Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14
Alessandro Vesely <vesely@tana.it> Thu, 18 April 2013 17:44 UTC
Return-Path: <vesely@tana.it>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5770121F8F2E for <spfbis@ietfa.amsl.com>; Thu, 18 Apr 2013 10:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.337
X-Spam-Level:
X-Spam-Status: No, score=-4.337 tagged_above=-999 required=5 tests=[AWL=0.382, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RiEjMtzW9eWl for <spfbis@ietfa.amsl.com>; Thu, 18 Apr 2013 10:44:14 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 5C65D21F8F63 for <spfbis@ietf.org>; Thu, 18 Apr 2013 10:44:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1366307053; bh=ry7t0ImCoO+La5bT0bFxc0tVEtbBnZW3nm0pBVbyHCw=; l=8416; h=Date:From:To:References:In-Reply-To; b=Ty0u53eccBAaRImwxvabTtFvKf3LkrcmIorX1efZT5BE6DmdSHxglTa2ydC1VMMkJ m2/1qnHuQwruWBUTPDvqRWT/XiJUNBTfGmaNoMFaxCA+1Ka5mOe2ol6LrQ+sTQ2JbP Ny2w6X9Z8B4Scyuvluu63PAv9DnGs20Urx+tejSY=
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.101] (pcale.tana [172.25.197.101]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Thu, 18 Apr 2013 19:44:13 +0200 id 00000000005DC042.00000000517030ED.000050A5
Message-ID: <517030ED.20501@tana.it>
Date: Thu, 18 Apr 2013 19:44:13 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: spfbis@ietf.org
References: <20130409062431.GK24624@mx1.yitter.info> <9424963.YHzqPUZEKJ@scott-latitude-e6320>
In-Reply-To: <9424963.YHzqPUZEKJ@scott-latitude-e6320>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2013 17:44:16 -0000
On Wed 17/Apr/2013 03:51:07 +0200 Scott Kitterman wrote: > On Tuesday, April 09, 2013 02:24:32 AM Andrew Sullivan wrote: > >> WGLC will close at 2014-04-24 00:00 UTC. >> >> SM will be the shepherd for this document. >> >> Best regards, >> >> Andrew (for the chairs) > > Just as a reminder, we're ~half way through the WGLC period Oh, you mean the close date was a typo? Here's my notes, mostly nits. I pasted lots of text from the I-D, so that issues can be evaluated even without getting at the document. *Abstract* Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on [...] That was good in 2004, now SPF exists already. A possible replacement could be, e.g.: This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby an Administration Management Domain (ADMD) can explicitly authorize the hosts that are allowed to use its domain names. A receiving host can check such authorization based on the IP address of the sending client and the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. 1. *Introduction* The current email infrastructure has the property that any host injecting mail into the system can use any DNS domain name it wants in each of the various identifiers specified by [RFC5321] and [RFC5322]. This sounds oldish too. SPF is not the only email authentication method. Perhaps we could use the introduction to explain the differences. 1.2. *check_host()* Section 4 introduces an algorithm to evaluate an SPF policy against an arriving email transaction. s/arriving email transaction/incoming email message/? 2.5. *Location of Checks* The authorization check SHOULD be performed during the processing of the SMTP transaction that sends the mail. s/sends/receives/? 3. *SPF Records* Do we wish to give an example of multi-line format in the zone file? 4.3. *Initial Processing* Internationalized domain names MUST be encoded as A-labels, as described in Section 2.3 of [RFC5890].on 2.3 of [RFC5890]. s/on 2.3 of [RFC5890].// once. 4.4. *Record Lookup* If all DNS lookups that are made return a server failure (RCODE 2), or other error (RCODE other than 0 or 3), or time out, then check_host() terminates immediately with the result "temperror". That "all" seems to refer to the SPF and TXT types. I'd say: If the query returns a server failure (RCODE 2), 4.6.4. *DNS Lookup Limits* These limits are per mechanism or macro in the record, and are in addition to the lookup limits specified above. Hm... above where? Perhaps splitting the section into, say: 4.6.4.1 *Total Limits*, and 4.6.4.2 *Particular cases* would allow to specify it more clearly. If you do so, then move the following (last two) paragraphs up. 4.7. *Default Result* OLD Note that records SHOULD always use either a "redirect" modifier or an "all" mechanism to explicitly terminate processing. NEW The RECOMMENDED practice is to use either a "redirect" modifier or an "all" mechanism to explicitly terminate the record. (A reader has no way to actually "note" that, and modifiers don't always terminate processing.) 5. *Mechanism Definitions* OLD Designated sender mechanisms are used to designate a set of <ip> NEW Designated-sender mechanisms are used to qualify a set of <ip> (Just avoiding to explain a term with itself.) SPF implementations on IPv6 servers need to handle both "AAAA" and "A" secords, for clients on IPv4 mapped IPv6 addresses [RFC4291]. s/secords/records/ 5.2. *"include"* <vspace/> <!-- FIXME: prevent automatic line break after '"mx:' --> I have no suggestions. Do we need it? 5.5. *"ptr" (do not use)* After many years of SPF deployment experience it has been concluded it is unnecessary and more reliable alternatives used instead. Maybe it's me, or the page break, but I think a comma after "experience" would make it more readable. 5.6. *"ip4" and "ip6"* Production rules can be set as mentioned in http://www.ietf.org/mail-archive/web/spfbis/current/msg03266.html 6.1. *redirect: Redirected Query* There is no statement on whether redirect= can be applied by an "include" mechanism. 6.2. *exp: Explanation* If check_host() results in a "fail" due to a mechanism match (such as "-all"), and the "exp" modifier is present, then [...] This is incomprehensible after the reorganization. I'd add "and the verifier is going to reject the message", and a link to Section 8.4 Fail. 8. Result Handling As such, there is no normative requirement for message handling in response to any particular result. This section is provided to present a complete picture of the likely cause of each result, and where available, the experience gained during experimental deployment. Please remove those two sentences, as they are not true. We could say there is no normative requirement for rejecting a message. But, for example, for softfail we correctly have normative requirements: Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal. This not holds for 10.2. Receivers too. 8.2. *Neutral* A "neutral" result indicates that although a policy for the identity was discovered, there is no definite assertion about the (positive or negative) about the client. Remove the first "about the". 