Re: [spfbis] [Technical Errata Reported] RFC7208 (5550)

Scott Kitterman <scott@kitterman.com> Mon, 12 November 2018 19:10 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4A5F130E02 for <spfbis@ietfa.amsl.com>; Mon, 12 Nov 2018 11:10:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=fzfZE13H; dkim=pass (2048-bit key) header.d=kitterman.com header.b=Q/OTjK+q
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id poq5EPp39xSM for <spfbis@ietfa.amsl.com>; Mon, 12 Nov 2018 11:10:12 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E85EE1274D0 for <spfbis@ietf.org>; Mon, 12 Nov 2018 11:10:11 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201803e; t=1542049810; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from : subject : date; bh=jp9fuNIx2FxrkX2omJJKpnmREMpuDSU7GEat5R9vig4=; b=fzfZE13HUYKFWUMOLUe5EC0Igh5LihWXYkRXJogNI4GN2Fd8Ey92M1s8 7igYodw4qelJPIWmgpvsEvrByisKDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201803r; t=1542049810; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from : subject : date; bh=jp9fuNIx2FxrkX2omJJKpnmREMpuDSU7GEat5R9vig4=; b=Q/OTjK+qF2vlscdzrrp02FmGbQp+SQNwLYr2xfauzzCOF6cwchENH3S/ PhChEIFxiMyTwIR7ToMUamufBydXVt+Pejb6Rtr0Mp4FxQhbRCsjwVEsDN ZeeX7UjC2SRDnUK8Qf6nWnPXMQlSuuA7njs5xzW5fhYcP79lxyczDAtTJU XGXWxIKTOfUmsh854Z8uOfLQA3loprJ5f8tZGh2wNvKat6agcAL+ZapNJ6 KdDgtjqHYC3qgkGi7aPLfIvq7+ckmxoEYwZBlUe/Ls48hNVjqP+pvvyaRf BUV6EHf+0b3FvTG8Gi+2LvoJ6zCnwXbVOWdhTU5lP0+LP8IR8gKPkQ==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id A19C7C401C4; Mon, 12 Nov 2018 13:10:10 -0600 (CST)
From: Scott Kitterman <scott@kitterman.com>
To: spfbis@ietf.org
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, ben@nostrum.com, adam@nostrum.com, aamelnikov@fastmail.fm, sm+ietf@elandsys.com, ajs@anvilwalrusden.com, dear.friend@2die4.com
Date: Mon, 12 Nov 2018 14:10:08 -0500
Message-ID: <10227312.lQhgs7rMoL@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-158-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <2394369.44pl4s8oyQ@kitterma-e6430>
References: <20181109165920.AF8B2B810A6@rfc-editor.org> <2394369.44pl4s8oyQ@kitterma-e6430>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/LKleDB5d9x0etUzKXnPuxs1fGNQ>
Subject: Re: [spfbis] [Technical Errata Reported] RFC7208 (5550)
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2018 19:10:14 -0000

After further off-line discussion with the reporter, my recommendation to 
reject this errata is confirmed in my mind.  I think that most of his issue is 
with how various SPF results are used by receivers, which is out of scope of 
RFC 7208.  It does not specify receiver policy.

Scott K

On Friday, November 09, 2018 02:17:41 PM Scott Kitterman wrote:
> My recommendation is that the errata be rejected.
> 
> Rationale:
> 
> The submitter doesn't follow through what the next steps in the process
> would be and makes incorrect assumptions.
> 
> As described in the errata,
> 
> HELO/EHLO names that are HELO <IP Address> or <malformed> will have a HELO
> check result of none.  In the case of HELO <hostname>, the claim that if
> <hostname> does not have an A record, the HELO check result will be fail is
> incorrect.
> 
> If the HELO is a valid hostname, then the first step would be do a DNS TXT
> lookup to determine if there is a valid SPF record.  If there is no record,
> then the result is none, just like HELO <IP Address> or <malformed>.
> 
> If there is an SPF record for the HELO name and the record uses an a:/aaaa:
> mechanism for which no A/AAAA record exists, then the result will be
> whatever is specified based on the qualifier for the 'all' mechanism at the
> end of the record.  This may or may not be fail.
> 
> In the latter case, the unanticipated result is a function of an incorrect
> operational configuration, not an issue with the protocol.  It is true that
> publishing an incorrect SPF record can have negative consequences, but
> that's true for all SPF records and nothing related to this text.
> 
> Scott K
> 
> On Friday, November 09, 2018 08:59:20 AM RFC Errata System wrote:
> > The following errata report has been submitted for RFC7208,
> > "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
> > Version 1".
> > 
> > --------------------------------------
> > You may review the report below and at:
> > http://www.rfc-editor.org/errata/eid5550
> > 
> > --------------------------------------
> > Type: Technical
> > Reported by: Borislav Petrov <dear.friend@2die4.com>;
> > 
> > Section: 2.3.
> > 
> > Original Text
> > -------------
> > 
> >    Note that requirements for the domain presented in the EHLO or HELO
> >    command are not always clear to the sending party, and SPF verifiers
> >    have to be prepared for the identity to be an IP address literal (see
> >    [RFC5321], Section 4.1.3) or simply be malformed.  This SPF check can
> >    only be performed when the "HELO" string is a valid, multi-label
> >    domain name.
> > 
> > Corrected Text
> > --------------
> > 
> > 
> > Notes
> > -----
> > It looks like that those who have HELO <IP Address> or <malformed> will
> > have result "none" (and pass) but those that have HELO <hostname> and
> > have not yet published their hostname (A record) as allowed sender will
> > get fail. This becomes a very common case for all messages which are
> > DSNs. The whole idea that it is better to have your HELO malformed than a
> > valid hostname which identifies the system is wrong. The point is to
> > fight spam but you actually make it easier for spammers to just have the
> > EHLO malformed and send with <> reverse-path rather than having some
> > proper EHLO/HELO which is subject to other verifications like rDNS, etc.
> > 
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> > 
> > --------------------------------------
> > RFC7208 (draft-ietf-spfbis-4408bis-21)
> > --------------------------------------
> > Title               : Sender Policy Framework (SPF) for Authorizing Use of
> > Domains in Email, Version 1 Publication Date    : April 2014
> > Author(s)           : S. Kitterman
> > Category            : PROPOSED STANDARD
> > Source              : SPF Update
> > Area                : Applications
> > Stream              : IETF
> > Verifying Party     : IESG
> 
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis