Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits

"Murray S. Kucherawy" <msk@cloudmark.com> Tue, 06 March 2012 19:03 UTC

Return-Path: <msk@cloudmark.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F37621E80A4 for <spfbis@ietfa.amsl.com>; Tue, 6 Mar 2012 11:03:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.604
X-Spam-Level:
X-Spam-Status: No, score=-102.604 tagged_above=-999 required=5 tests=[AWL=-0.005, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nOerwX9ju+yL for <spfbis@ietfa.amsl.com>; Tue, 6 Mar 2012 11:03:33 -0800 (PST)
Received: from ht2-outbound.cloudmark.com (ht2-outbound.cloudmark.com [72.5.239.26]) by ietfa.amsl.com (Postfix) with ESMTP id 97EBD21E8096 for <spfbis@ietf.org>; Tue, 6 Mar 2012 11:03:33 -0800 (PST)
Received: from EXCH-MBX901.corp.cloudmark.com ([fe80::addf:849a:f71c:4a82]) by exch-htcas902.corp.cloudmark.com ([fe80::e82a:4f80:7f44:eaf7%12]) with mapi id 14.01.0355.002; Tue, 6 Mar 2012 11:03:33 -0800
From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: "spfbis@ietf.org" <spfbis@ietf.org>
Thread-Topic: [spfbis] #24: RFC 4408: Reasonable DNS error limits
Thread-Index: AQHM+7yYx93ZDimmwkGuor51xQ56+JZdkr5wgACOjwD//35T0A==
Date: Tue, 06 Mar 2012 19:03:32 +0000
Message-ID: <9452079D1A51524AA5749AD23E00392807CDBA@exch-mbx901.corp.cloudmark.com>
References: <061.d98693d6d49da2032936529b51acdb1f@tools.ietf.org> <6.2.5.6.2.20120306091044.0b9a15b0@elandnews.com> <9452079D1A51524AA5749AD23E00392807CB20@exch-mbx901.corp.cloudmark.com> <1463655.1U633HA6jI@scott-latitude-e6320>
In-Reply-To: <1463655.1U633HA6jI@scott-latitude-e6320>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.20.2.121]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 19:03:34 -0000

> -----Original Message-----
> From: spfbis-bounces@ietf.org [mailto:spfbis-bounces@ietf.org] On
> Behalf Of Scott Kitterman
> Sent: Tuesday, March 06, 2012 10:46 AM
> To: spfbis@ietf.org
> Subject: Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits
> 
> On Tuesday, March 06, 2012 06:18:30 PM Murray S. Kucherawy wrote:
> > I need some clarification on this issue before I can give an opinion.
> > Someone help me out here...
> >
> > Is the issue that I could publish an SPF policy that causes queries to
> > someone else's DNS as a means of an attack, and the proposed
> > mitigation is to abort the query if too many NOERROR replies with zero
> > answers (which I think is what people mean by "No Data") are received?
> 
> I believe that's correct.

I think the mitigation is weak, then.  It thwarts the attack scenario in which I point my SPF record at some stuff in your domain that doesn't actually exist, but if I use "mx" or other mechanisms that do hit things that exist, the attack isn't stopped.

So I'm fine with the idea of specifying NODATA cutoff limits, but it doesn't cover the full threat space here, and we'll have to admit that in Security Considerations or suchlike.

-MSK
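The two limits being compared above, worked through as an added example (this code is not part of the original thread or of any SPF implementation). It walks SPF terms against a constructed in-memory zone and enforces both the 10-mechanism cap from RFC 4408 section 10.1 and a NODATA/void-lookup cutoff; the void cap value of 2, the zone data and the helper names (`walk`, `evaluate`, `Counters`) are assumptions made for the illustration. The third zone entry shows the case the message describes: every mechanism hits a name that exists, so the void counter never moves and only the mechanism cap ends the walk.

```python
"""Toy SPF term walker with two resource limits (added example, offline).

Limits modelled:
  - MAX_DNS_MECHANISMS: RFC 4408 section 10.1 caps mechanisms/modifiers that
    cause DNS queries (include, a, mx, ptr, exists, redirect) at 10.
  - MAX_VOID_LOOKUPS: the proposed NODATA cutoff; a query answered with
    NXDOMAIN or NOERROR and zero answers counts as a void lookup.
    The value 2 is an assumption for this example.
"""
from dataclasses import dataclass, field

MAX_DNS_MECHANISMS = 10   # RFC 4408 section 10.1
MAX_VOID_LOOKUPS = 2      # assumed value for the NODATA cutoff


class PermError(Exception):
    """Evaluation aborted because a limit was exceeded."""


# Constructed zone data: (name, rrtype) -> list of answers.
# A missing key is treated as NODATA (NOERROR, zero answers).
ZONE = {
    ("example.org", "TXT"): ["v=spf1 mx include:_spf.example.org -all"],
    ("example.org", "MX"): ["mail1.example.org", "mail2.example.org"],
    ("mail1.example.org", "A"): ["192.0.2.10"],
    ("mail2.example.org", "A"): ["192.0.2.11"],
    ("_spf.example.org", "TXT"): ["v=spf1 a:relay.example.org -all"],
    ("relay.example.org", "A"): ["192.0.2.12"],
    # Record whose terms point at names that do not exist: void answers.
    ("void.example", "TXT"): [
        "v=spf1 a:nope1.example a:nope2.example a:nope3.example -all"],
    # Record whose terms all resolve; only the mechanism cap stops it.
    ("busy.example", "TXT"): ["v=spf1 " + "mx:example.org " * 11 + "-all"],
}


@dataclass
class Counters:
    dns_mechanisms: int = 0
    void_lookups: int = 0
    queries: list = field(default_factory=list)   # every (name, rrtype) asked


def lookup(name, rrtype, counters):
    """Query the constructed zone, counting NODATA answers as void lookups."""
    counters.queries.append((name, rrtype))
    answers = ZONE.get((name, rrtype), [])
    if not answers:
        counters.void_lookups += 1
        if counters.void_lookups > MAX_VOID_LOOKUPS:
            raise PermError("too many void lookups")
    return answers


def count_mechanism(counters):
    """Charge one DNS-querying mechanism against the RFC 4408 limit."""
    counters.dns_mechanisms += 1
    if counters.dns_mechanisms > MAX_DNS_MECHANISMS:
        raise PermError("too many DNS-querying mechanisms")


def walk(domain, counters):
    """Walk the SPF record of `domain`, following include/mx/a terms."""
    records = [r for r in lookup(domain, "TXT", counters) if r.startswith("v=spf1 ")]
    if not records:
        return
    for term in records[0].split()[1:]:
        mech = term.lstrip("+-~?")          # drop the qualifier
        if mech == "all":
            continue
        name, _, arg = mech.partition(":")
        if name == "include":
            count_mechanism(counters)
            walk(arg, counters)
        elif name == "mx":
            count_mechanism(counters)
            for host in lookup(arg or domain, "MX", counters):
                lookup(host, "A", counters)  # one A query per MX host
        elif name == "a":
            count_mechanism(counters)
            lookup(arg or domain, "A", counters)
        elif name in ("ptr", "exists"):
            count_mechanism(counters)        # not present in the toy zone


def evaluate(domain):
    """Return (outcome, counters); outcome is 'ok' or the PermError text."""
    counters = Counters()
    try:
        walk(domain, counters)
        return "ok", counters
    except PermError as err:
        return str(err), counters


if __name__ == "__main__":
    for d in ("example.org", "void.example", "busy.example"):
        outcome, c = evaluate(d)
        print(d, outcome, "mechanisms:", c.dns_mechanisms,
              "void:", c.void_lookups, "queries:", len(c.queries))
```

Running it shows the asymmetry: `void.example` is cut off after three empty answers, while `busy.example` issues 31 real queries (one TXT, then an MX plus two A lookups for each of ten mx terms) with zero void lookups before the mechanism cap fires. A NODATA cutoff therefore bounds the non-existent-name case only; the query volume against names that do exist is bounded by the mechanism limit, which is the gap the message asks to be acknowledged in Security Considerations.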