Re: [spfbis] Question about SPF checks based on RFC 7208
S Moonesamy <sm+ietf@elandsys.com> Mon, 02 May 2016 16:48 UTC
Date: Mon, 02 May 2016 09:48:00 -0700
To: Kurt Andersen <kurta@drkurt.com>, spfbis@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/YutEIHGJvMO0Ki6Tdf_X-TFJAB4>
Cc: Frank Bulk <frnkblk@iname.com>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208

Hi Kurt,

At 08:56 02-05-2016, Kurt Andersen wrote:
>My suggestion is to clarify exactly what constitutes a "void DNS
>lookup" in the case of an MX mechanism. I suggest that we define a
>void MX lookup to be one that either returns no records or returns
>the "null MX record" (RFC7505). Could this be done as an erratum item?

Please see https://www.rfc-editor.org/errata.php for information about how to report an erratum and how the erratum will be processed. The above might be too much for an erratum.

>I think we also need to highlight the importance of putting "lookup
>dependent mechanisms", and especially 2nd degree dependent
>mechanisms (such as mx) after any explicit IP specifications to
>publishers of SPF records. The "traditional"/historical suggestion
>that has been provided by many record creation "wizards" is flawed
>by putting "a mx" at the beginning of their recommendations.

There is the following in Section 4.6.4:

   "SPF implementations SHOULD limit "void lookups" to two. An
   implementation MAY choose to make such a limit configurable. In
   this case, a default of two is RECOMMENDED. Exceeding the limit
   produces a "permerror" result."

The following is from Section 11.1:

   'Operational experience since the publication of [RFC4408] suggests
   that mitigation of this class of attack can be accomplished with
   minimal impact on the deployed base by having the verifier abort
   processing and return "permerror" (Section 2.6.7) as soon as more
   than two "void lookups" have been encountered (defined in
   Section 4.6.4).'

In my personal opinion any text change would not be a clarification. Which section of RFC 7208 would you like to change? :-)

Regards,
S. Moonesamy
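
The void-lookup limit quoted from Section 4.6.4 and the mechanism-ordering effect raised in the quoted text, as an added example that is not part of the original message or of any SPF implementation. Assumptions: the zone data and `example.test` names are constructed, every empty DNS answer is counted as one void lookup (one possible reading, which is the point under discussion in this thread), and only the `ip4`, `a`, `mx` and `-all` terms are handled.

```python
import ipaddress

VOID_LIMIT = 2  # default recommended by RFC 7208 Section 4.6.4

# Constructed zone data, not real DNS: the domain has no A record and its
# three MX hosts have no address records, so each of those queries is void.
ZONE = {
    "example.test": {"MX": ["mx1.example.test", "mx2.example.test",
                            "mx3.example.test"]},
}

class PermError(Exception):
    pass

class Resolver:
    """Stub resolver that counts void lookups (empty answer or no such name)."""
    def __init__(self, zone):
        self.zone, self.void = zone, 0

    def query(self, name, rrtype):
        answers = self.zone.get(name, {}).get(rrtype, [])
        if not answers:
            self.void += 1  # assumption: one void lookup per empty DNS answer
            if self.void > VOID_LIMIT:
                raise PermError(f"more than {VOID_LIMIT} void lookups")
        return answers

def check_host(ip, domain, record, zone=ZONE):
    """Evaluate ip4, a, mx and -all terms left to right; return the SPF result."""
    addr, res = ipaddress.ip_address(ip), Resolver(zone)
    try:
        for term in record.split()[1:]:  # skip "v=spf1"
            if term.startswith("ip4:"):
                if addr in ipaddress.ip_network(term[4:], strict=False):
                    return "pass"
            elif term == "a":
                if ip in res.query(domain, "A"):
                    return "pass"
            elif term == "mx":
                for host in res.query(domain, "MX"):
                    if ip in res.query(host, "A"):
                        return "pass"
            elif term == "-all":
                return "fail"
    except PermError:
        return "permerror"
    return "neutral"

WIZARD = "v=spf1 a mx ip4:192.0.2.0/24 -all"     # lookups first
REORDERED = "v=spf1 ip4:192.0.2.0/24 a mx -all"  # explicit IPs first
```

With the constructed zone, a sender inside the `ip4` range gets "permerror" from the lookups-first record and "pass" from the reordered one; a sender outside that range still reaches the void-lookup limit in either order.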