IETF Logo Mail Archive

Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14

Douglas Otis <doug.mtview@gmail.com> Thu, 23 May 2013 19:29 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD0E21F90AC; Thu, 23 May 2013 12:29:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMCSC+6uBqDz; Thu, 23 May 2013 12:28:57 -0700 (PDT)
Received: from mail-pd0-f173.google.com (mail-pd0-f173.google.com [209.85.192.173]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4DD21F96C7; Thu, 23 May 2013 11:58:20 -0700 (PDT)
Received: by mail-pd0-f173.google.com with SMTP id v14so2005229pde.32 for <multiple recipients>; Thu, 23 May 2013 11:58:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=tFHq9RbIQfrmwJ6DJiQlDKjQC99NSvu8+vlNYB1zdpg=; b=ckf1jYLsn0EcIjv/BkhPdAjeeWquay0NaGX/asA2IRZHV5cD4e7XfeFZPGmt3zPw5d iJ/GxuzmYrnTW1Djl9RnwkG2xCNeqHk7+vjJY4K+RsNK9vUBFYKz0mC9NI8r6Uk8Gg4k bl1AJair+kQapDdetVNZBJcZ5rTt4IjlB4VWpmrc4vJrKmR1tvAmT9E7xm5UOQx0pd8S 0Y/JL8ZIEsSORQYH8+XIIsFN29qSOIbk1cfe0aixEjsdhWTUCoxYMsF16yNMw1o4sRws YNmcVAykgWrw+33uLFsj2Rd1nECnVlMTw/rYXcNa91mKJZwGgO9Ayt1fbpvim1gy+JE9 oxhA==
X-Received: by 10.68.164.226 with SMTP id yt2mr14310305pbb.203.1369335500037; Thu, 23 May 2013 11:58:20 -0700 (PDT)
Received: from [192.168.1.194] (c-24-4-157-244.hsd1.ca.comcast.net. [24.4.157.244]) by mx.google.com with ESMTPSA id if5sm12729646pbb.31.2013.05.23.11.58.16 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 23 May 2013 11:58:17 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <6.2.5.6.2.20130523095247.0dc5a520@elandnews.com>
Date: Thu, 23 May 2013 11:58:17 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E10E46C-D524-41F2-9546-09DC7E3426A1@gmail.com>
References: <CAMm+LwjoH77H9cRQseQF09rDLwjtViZW_tGp71v0-WaZujoYtA@mail.gmail.com> <6.2.5.6.2.20130523095247.0dc5a520@elandnews.com>
To: S Moonesamy <sm+ietf@elandsys.com>
X-Mailer: Apple Mail (2.1503)
X-Mailman-Approved-At: Fri, 24 May 2013 01:43:22 -0700
Cc: spfbis@ietf.org, draft-ietf-spfbis-4408bis.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 19:29:11 -0000

On May 23, 2013, at 10:01 AM, S Moonesamy <sm+ietf@elandsys.com> wrote:

> Hi Phillip,
> At 09:58 26-04-2013, Phillip Hallam-Baker wrote:
>> The document is clear and describes the SPF mechanism effectively. The only quibble that I could find is that repeated mentions are made of limiting the number of 'DNS queries' without specifying whether these are individual queries or recursive. The count will come out rather differently if looking up TXT/x.example.com counts as one lookup or three. I think it is reasonably clear that this is one but could not find an explicit statement to that effect.
>> 
>> On the security side, the document addresses all the mail issues that I can remember at this point and rather more besides.
>> 
>> I think we have reached the point of diminishing returns.
>> 
>> The document provides a clear enough warning to people configuring SPF records as to the consequences of getting it wrong which is the main concern. The filtering services will know their business well enough to minimize false positives.
>> 
>> Hopefully the email infrastructure will evolve over time towards concentrating on the more policy friendly approaches and it will be possible to simplify the mechanism at a future date.
> 
> There are two comments about the security directorate review of draft-ietf-spfbis-4408bis-14 at http://www.ietf.org/mail-archive/web/spfbis/current/msg03723.html and http://www.ietf.org/mail-archive/web/spfbis/current/msg03726.html
> 
> The SPFBIS WG does not plan to make any change to draft-ietf-spfbis-4408bis.  Please let me know if you consider that the security directorate review has not been addressed.

Dear SM and Scott,

Greater clarity would have been achieved by separating transactions involving the SPF checkhost process (spfch-transactions) which may then generate some number of recursive dns server transactions (rdns-transactions).

A transaction made at the spfch level will result in some number of transactions at the rdns level, which could then be described as representing some number of separate DNS queries.

Confusion has been caused by conflating checkhost and recursive DNS transactions with that of non-recursive DNS which may involve dozens of unique queries to resolve any particular resource.  This is bad and is a continuing source of confusion.

A practical means to simplify SPF's impact on a receiver's DNS is to first ignore SPF records containing macro expressions.  This happens and this may explain the nearly 100% lack of macro use.  They then limit the number of SPF resource records and MX mechanisms and ignore the PTR mechanism.  Appreciate what receivers consider a reasonable demand on their resources that offers cache-able results.

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email