Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies

Scott Kitterman <spf2@kitterman.com> Sun, 15 January 2023 23:02 UTC

From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Sun, 15 Jan 2023 18:02:21 -0500
Message-ID: <4155095.WaQZGZ3z5Y@localhost>
In-Reply-To: <Y8SCz4bC15iRa/tB@netmeister.org>
References: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com> <2052933.pCZHq2v93S@localhost> <Y8SCz4bC15iRa/tB@netmeister.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/AFvCBHV_QkaifWJpVaA6FCg_VT8>

On Sunday, January 15, 2023 5:48:47 PM EST Jan Schaumann wrote:
> Scott Kitterman <spf2@kitterman.com> wrote:
> > Moving forward, here's the full text specific to MX from RFC 7208, Section 4.6.4:
> > >    When evaluating the "mx" mechanism, the number of "MX" resource
> > >    records queried is included in the overall limit of 10 mechanisms/
> > >    modifiers that cause DNS lookups as described above.  In addition to
> > >    that limit, the evaluation of each "MX" record MUST NOT result in
> > >    querying more than 10 address records -- either "A" or "AAAA"
> > >    resource records.  If this limit is exceeded, the "mx" mechanism MUST
> > >    produce a "permerror" result.
> > 
> > In the example you gave, only the +mx lookup counts against the overall
> > limit. "MX" resource records are exactly that.  The address records
> > (A/AAAA) are counted separately as clearly indicated in the sentence
> > after the one you quoted.
> > 
> > I think you need to go back and revisit your assessment of how these work
> > as I don't think it's correct.  We struggled with this in the SPFbis
> > working group as it was very difficult to come up with clear and accurate
> > language, so I'm not surprised to see it's not immediately obvious what
> > we meant.
> 
> I'm afraid the intent is still ambiguous.
> 
> Could you clarify by example:
> 
> $ dig +short txt example.com
> v=spfv1 +a +mx -all
> $ dig +short mx example.com
> 10 a.example.com
> 20 b.example.com
> $
> 
> Is it 2 (one for the 'a' lookup, and one for the
> 'mx'), or is it 4 (one for the 'a' lookup, one for the
> 'mx' lookup, and, because MX records return host names
> and IP addresses, an additional lookup for each MX
> record returned)?

There are two distinct limits in play here.  That's part of what makes it 
difficult to explain clearly and correctly.

There is the "overall" limit.  The count against the overall limit is two ('a' 
and 'mx').

There is a per 'mx' limit as well.  In this example the 'mx' mechanism yields 
two address records (a.example.com and b.example.com), so the per 'mx' count 
in this example is also two.  These do not count against the overall limit.

Scott K
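The two-counter reading given in the reply, worked through in code. This is an added example and not pyspf, the RFC, or anything posted in the thread; it implements a small subset of check_host() (a, mx, ip4, include, all) over a constructed in-memory zone table instead of a live resolver. The overall counter goes up once for every mechanism that causes a DNS lookup; each "mx" mechanism separately records how many address-record queries it needs (one per MX target host, IPv4 only here), and that number is checked against its own limit of 10 without feeding the overall counter. Beyond the example.com case from the thread, the zone also carries two hypothetical domains (bigmx.example, manya.example) that trip each limit on its own, so the independence of the two limits is visible. The names ZONE, check_host, LookupCounter and the hypothetical domains are all assumptions of this example.

```python
"""Minimal SPF evaluator (subset of RFC 7208 check_host) that keeps the two
separate lookup counters of section 4.6.4.  Added example, not pyspf or any
other real implementation; the DNS data is a constructed in-memory table."""
import ipaddress

OVERALL_LIMIT = 10   # mechanisms/modifiers that cause DNS lookups (4.6.4)
MX_ADDR_LIMIT = 10   # address records one "mx" evaluation may query (4.6.4)

# Constructed zone data: the thread's example plus two limit-tripping domains.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 +a +mx -all"],
    ("example.com", "MX"): [(10, "a.example.com"), (20, "b.example.com")],
    ("example.com", "A"): ["192.0.2.1"],
    ("a.example.com", "A"): ["192.0.2.10"],
    ("b.example.com", "A"): ["192.0.2.20"],
    # hypothetical: 11 MX hosts trips the per-mx limit while overall stays at 1
    ("bigmx.example", "TXT"): ["v=spf1 mx -all"],
    ("bigmx.example", "MX"): [(i, "mx%d.bigmx.example" % i) for i in range(11)],
    # hypothetical: 11 "a" mechanisms trips the overall limit with no mx at all
    ("manya.example", "TXT"): ["v=spf1 "
                               + " ".join("a:h%d.manya.example" % i for i in range(11))
                               + " -all"],
}
for i in range(11):
    ZONE[("mx%d.bigmx.example" % i, "A")] = ["198.51.100.%d" % i]
    ZONE[("h%d.manya.example" % i, "A")] = ["203.0.113.%d" % i]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when either 4.6.4 limit is exceeded or the record is unusable."""


class LookupCounter:
    def __init__(self):
        self.overall = 0    # a, mx, ptr, exists, include (and redirect) terms
        self.per_mx = []    # address-record queries made by each mx mechanism


def lookup(zone, name, rtype):
    return list(zone.get((name.lower(), rtype), []))


def _check_host(zone, ip, domain, counter):
    records = [r for r in lookup(zone, domain, "TXT") if r.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        raise PermError("multiple SPF records")
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech in ("a", "mx", "include", "ptr", "exists"):
            counter.overall += 1        # the overall limit: one per such mechanism
            if counter.overall > OVERALL_LIMIT:
                raise PermError("more than %d DNS-lookup mechanisms" % OVERALL_LIMIT)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            # The A records this returns are not subject to a separate limit.
            matched = str(ip) in lookup(zone, target, "A")
        elif mech == "mx":
            mx_hosts = [host for _, host in lookup(zone, target, "MX")]
            # The per-mx limit: one address-record query per MX target host
            # (IPv4 only here); tracked apart from the overall counter.
            counter.per_mx.append(len(mx_hosts))
            if len(mx_hosts) > MX_ADDR_LIMIT:
                raise PermError("mx needs more than %d address records" % MX_ADDR_LIMIT)
            matched = any(str(ip) in lookup(zone, host, "A") for host in mx_hosts)
        elif mech == "include":
            sub = _check_host(zone, ip, target, counter)   # shares the counters
            if sub == "none":
                raise PermError("include target has no SPF record")
            matched = sub == "pass"
        else:
            raise PermError("unsupported mechanism %r" % mech)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # nothing matched and no "all" term


def check_host(zone, ip, domain):
    """Return (result, overall_lookup_count, per_mx_address_query_counts)."""
    counter = LookupCounter()
    try:
        result = _check_host(zone, ipaddress.ip_address(ip), domain, counter)
    except PermError:
        result = "permerror"
    return result, counter.overall, counter.per_mx


if __name__ == "__main__":
    for ip, domain in [("192.0.2.20", "example.com"), ("192.0.2.99", "example.com"),
                       ("198.51.100.3", "bigmx.example"), ("203.0.113.99", "manya.example")]:
        print(domain, ip, check_host(ZONE, ip, domain))
```

For example.com the result is an overall count of 2 ('a' and 'mx') and a per-mx count of [2], matching the reply. bigmx.example produces permerror with the overall counter still at 1, and manya.example produces permerror with the overall counter at 11 and no mx entry at all; note that evaluation stops at the first matching mechanism, so a record can contain more than ten lookup terms and still pass for an address matched early.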