Re: [spfbis] Question about SPF checks based on RFC 7208

S Moonesamy <sm+ietf@elandsys.com> Mon, 02 May 2016 16:48 UTC

Message-Id: <6.2.5.6.2.20160502093100.0878c9f0@elandnews.com>
Date: Mon, 02 May 2016 09:48:00 -0700
To: Kurt Andersen <kurta@drkurt.com>, spfbis@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <CABuGu1qf8tdzvwy+fhaTqKNyKQ1L0San8f54Cu-XbZXDLwn8fw@mail.gmail.com>
References: <002101d1a342$c93e3000$5bba9000$@iname.com> <6.2.5.6.2.20160502003646.101fc9c8@resistor.net> <CABuGu1qf8tdzvwy+fhaTqKNyKQ1L0San8f54Cu-XbZXDLwn8fw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/YutEIHGJvMO0Ki6Tdf_X-TFJAB4>
Cc: Frank Bulk <frnkblk@iname.com>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208

Hi Kurt,
At 08:56 02-05-2016, Kurt Andersen wrote:
>My suggestion is to clarify exactly what constitutes a "void DNS 
>lookup" in the case of an MX mechanism. I suggest that we define a 
>void MX lookup to be one that either returns no records or returns 
>the "null MX record" (RFC7505). Could this be done as an erratum item?

Please see https://www.rfc-editor.org/errata.php for information 
about how to report an erratum and how the erratum will be 
processed.  The above might be too much for an erratum.

>I think we also need to highlight the importance of putting "lookup 
>dependent mechanisms", and especially 2nd degree dependent 
>mechanisms (such as mx) after any explicit IP specifications to 
>publishers of SPF records. The "traditional"/historical suggestion 
>that has been provided by many record creation "wizards" is flawed 
>by putting "a mx" at the beginning of their recommendations.

There is the following in Section 4.6.4:

   "SPF implementations SHOULD limit "void lookups" to two.  An
    implementation MAY choose to make such a limit configurable.
    In this case, a default of two is RECOMMENDED.  Exceeding
    the limit produces a "permerror" result."

The following is from Section 11.1:

   'Operational experience since the publication of [RFC4408]
    suggests that mitigation of this class of attack can be
    accomplished with minimal impact on the deployed base by
    having the verifier abort processing and return "permerror"
    (Section 2.6.7) as soon as more than two "void lookups" have
    been encountered (defined in Section 4.6.4).'

In my personal opinion any text change would not be a 
clarification. Which section of RFC 7208 would you like to change? :-)

Regards,
S. Moonesamy
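An added illustration (not code from the thread or from any SPF implementation) of the two points discussed above: the Section 4.6.4 void-lookup limit producing "permerror", and why ordering explicit ip4 terms before "a"/"mx" matters. The zone data, the PermError class and the null_mx_is_void switch (Kurt's proposal that an RFC 7505 null MX counts as a void MX lookup) are constructed for this example.

```python
import ipaddress

VOID_LOOKUP_LIMIT = 2  # RFC 7208 Section 4.6.4 default

# Constructed zone data for the example: name -> {rrtype: [values]}.
DNS = {
    "example.org": {"A": ["192.0.2.10"]},
    "nomail.example": {"MX": [(0, ".")]},  # RFC 7505 null MX, no A record
    "nothing.example": {},                  # name with no records at all
}

class PermError(Exception):
    """Raised as soon as more than VOID_LOOKUP_LIMIT void lookups occur."""

def resolve(name, rrtype, state):
    """Look up name/rrtype, counting void answers; abort past the limit."""
    answers = DNS.get(name, {}).get(rrtype, [])
    null_mx = rrtype == "MX" and answers and all(h == "." for _, h in answers)
    # A "void lookup" is an empty answer; the thread proposes that a null MX
    # (RFC 7505) also count as void for the mx mechanism, so it is optional.
    if not answers or (null_mx and state["null_mx_is_void"]):
        state["voids"] += 1
        if state["voids"] > VOID_LOOKUP_LIMIT:
            raise PermError
    return answers

def check_host(client_ip, domain, spf_record, null_mx_is_void=True):
    """Evaluate ip4, a, mx and all terms; return (result, void_lookup_count)."""
    state = {"voids": 0, "null_mx_is_void": null_mx_is_void}
    ip = ipaddress.ip_address(client_ip)
    try:
        for term in spf_record.split()[1:]:  # skip the "v=spf1" version tag
            mech, _, arg = term.partition(":")
            if mech == "ip4":
                if ip in ipaddress.ip_network(arg, strict=False):
                    return "pass", state["voids"]
            elif mech in ("a", "mx"):
                target = arg or domain
                if mech == "a":
                    hosts = [target]
                else:  # mx: one MX lookup, then an A lookup per MX host
                    hosts = [h for _, h in resolve(target, "MX", state) if h != "."]
                for host in hosts:
                    if client_ip in resolve(host, "A", state):
                        return "pass", state["voids"]
            elif term == "-all":
                return "fail", state["voids"]
            elif term == "~all":
                return "softfail", state["voids"]
    except PermError:
        return "permerror", state["voids"]
    return "neutral", state["voids"]
```

With the "wizard" ordering `v=spf1 a mx a:nothing.example ip4:192.0.2.0/24 -all` the third void lookup aborts with "permerror" before the matching ip4 term is reached; moving `ip4:` first yields "pass" with no DNS lookups at all.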