IETF Logo Mail Archive

Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

Scott Kitterman <scott@kitterman.com> Mon, 26 August 2013 23:29 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAF4221F9655 for <ietf@ietfa.amsl.com>; Mon, 26 Aug 2013 16:29:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGpau2UKlVC7 for <ietf@ietfa.amsl.com>; Mon, 26 Aug 2013 16:29:38 -0700 (PDT)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id D55C611E820D for <ietf@ietf.org>; Mon, 26 Aug 2013 16:29:38 -0700 (PDT)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 50BF620E40F6; Mon, 26 Aug 2013 19:29:38 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1377559778; bh=+t2jAtIQe2+bIwXayslk2gGeGl1XJwTxkwnRghZvUcs=; h=From:To:Subject:Date:In-Reply-To:References:From; b=hM/ba7nxDBsAVPIb/YUjTkvBAjLN/LQAk+4/RBiqqDhlUnL4hkMpXn2dM3BRtzU/K qLppcEP33wqoAOHgDDsDDBL2W61rJayJgNAgCFRlvXF4qGc1Rv1xoscmd07UErfa2U 7CI80NYOz4Uor7OdQDr2rd/Ee4U+N4G66TA1fMl8=
Received: from scott-latitude-e6320.localnet (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id 3962620E4043; Mon, 26 Aug 2013 19:29:37 -0400 (EDT)
From: Scott Kitterman <scott@kitterman.com>
To: ietf@ietf.org
Subject: Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard
Date: Mon, 26 Aug 2013 19:29:36 -0400
Message-ID: <5564260.oH8aR0Fh9U@scott-latitude-e6320>
User-Agent: KMail/4.10.5 (Linux/3.8.0-29-generic; KDE/4.10.5; i686; ; )
In-Reply-To: <BE72B4FF-2948-4EB4-9A91-D026FC493B4F@gmail.com>
References: <9884B9CD-0ED3-4D89-A100-58D05EA4BC98@gmail.com> <1973922.OgEpFZ84lJ@scott-latitude-e6320> <BE72B4FF-2948-4EB4-9A91-D026FC493B4F@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2013 23:29:44 -0000

On Monday, August 26, 2013 16:28:03 Douglas Otis wrote:
> On Aug 26, 2013, at 3:48 PM, Scott Kitterman <scott@kitterman.com> wrote:
> > On Monday, August 26, 2013 15:42:41 Douglas Otis wrote:
> >> Please also note that the PTR RR is not constrained in the current
> >> specification and can create erratic results.  It would be far safer to
> >> Perm error when overflowing on the number of PTR records.  There is no
> >> upper limit as some represent web farms hosting thousands of domains.
> > 
> > This exact issue was the subject of working group discussion.  Since the
> > number of PTR records is an attribute of the connect IP, it is under the
> > control of the sending party, not the domain owner.  A cap that resulted
> > in an error would, as a result, enable the sender to arbitrarily get an
> > SPF permerror in place of a fail if desired.  The WG considered that not
> > a good idea.
> 
> Dear Scott,
> 
> It is within the control of the Domain owner about whether to make use of
> the ptr mechanism in their SPF TXT.  Random ordering or responses is also
> controlled by the IP address owner and not the Domain owner.  The ptr
> mechanism may offer intermittent results that will be difficult to
> troubleshoot.  By offering a Perm error on a ptr overflow, the domain owner
> is quickly notified this mechanism should not be used and are not fooled by
> it working some of the time.  The greater concern is in regard to the over
> all response sizes when DNSSEC is used.  In that case, response sizes can
> grow significantly.  Allowing large responses to occur without producing an
> error seems like a risky strategy from the DDoS perspective.  That is also
> another reason for worrying about the use of TXT RRs.  How many large
> wildcard TXT RR exist, and if they do, who would be at fault when this
> becomes a problem for SPF?

Your conclusion is different than the one the working group reached.

Scott K

v2.23.0 | Report a Bug | By Email