Re: [dnsext] Deprecating SPF
S Moonesamy <sm+ietf@elandsys.com> Tue, 20 August 2013 18:38 UTC
Return-Path: <sm@elandsys.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23BCE11E80DF; Tue, 20 Aug 2013 11:38:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.449
X-Spam-Level:
X-Spam-Status: No, score=-102.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kM9-DDV9BJmi; Tue, 20 Aug 2013 11:38:33 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id A8A7611E812F; Tue, 20 Aug 2013 11:38:32 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.226.234.26]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r7KIc8uK028387 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 11:38:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1377023903; bh=Sv2/3w0QtBWCaWv4IqgxOwuIZ4KLQVhbKrq7HRrTKYc=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=sKPkKo/7vEBVo11hQFvp2jk6zefhXJdSw/SpggksQBV8kNo3to+QBnbs2KG7YuFRx WiXx37oXUifLyQN4JDFNcgbChalfFEeqNxR6Ohr72WGQDYhHKHagYouKJtLZ+yXrWS v4NjDUZbpHuiS6mQZgKiF/CJOh/aUmARyrjy9H1Y=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1377023903; i=@elandsys.com; bh=Sv2/3w0QtBWCaWv4IqgxOwuIZ4KLQVhbKrq7HRrTKYc=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=d7Q124M7iq+YSbXrWeIJuEIyrEicR/XQNH8Nnh1IQRMepnKc7HlLW2gzHkKjtO1oW vHHJT7Kl1e9NeCExNSurtxzneb3glRcZLvXQrWa459GDcbIPkha7Dh9a4UwSnwJoey KRe6LQui6dhGp9ibfXdIRyXeNnFFOLM+oQKfI2AM=
Message-Id: <6.2.5.6.2.20130820110057.0bead1e8@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 20 Aug 2013 11:36:55 -0700
To: Patrik Fältström <paf@frobbit.se>
From: S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: [dnsext] Deprecating SPF
In-Reply-To: <933357EA-6472-4C77-AED3-E6411BC684B6@frobbit.se>
References: <E3DE33F3-B0A5-494B-9202-499E16ECCFB1@virtualized.org> <20130819222037.GA55876@mx1.yitter.info> <93130B0B-5C37-45EE-8380-AF209CA54B8F@frobbit.se> <521385AA.9080401@qti.qualcomm.com> <933357EA-6472-4C77-AED3-E6411BC684B6@frobbit.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Cc: Pete Resnick <presnick@qti.qualcomm.com>, dnsext@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 18:38:35 -0000
Hi Patrik,
I am copying the message to ieft@ as there is an ongoing Last Call.
At 08:28 20-08-2013, Patrik Fältström wrote:
>The consensus related to how to fix RFC 4408
>will be very rough. That is clear. And I feel
>sorry for responsible AD and IESG to be forced
>to make a decision that such a large rough part
>of the rough consensus will not be happy with.
>Regardless of what the decision will be.
>
>
>An architectural correct solution is to change:
>
>OLD:
>
> An SPF-compliant domain name SHOULD have SPF records of both RR
> types. A compliant domain name MUST have a record of at least one
> type. If a domain has records of both types, they MUST have
> identical content.
>
>NEW:
>
> An SPF-compliant domain name SHOULD have SPF records of both RR
> types. A compliant domain name MUST have a record of at type SPF,
> code 99. Lookup MUST first be of type SPF and SHOULD if no response
> is received be of type TXT.
>
>
>Reasoning: The use of the TXT record for SPF is
>not sounds for a number of reasons:
>
>1. The TXT record already can have multiple
>fields, and it is very unfortunate that the SPF
>use of TXT records do not use that feature.
>Instead the SPF specification do say that the
>first field should be used, and if there are
>more than one they should be concatenated. After
>one have one and only one field, that field
>should be parsed and divided in fields.
>
>2. It is even (compared to some other TXT
>related documents) pointed out in RFC 4408 that
>collisions as described in RFC 5507 might happen.
>
>3. It is also pointed out that there might be
>size issues with the records, and experience
>from use of NAPTR show that selecting a
>preferred mechanism that potentially blows the
>size of the RRSet is not very wise. This is btw
>why the URI RR Type do not use a prefixed length
>"text" field in the RDATA but do set the string
>the URI is to the full length of the RDATA, i.e.
>without any 255 byte limitation.
>
>4. DNS is by design (as pointed out in RFC 5507)
>created with a tuple consisting of owner, type
>and class for selection by the client what
>record set to be retrieved. This RRSet
>architecture is something that comes back not
>only in the query/response architecture of the
>DNS protocol, but also in the DNSSEC
>architecture where RRSets are the units that are
>signed. Not explicitly ensuring an RRSet is used
>for SPF (and nothing more) is an architectural choice I strongly am against.
>
>
>Because of these reasons, I do believe the
>choice is wrong to say that TXT MUST be
>implemented and instead I am in favor of having
>type SPF be mandatory for interoperability with fallback to lookup of TXT.
From Section 3.1 of draft-ietf-spfbis-4408bis-19:
"SPF records MUST be published as a DNS TXT (type 16) Resource Record
(RR) [RFC1035] only. The character content of the record is encoded
as [US-ASCII]. Use of alternative DNS RR types was supported in
SPF's experimental phase, but has been discontinued."
There is a message from Pete Resnick about RFC
2119 usage (
http://www.ietf.org/mail-archive/web/spfbis/current/msg03642.html
). The interpretation of "SHOULD" and MUST" in
that part of RFC 4408 was an issue which the SPFBIS WG discussed about.
It would be better to have the discussion on the
ietf@ mailing list as that's the venue which the
IESG identified for last Call comments.
Regards,
S. Moonesamy
- Re: [dnsext] Deprecating SPF S Moonesamy
- Re: [dnsext] Deprecating SPF Patrik Fältström
- Last call of draft-ietf-spfbis-4408bis-19 Patrik Fältström
- Re: [dnsext] Deprecating SPF S Moonesamy
- Re: [dnsext] Deprecating SPF Patrik Fältström
- Re: Last call of draft-ietf-spfbis-4408bis-19 S Moonesamy
- Re: [dnsext] Deprecating SPF Mark Andrews
- Fwd: Re: [dnsext] Deprecating SPF Mark Andrews