IETF Logo Mail Archive

Re: [spfbis] Local macros strike again, was Suggestion...

Douglas Otis <dotis@mail-abuse.org> Fri, 13 January 2012 23:31 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5882621F84FF for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 15:31:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.135
X-Spam-Level:
X-Spam-Status: No, score=-102.135 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id betyLDmC1uSy for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 15:31:58 -0800 (PST)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id 7405E21F84FE for <spfbis@ietf.org>; Fri, 13 Jan 2012 15:31:58 -0800 (PST)
Received: from US-DOUGO-MAC.local (sjdcluxgateway1.sdi.trendnet.org [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id 9EFCA1740094 for <spfbis@ietf.org>; Fri, 13 Jan 2012 23:31:57 +0000 (UTC)
Message-ID: <4F10BEED.7050207@mail-abuse.org>
Date: Fri, 13 Jan 2012 15:31:57 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu>
In-Reply-To: <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 23:31:59 -0000

On 1/11/12 2:39 PM, Derek Diget wrote:
>
>  On Jan 11, 2012 at 17:17 -0500, Hector Santos wrote: =>Section 10.1
>  Processing Limits, covers the security idea of limits. But it =>only
>  mentions one hard limit of 10 for MX and PTR. It recommends a
>  unspecified =>minimum for others like INCLUDE which is more of a
>  concern because of its =>recursive nature. We have a limit of 20
>  here. Probably more than enough to =>allow a domain to general an
>  include recursion level of 20! Each of these =>directive whether with
>  macros or not, needs to have limits. => =>So in my view, it will
>  probably be a good idea to avoid the "guessing game" =>and begin to
>  add semantics about specific recommended limits. => =>Doug is
>  suggesting of changing the 10 for MX/PTR to maybe 5. Where did 10
>  =>come from to begin with? I presume is what was some SMTP client
>  were already =>doing when sending out mail - they have a MX expansion
>  limit of 10. Maybe the =>10 come from the author's experience with
>  this.
Dear Hector,

This was simply explaining the impact caused by a change Wayne Schlitt 
made to host name limits in his SPF library.  He restricted the number 
of host names resolved to 5.  This caused a problem for t-online.de who 
never published SPF records but were subjected to "default" SPF records 
such as "a mx/24" and that had 8 hosts in their MX RRset, for example. :^(

The original concept was to permit any amount that could fit within any 
number of SPF records where only recursion was limited to 20.  Several 
expressed concern about the amount of traffic a recursion approach might 
cause.  Testing back in 2006 came across several libraries still using 
recursion as a limit, and some limiting hosts to the number returned 
within a single DNS transaction for a requested RRset, and the 5 host 
name limit used by Wayne instead of the 10 indicated in the draft.

>  I have been reading this thread and wanting to chime in...
>
>  I have always read the first sentence of the 3rd paragraph of RFC
>  4408 section 10.1 (starts with "SPF implementations MUST limit") to
>  mean that an SPF record that requires more that 10 DNS lookups to be
>  a PermError and the SPF library should not do a 11th lookup.
>  Period/end-stop.

Dear Derek,

The mechanism and modification limit is expressed in section 10.1
,--
SPF implementations MUST limit the number of _mechanisms_ and 
_modifiers_ that do DNS lookups to at most 10 per SPF check, including 
any lookups caused by the use of the "include" mechanism or the 
"redirect" modifier.
'-
Please note the term "mechanism" and not DNS transaction or imprecise 
lookup that might imply the existence of an intervening agent.  
"include" is a mechanism and "redirect" is a modifier that is counted as 
a mechanism.

The lookup limit expressed in section 5.4 "mx"
,--
This mechanism matches if <ip> is one of the MX hosts for a domain 
name.  MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] check_host() 
first performs an MX lookup on the <target-name>. Then it performs an 
address lookup on _each_ MX name returned. The <ip> is compared to each 
returned IP address. To prevent Denial of Service (DoS) attacks, more 
than 10 MX names MUST NOT be looked up during the evaluation of an "mx" 
mechanism (see Section 10 
<http://tools.ietf.org/html/rfc4408#section-10>). If any address 
matches, the mechanism matches.
'--

Each "mx" mechanisms can separately invoke address resolution 
transactions over a maximum of 10 host names.  As the dos draft 
demonstrated, a compliant library processed 10 mechanisms  where each 
mechanism in turn induced 10 subsequent DNS transactions to resolve each 
host's IP address set.  Tallying these DNS transactions is 10 times ( 1 
mx rrset + 10 host/a) or 10 times 11 for 110.  Of course, one must 
include the first transaction for the initial SPF record.   This bring 
the total DNS transactions used to resolve a single email address to 
111.  This is no where near 10 many keep suggesting.

>  The MX limit that is mentioned in later paragraphs is still
>  constrained by the first sentence's (10 lookup) limit. I would
>  almost say that the 4th paragraph ('When evaluating the "mx"') is
>  redundant to the 3rd paragraph except for the mention of the %{p}
>  macro.
>
>
>  (I can't speak for code writers of the MTA we use, but I think that
>  is the behavior I have seen. 11 DNS lookup causes a PermError to be
>  returned by check_host() ).

Perhaps you were confused by the term mechanism.  A mechanism such as 
"mx" or "ptr" performs DNS transactions to obtain RRsets and then up to 
10 subsequent transactions for each element of the RRset.  In other 
words, 110 DNS transactions.  This is made more dangerous when 
transactions are based upon hosts defined by email-address local-parts.  
As such, it would be wrong to suggest SPF results are for the entire 
domain or that they can be cached.  The local-part concept runs afoul of 
Repute definitions or efforts to combine the different domain results.

Regards,
Doug Otis

v2.23.0 | Report a Bug | By Email