IETF Logo Mail Archive

Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits

Alessandro Vesely <vesely@tana.it> Wed, 23 January 2013 08:52 UTC

Return-Path: <vesely@tana.it>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7381F21F871F for <spfbis@ietfa.amsl.com>; Wed, 23 Jan 2013 00:52:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.119
X-Spam-Level:
X-Spam-Status: No, score=-4.119 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEBlckbJw+TI for <spfbis@ietfa.amsl.com>; Wed, 23 Jan 2013 00:52:10 -0800 (PST)
Received: from wmail.tana.it (mail.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 9570721F86FB for <spfbis@ietf.org>; Wed, 23 Jan 2013 00:52:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1358931127; bh=3YuJshUaRChHXPCihsCNm8ohLp9pQRJi4WIwMrF54xc=; l=2157; h=Date:From:To:References:In-Reply-To; b=ZVt/RzEn2rtVyuQrorYybyrk7HhT0XaZvV3lC7dVJZK8SvM9ctEcosFbJTK4LM4Zd Xq35mH7/BQTMVc3drb5e3I7oNZLh/K/b2ZbcouN5OOhwunE+fuiFzyxbAnTws2Yf84 Pf6X01fNePVLzb6d3WJjEim5fvRLgC5cjnevGnFQ=
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLSv1/SSLv3,256bits,AES256-SHA) by wmail.tana.it with ESMTPSA; Wed, 23 Jan 2013 09:52:07 +0100 id 00000000005DC039.0000000050FFA4B7.00000213
Message-ID: <50FFA4B7.5040104@tana.it>
Date: Wed, 23 Jan 2013 09:52:07 +0100
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: spfbis@ietf.org
References: <061.d98693d6d49da2032936529b51acdb1f@tools.ietf.org> <3896517.k8tBVMT4Fi@scott-latitude-e6320> <20130123010120.GC7073@crankycanuck.ca> <271785100.KEZggNLeh1@scott-latitude-e6320>
In-Reply-To: <271785100.KEZggNLeh1@scott-latitude-e6320>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2013 08:52:11 -0000

On Wed 23/Jan/2013 04:22:35 +0100 Scott Kitterman wrote:
> 
> The total discussion on record length would be:
> 
>    The published SPF record for a given domain name SHOULD remain

What does /SPF record/ mean there?  Is that a TXT record beginning
with "v=spf1" or any DNS record queried during an SPF evaluation?

How about:

     For efficiency and security reasons, the DNS records that a
     domain publishes for SPF  --that is, the policy record itself as
     well as any record it references even indirectly-- are subject
     to size restrictions.
?

>    small enough that the results of a query for it will fit within
>    512 octets.  This UDP limit is defined in <xref target="RFC1035"/>

It may make sense to relax that to 4096 or whatever number we deem to
be safe nowadays, accepting Andrew's offer to dig up a suitable ref.
(Doing so would enable publishers to replace IP4s with longer IP6s
without increasing the total number of queries, for example.)

>    section 2.3.4.  This will keep even older DNS implementations from
>    falling over to TCP.  Since the answer size is dependent on many
>    things outside the scope of this document, it is only possible to
>    give this guideline: If the combined length of the DNS name and
>    the text of all the records of a given type is under 450 characters,
>    then DNS answers ought to fit in UDP packets.  Note that when
>    computing the sizes for queries of the TXT format, one has to take
>    into account any other TXT records published at the domain name.

I'd rephrase the latter sentence as:

     For TXT records in particular, especially the first one, one has
     to take into account the size of any other TXT records published
     at the same domain name.

>    Records that are too long to fit in a single UDP packet could be
>    silently ignored by SPF verifiers due to firewall and other issues
>    that cause DNS over TCP to be less reliable than DNS over UDP.

Although that is  a /could be/, not a MAY, would we consider an
implementation to be conforming if it aborts SPF evaluation when it
finds unreasonably long records?  That's why I mentioned security in
the proposed rewording above.

v2.46.0 | Report a Bug | By Email | System Status