8.7. *Permerror* It is also possible that this result is generated by certain SPF clients due to the input arguments having an unexpected format; see Section 4.8. I'd s/client/verifiers/. Raw "client" throughout the document refers to SMTP clients. "SPF client" is mentioned a few times and could cause confusion. There is no mention of "exp". Is its usage permitted/recommended? Missing reference to Appendix H.3, but see below. 9.2. *SPF Results in the Authentication-Results Header Field* It is, however, possible to add CFWS in the "reason" part of an Authentication-Results header field and provide the equivalent information, if desired. s/CFWS/key-value pairs/? 10. Effects on Infrastructure a comprehensive list of what such entities SHOULD do in light of this document. Is that /meant/ to be normative? 10.1.2. Administrator's Considerations changes are common, it is better to use the less resource intensive mechanisms like "ip4" and "ip6" over "a" or "a" or "mx". s/"a" or "mx"/"a" over "mx"/ The hostname is generally the identity used in the 5321.HELO/.EHLO command. In the case of messages with a null 5321.MailFrom, this is used as the domain for 5321.MailFrom SPF checks, in addition to being used in 5321.HELO/.EHLO based SPF checks. "hostname" is called "domain" in the previous paragraph, and the long slash-dot form of the names is used. In addition to reword that, it may be worth to note that x@relay.example.com can be used as an address even if there's no corresponding MX. 10.2. *Receivers* As stated elsewhere in this document, there is no normative requirement for specific handling of a message based on any SPF result. See 8. Result Handling above. 11.1. *Processing Limits* Using SPF clients also allows the attacker to hide the true source of the attack. s/clients/verifiers/. 11.5.1. *Recorded Results* This information, passed to the receiver in the Received-SPF: or Authentication-Results: trace fields, may be returned to the client MTA as an SMTP rejection message. If such an SMTP rejection message s/may/can/ if needed. Appendix H. *Local Policy Considerations* Do we still need to have this text in an appendix? It seems to be possible to insert each subsection within the relevant subsection of Section 8. IMHO that would improve clarity. Considerations for temperror are missing, anyway. Appendix I. *Protocol Status* s/techincal/technical/ P.S.: what widely deployed extensions to SPF? Appendix J. *Change History* Resolved Section 2.5.7 PermError on invalid domains after macro expansion errata in favor of documenting that different clients produce different results. s/clients/verifiers/.
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 John Levine
- [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Andrew Sullivan
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dotzero
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Tim Draegen
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dotzero
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Tim Draegen
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Commerco WebMaster
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 John Levine
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 John Levine
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Stuart Gathman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Kurt Andersen
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… John Levine
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Hector Santos
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Stuart Gathman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Stuart Gathman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 -… Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Stuart Gathman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dave Crocker
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 John Levine
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Alessandro Vesely
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Douglas Otis
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Stuart D Gathman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dave Crocker
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Scott Kitterman
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Douglas Otis
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dave Crocker
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 John Leslie
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dave Crocker
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Murray S. Kucherawy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Douglas Otis
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Andrew Sullivan
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Dave Crocker
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14 Mark Andrews
- [spfbis] The RRTYPE topic (was: WGLC: draft-ietf-… Andrew Sullivan
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Mark Andrews
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Murray S. Kucherawy
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Mark Andrews
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Andrew Sullivan
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Mark Andrews
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Murray S. Kucherawy
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Mark Andrews
- Re: [spfbis] The RRTYPE topic (was: WGLC: draft-i… Douglas Otis
- Re: [spfbis] The RRTYPE topic Stuart D Gathman
- Re: [spfbis] The RRTYPE topic Scott Kitterman
- Re: [spfbis] The RRTYPE topic Stuart Gathman
- Re: [spfbis] The RRTYPE topic Scott Kitterman