4", "ip6", and "all" and the "exp" modifier are excluded from being counted in this instance limitation. If this instance limit is exceeded during the evaluation process, a "permerror" MUST be returned.
'---

5.  Mechanism Definitions

Was:
,--
Several mechanisms rely on information fetched from the DNS.  For these DNS queries, except where noted, if the DNS server returns an error (RCODE other than 0 or 3) or the query times out, the mechanism stops and the topmost check_host() returns "temperror".  If the server returns "domain does not exist" (RCODE 3), then evaluation of the mechanism continues as if the server returned no error (RCODE 0) and zero answer records.
‘---

Add:
,---
See the recommended limits on "void lookups" defined in Section 4.6.4. DNS Lookup Limits.
‘---

3.4.  Record Size

Was:

,---
Note that when computing the sizes for replies to queries of the TXT format, one has to take into account any other TXT records published at the domain name.  Similarly, the sizes for replies to all queries related to SPF have to be evaluated to fit in a single 512 octet UDP packet.
‘---

Change to:
,---
Note that when computing the sizes for replies to queries of the TXT format, one has to take into account any other TXT records published at the domain name.  Similarly, the sizes for replies to all queries related to SPF have to be evaluated to fit in a single 512 octet DNS Message.
‘---

Add to:
11.5.3.  Macro Expansion
,---
It is not within SPF’s purview whether IPv6 or DNSSEC is being used.  IPv6 (RFC2460) increased the minimum MTU size to 1280 octets.  DNSSEC is deployed with EDNS0 (RFC6891) to avoid TCP fallback.  EDNS0 suggests an MTU increase between 1280 and 1410 octets offers a reasonable result starting from a request of 4096 octets.  A 1410 MTU offers a 2.4 times payload increase over the assumed MTU of 576 octets and is widely supported by Customer Premise Equipment.  With increased MTUs being used with DNS over UDP, network amplification concerns increase accordingly.

SPF macros can utilize SPF parameters derived from email messages that can modulate the names being queried in several ways without publishing additional DNS resources.  The SPF macro feature permits malefactors a means to covertly orchestrate directed DDoS attacks from an array of compromised systems while expending little of their own resources.

Since SPF does not make use of a dedicated resource record type or naming convention, this leaves few solutions available to DNS operations in offering a means to mitigate possible abuse.  This type of abuse becomes rather pernicious when used in conjunction with synthetic domains now popular for tracking users without using web cookies.

However, email providers can mitigate this type of abuse by ignoring SPF records containing macros.  Very few domains make use of macros, and ignoring these records result in neutral handling.  Some large providers have admitted they make use of this strategy without experiencing any notable problem.  AOL began their support of SPF by saying they would use SPF to construct whitelists prior to receipt of email.  Clearly, such whitelisting practices tends to preclude benefits derived from macro use.
‘---

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email