IETF Logo Mail Archive

Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard

Scott Kitterman <scott@kitterman.com> Mon, 26 August 2013 23:56 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3930811E8107 for <ietf@ietfa.amsl.com>; Mon, 26 Aug 2013 16:56:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AY8P++epgf+3 for <ietf@ietfa.amsl.com>; Mon, 26 Aug 2013 16:56:50 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA6221F991F for <ietf@ietf.org>; Mon, 26 Aug 2013 16:56:47 -0700 (PDT)
Received: from mailout03.controlledmail.com (localhost [127.0.0.1]) by mailout03.controlledmail.com (Postfix) with ESMTP id D940E956001; Mon, 26 Aug 2013 19:56:46 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1377561406; bh=lxtn0SAuWvfZ1GN236WGWG9fkcjyQY5+Ow8Wgh5Ut68=; h=In-Reply-To:References:Subject:From:Date:To:From; b=oZOqB0cqwtc3d4fktcVbQdPEsWjwR0xTrN3Sf9QbtnAOSdW/NwPfEocu2X0MEDjYr ryWkNfOETcHqZHQ/C5nXmzEIIaQyiY0Ogvh/RkCQIzNa+EcwwwZcOBR6VPBEDVsWZY HYB9DMbMU+vmOKTz69xH8x32u+/fyLkiSbWQ2xjo=
Received: from [192.168.111.106] (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 8C710D0401E; Mon, 26 Aug 2013 19:56:46 -0400 (EDT)
User-Agent: K-9 Mail for Android
In-Reply-To: <5E537808-7B01-42FA-9109-3C8B8F26C1F4@gmail.com>
References: <9884B9CD-0ED3-4D89-A100-58D05EA4BC98@gmail.com> <1973922.OgEpFZ84lJ@scott-latitude-e6320> <BE72B4FF-2948-4EB4-9A91-D026FC493B4F@gmail.com> <5564260.oH8aR0Fh9U@scott-latitude-e6320> <5E537808-7B01-42FA-9109-3C8B8F26C1F4@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: Last Call: <draft-ietf-spfbis-4408bis-19.txt> (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1) to Proposed Standard
From: Scott Kitterman <scott@kitterman.com>
Date: Mon, 26 Aug 2013 19:56:53 -0400
To: ietf@ietf.org
Message-ID: <ba997e72-0255-4b8d-984f-03736b8b2d53@email.android.com>
X-AV-Checked: ClamAV using ClamSMTP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2013 23:56:57 -0000

Douglas Otis <doug.mtview@gmail.com> wrote:
>
>On Aug 26, 2013, at 4:29 PM, Scott Kitterman <scott@kitterman.com>
>wrote:
>
>> On Monday, August 26, 2013 16:28:03 Douglas Otis wrote:
>>> On Aug 26, 2013, at 3:48 PM, Scott Kitterman <scott@kitterman.com>
>wrote:
>>>> On Monday, August 26, 2013 15:42:41 Douglas Otis wrote:
>>>>> Please also note that the PTR RR is not constrained in the current
>>>>> specification and can create erratic results.  It would be far
>safer to
>>>>> Perm error when overflowing on the number of PTR records.  There
>is no
>>>>> upper limit as some represent web farms hosting thousands of
>domains.
>>>> 
>>>> This exact issue was the subject of working group discussion. 
>Since the
>>>> number of PTR records is an attribute of the connect IP, it is
>under the
>>>> control of the sending party, not the domain owner.  A cap that
>resulted
>>>> in an error would, as a result, enable the sender to arbitrarily
>get an
>>>> SPF permerror in place of a fail if desired.  The WG considered
>that not
>>>> a good idea.
>>> 
>>> Dear Scott,
>>> 
>>> It is within the control of the Domain owner about whether to make
>use of
>>> the ptr mechanism in their SPF TXT.  Random ordering or responses is
>also
>>> controlled by the IP address owner and not the Domain owner.  The
>ptr
>>> mechanism may offer intermittent results that will be difficult to
>>> troubleshoot.  By offering a Perm error on a ptr overflow, the
>domain owner
>>> is quickly notified this mechanism should not be used and are not
>fooled by
>>> it working some of the time.  The greater concern is in regard to
>the over
>>> all response sizes when DNSSEC is used.  In that case, response
>sizes can
>>> grow significantly.  Allowing large responses to occur without
>producing an
>>> error seems like a risky strategy from the DDoS perspective.  That
>is also
>>> another reason for worrying about the use of TXT RRs.  How many
>large
>>> wildcard TXT RR exist, and if they do, who would be at fault when
>this
>>> becomes a problem for SPF?
>> 
>> Your conclusion is different than the one the working group reached.
>
>Dear Scott, 
>
>Do you recall whether DNSSEC had been considered?

My recollection is that it was discussed. I believe it was concluded that SPF would benefit from the enhanced security associated with DNSSEC.  SPF doesn't seem to suffer from any unique problems associated with the potential for a larger payload. 

Scott K

v2.23.0 | Report a Bug | By Email