Re: [spfbis] Local macros strike again, was Suggestion...
Douglas Otis <dotis@mail-abuse.org> Fri, 13 January 2012 23:31 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5882621F84FF for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 15:31:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.135
X-Spam-Level:
X-Spam-Status: No, score=-102.135 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id betyLDmC1uSy for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 15:31:58 -0800 (PST)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id 7405E21F84FE for <spfbis@ietf.org>; Fri, 13 Jan 2012 15:31:58 -0800 (PST)
Received: from US-DOUGO-MAC.local (sjdcluxgateway1.sdi.trendnet.org [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id 9EFCA1740094 for <spfbis@ietf.org>; Fri, 13 Jan 2012 23:31:57 +0000 (UTC)
Message-ID: <4F10BEED.7050207@mail-abuse.org>
Date: Fri, 13 Jan 2012 15:31:57 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu>
In-Reply-To: <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 23:31:59 -0000
On 1/11/12 2:39 PM, Derek Diget wrote: > > On Jan 11, 2012 at 17:17 -0500, Hector Santos wrote: =>Section 10.1 > Processing Limits, covers the security idea of limits. But it =>only > mentions one hard limit of 10 for MX and PTR. It recommends a > unspecified =>minimum for others like INCLUDE which is more of a > concern because of its =>recursive nature. We have a limit of 20 > here. Probably more than enough to =>allow a domain to general an > include recursion level of 20! Each of these =>directive whether with > macros or not, needs to have limits. => =>So in my view, it will > probably be a good idea to avoid the "guessing game" =>and begin to > add semantics about specific recommended limits. => =>Doug is > suggesting of changing the 10 for MX/PTR to maybe 5. Where did 10 > =>come from to begin with? I presume is what was some SMTP client > were already =>doing when sending out mail - they have a MX expansion > limit of 10. Maybe the =>10 come from the author's experience with > this. Dear Hector, This was simply explaining the impact caused by a change Wayne Schlitt made to host name limits in his SPF library. He restricted the number of host names resolved to 5. This caused a problem for t-online.de who never published SPF records but were subjected to "default" SPF records such as "a mx/24" and that had 8 hosts in their MX RRset, for example. :^( The original concept was to permit any amount that could fit within any number of SPF records where only recursion was limited to 20. Several expressed concern about the amount of traffic a recursion approach might cause. Testing back in 2006 came across several libraries still using recursion as a limit, and some limiting hosts to the number returned within a single DNS transaction for a requested RRset, and the 5 host name limit used by Wayne instead of the 10 indicated in the draft. > I have been reading this thread and wanting to chime in... > > I have always read the first sentence of the 3rd paragraph of RFC > 4408 section 10.1 (starts with "SPF implementations MUST limit") to > mean that an SPF record that requires more that 10 DNS lookups to be > a PermError and the SPF library should not do a 11th lookup. > Period/end-stop. Dear Derek, The mechanism and modification limit is expressed in section 10.1 ,-- SPF implementations MUST limit the number of _mechanisms_ and _modifiers_ that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. '- Please note the term "mechanism" and not DNS transaction or imprecise lookup that might imply the existence of an intervening agent. "include" is a mechanism and "redirect" is a modifier that is counted as a mechanism. The lookup limit expressed in section 5.4 "mx" ,-- This mechanism matches if <ip> is one of the MX hosts for a domain name. MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] check_host() first performs an MX lookup on the <target-name>. Then it performs an address lookup on _each_ MX name returned. The <ip> is compared to each returned IP address. To prevent Denial of Service (DoS) attacks, more than 10 MX names MUST NOT be looked up during the evaluation of an "mx" mechanism (see Section 10 <http://tools.ietf.org/html/rfc4408#section-10>). If any address matches, the mechanism matches. '-- Each "mx" mechanisms can separately invoke address resolution transactions over a maximum of 10 host names. As the dos draft demonstrated, a compliant library processed 10 mechanisms where each mechanism in turn induced 10 subsequent DNS transactions to resolve each host's IP address set. Tallying these DNS transactions is 10 times ( 1 mx rrset + 10 host/a) or 10 times 11 for 110. Of course, one must include the first transaction for the initial SPF record. This bring the total DNS transactions used to resolve a single email address to 111. This is no where near 10 many keep suggesting. > The MX limit that is mentioned in later paragraphs is still > constrained by the first sentence's (10 lookup) limit. I would > almost say that the 4th paragraph ('When evaluating the "mx"') is > redundant to the 3rd paragraph except for the mention of the %{p} > macro. > > > (I can't speak for code writers of the MTA we use, but I think that > is the behavior I have seen. 11 DNS lookup causes a PermError to be > returned by check_host() ). Perhaps you were confused by the term mechanism. A mechanism such as "mx" or "ptr" performs DNS transactions to obtain RRsets and then up to 10 subsequent transactions for each element of the RRset. In other words, 110 DNS transactions. This is made more dangerous when transactions are based upon hosts defined by email-address local-parts. As such, it would be wrong to suggest SPF results are for the entire domain or that they can be cached. The local-part concept runs afoul of Repute definitions or efforts to combine the different domain results. Regards, Doug Otis
- [spfbis] Suggestion for an additional deliverable Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- Re: [spfbis] Suggestion for an additional deliver… SM
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Commerco WebMaster
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Dotzero
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- [spfbis] Augmenting SPF with additional Email tec… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Stuart Gathman
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- [spfbis] A-R vs SPF-R, was Suggestion for an addi… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Philip Gladstone
- Re: [spfbis] Suggestion for an additional deliver… Stuart D Gathman
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- [spfbis] HardFail Marking vs HardFail Rejects Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- [spfbis] Local macros strike again, was Suggestio… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Derek Diget
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Derek Diget
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Murray S. Kucherawy
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- [spfbis] SPF metrics, was Limits Alessandro Vesely
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Commerco WebMaster