Re: [spfbis] Section 3 of draft-ietf-spfbis-4408bis-06

"Murray S. Kucherawy" <superuser@gmail.com> Sat, 01 September 2012 01:20 UTC

MIME-Version: 1.0
In-Reply-To: <6.2.5.6.2.20120831171639.098d0d60@elandnews.com>
References: <6.2.5.6.2.20120831171639.098d0d60@elandnews.com>
Date: Fri, 31 Aug 2012 18:20:01 -0700
Message-ID: <CAL0qLwaHmu5BoGf5dwDfiT9D_1EoOaT7Y9wTQokGeWg8VtGQxQ@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: S Moonesamy <sm+ietf@elandsys.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: spfbis@ietf.org
Subject: Re: [spfbis] Section 3 of draft-ietf-spfbis-4408bis-06
Precedence: list

On Fri, Aug 31, 2012 at 6:03 PM, S Moonesamy <sm+ietf@elandsys.com> wrote:
>   "Loosely, the record partitions all hosts into permitted and
>    not-permitted sets (though some hosts might fall into
>    neither category)."
>
> I suggest remove that to "tighten" the specification.

How is that an improvement?

>   'The SPF record is a single string of text.  An example record is the
>    following:
>
>       v=spf1 +mx a:colo.example.com/28 -all'
>
> There isn't any information about the record "format" in that subsection.

A forward reference to the formal specification would be adequate.

>   "Each SPF record is placed in the DNS tree at the host name it
>    pertains to, not a subdomain under it, such as is done with SRV
>    records [RFC2782]."
>
> This is tutorial material.

I disagree.  It's implementation.

>   'The example in Section 3 might be published via these lines in a
>    domain zone file:
>
>       example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
>       smtp-out.example.com. TXT "v=spf1 a -all"'
>
> As the "format" as not been defined the above comes out as tutorial
> material.

Two things:

1) The forward reference I suggested above solves it.

2) "The example in Section 3" inside Section 3 is weird.  How about
"The example above?"

>   "They might cause problems with size limits (see Section 3.4)
>    and care MUST be taken to ensure only SPF records are used
>    for SPF processing."
>
> There is a new RFC 2119 requirement compared to RFC 4408.

The issue is use of "must" vs. "MUST".  I believe this is appropriate
clarification (this, or replace MUST with some non-2119 word).

>   'ADMDs publishing SPF records SHOULD try to keep the number of
>    "include" mechanisms and chained "redirect" modifiers to a minimum.
>    ADMDs SHOULD also try to minimize the amount of other DNS information
>    needed to evaluate a record.'
>
> Two new RFC 2119 recommendations have been added.

Same argument.

> In Section 3.1:
>
>   "SPF records MUST be published as type TXT [RFC1035]"
>
> There is a previous definition for SPF records which already mentions that
> it is a DNS TXT (type 16) Resource Record (RR).  It is not clear what the
> MUST is for.

Same argument.  Could change "MUST be" to "are" though.

>   'Use of alternate DNS RR types was supported in SPF's experimental
>    phase, but has been discontinued.'
>
> I suggest mentioning the SPF RR is considered as deprecated.

Agree, and refer to the experiment document for more detail.

> In Section 3.4:
>
>   'Note that when computing the sizes for queries of the TXT format,
>    one MUST take into account any other TXT records published at
>    the domain name.'
>
> This is a new RFC 2119 requirement.

Same issue, I believe.  I'll skip further things along those lines.

> There seems to be an assumption that DNS is secure.  I suggest adding text
> about DNS Security in the Security Considerations section.

I'd suggest we get guidance from Andrew or our AD about that.  Seems
like we might need to do that for everything that uses the DNS in any
way, which could get tedious, unless we can rely on the fact that
RFC1034/5 are already marked as updated by the DNSSEC drafts.

-MSK

[spfbis] Section 3 of draft-ietf-spfbis-4408bis-06 S Moonesamy
Re: [spfbis] Section 3 of draft-ietf-spfbis-4408b… Murray S. Kucherawy
Re: [spfbis] Section 3 of draft-ietf-spfbis-4408b… S Moonesamy
Re: [spfbis] Section 3 of draft-ietf-spfbis-4408b… Scott Kitterman