Re: [spfbis] Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

Mark Andrews <marka@isc.org> Wed, 21 August 2013 23:31 UTC

To: Scott Kitterman <scott@kitterman.com>
From: Mark Andrews <marka@isc.org>
References: <20130819131916.22579.36328.idtracker@ietfa.amsl.com> <13637683.gDTVOaM8nE@scott-latitude-e6320> <20130821133233.D0A6B38BE02F@drugs.dv.isc.org> <7917527.VmCQD3a6Q3@scott-latitude-e6320> <20130821214832.1C92538C0230@drugs.dv.isc.org> <20130821222514.A617138C05EC@drugs.dv.isc.org> <0c3746c3-dac1-471f-bd07-8faf20481337@email.android.com>
Subject: Re: [spfbis] Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard
In-reply-to: Your message of "Wed, 21 Aug 2013 19:07:25 -0400." <0c3746c3-dac1-471f-bd07-8faf20481337@email.android.com>
Date: Thu, 22 Aug 2013 09:31:03 +1000
Message-Id: <20130821233103.39C5338C0A87@drugs.dv.isc.org>
Cc: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>

In message <0c3746c3-dac1-471f-bd07-8faf20481337@email.android.com>, Scott Kitterman writes:
> 
> 
> Mark Andrews <marka@isc.org> wrote:
> >
> >In message <20130821214832.1C92538C0230@drugs.dv.isc.org>, Mark Andrews
> >writes:
> >> > It's primarily an issue for applications.  To the DNS, it's exactly what it
> >> > is, a TXT record.
> >
> >I can hand update of A and AAAA records to the machine.
> >I can hand update of MX records to the mail administrator.
> >I can hand update of SPF records to the mail administrator.
> >I can hand update of TXT records to ??????
> 
> No one because it has multiple uses.  This is true whether SPF exists or not.  SPF use of RRTYPE TXT for SPF records makes that neither better nor worse.
> 
> You could publish:
> 
> example.com IN TXT v=spf1 redirect=_spf.example.com
> _spf.example.com IN TXT v=spf1 [actual content here]
> 
> Then delegate _spf.example.com to the mail administrator.  Problem solved.

No, it is NOT solved.  You have to trust *everyone* with the ability
to update TXT not to remove / alter that record.  You can't give someone
you don't trust the ability to update TXT.

With a published SPF record and SPF lookup first stopping on success
or lookup failure (SERVFAIL) you can give update control of TXT to
someone you don't trust enough to not remove / alter the SPF TXT
record.

You keep telling us the TXT is just another record in the DNS.  Well,
the DNS is managed at the granularity of the TYPE.  4408bis is forcing
sub-type management to be developed and deployed to maintain the
status quo.  TXT is no longer "just another record in the DNS" with
4408bis as it currently stands.

And to Google: your motto is "Do No Evil".  Publishing a TXT SPF record
without publishing an SPF SPF record is "Evil", as it encourages others to
do the same.

Mark

> Scott K
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
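The per-type delegation Mark describes, as an added illustration that is not part of this thread: a BIND 9 `update-policy` for the zone (key names are hypothetical) can grant the host its own A/AAAA and the mail administrator MX and the SPF RRTYPE, but any grant on TXT hands every TXT application at that name to the same updater, including the apex redirect record in Scott's variant.

```conf
// Added example: BIND 9 named.conf dynamic-update policy for example.com.
// Key names (host-key, mailadmin-key, web-key) are hypothetical.
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        // The machine may maintain only its own address records.
        grant host-key.example.com. name host.example.com. A AAAA;

        // The mail administrator may maintain MX and the SPF RRTYPE
        // at the apex; no other application shares those types.
        grant mailadmin-key.example.com. name example.com. MX SPF;

        // A TXT grant cannot be narrowed to "only the v=spf1 record":
        // whoever holds it can replace or delete every TXT at the name,
        // including an apex "v=spf1 redirect=_spf.example.com" record.
        // This is the updater the SPF record owner must trust.
        grant web-key.example.com. name example.com. TXT;

        // Scott's variant: hand the _spf subtree to the mail administrator.
        // It isolates the policy body, but the apex TXT pointing at it
        // is still governed by the TXT grant above.
        grant mailadmin-key.example.com. subdomain _spf.example.com. TXT;
    };
};
```

With the SPF RRTYPE grant the mail administrator's record survives whatever the TXT updater does; with the TXT-only design there is no grant that protects it short of withholding TXT updates from everyone.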