IETF Logo Mail Archive

Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits

Scott Kitterman <spf2@kitterman.com> Wed, 07 March 2012 18:05 UTC

Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3475521F85B5 for <spfbis@ietfa.amsl.com>; Wed, 7 Mar 2012 10:05:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SKzQ4MHq0fN7 for <spfbis@ietfa.amsl.com>; Wed, 7 Mar 2012 10:05:43 -0800 (PST)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id D87E021F85A4 for <spfbis@ietf.org>; Wed, 7 Mar 2012 10:05:37 -0800 (PST)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 5476820E40FA; Wed, 7 Mar 2012 13:05:37 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1331143537; bh=htyLZau2vjKAedgXgbHhajip/CadyAzlt3t2c64jYFo=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Transfer-Encoding:Content-Type; b=m3e4GC2/W3cNqdCAVs+7GB/+rD/R1UzyWTKnoOm1DFGNyz+9zvwuYE46wP3WBJ2EN JLbmQ3pKFxqSRI0fQjO2I1pxeQT2YzF29hfka7wqK//px7LEJjYTVabSIXgWbwWy/m kHuXhJO5rs1Br2KrrlvEuwaC4Hz3qD6EgB05TaDA=
Received: from scott-latitude-e6320.localnet (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id 39C6B20E40A3; Wed, 7 Mar 2012 13:05:37 -0500 (EST)
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Wed, 07 Mar 2012 13:05:36 -0500
Message-ID: <5370057.tXlR2v9Toq@scott-latitude-e6320>
User-Agent: KMail/4.7.3 (Linux/3.0.0-16-generic-pae; KDE/4.7.4; i686; ; )
In-Reply-To: <4F579E33.4000102@tana.it>
References: <061.d98693d6d49da2032936529b51acdb1f@tools.ietf.org> <22187973.cpWMZthzO6@scott-latitude-e6320> <4F579E33.4000102@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [spfbis] #24: RFC 4408: Reasonable DNS error limits
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2012 18:05:47 -0000

On Wednesday, March 07, 2012 06:43:15 PM Alessandro Vesely wrote:
> On 07/Mar/12 14:10, Scott Kitterman wrote:
> > On Wednesday, March 07, 2012 01:41:57 PM Alessandro Vesely wrote:
> >> On 07/Mar/12 13:06, Scott Kitterman wrote:
> >>> 
> >>>
> >>> First, I don't think there's a lot of point in computing the
> >>> maximum number of lookups possible.
> >>
> >> 
> >>
> >> Why?  It doesn't sound difficult to specify of implement.  I mean,
> >> isn't it easier to say "you can do at most 111 lookups" than "you can
> >> evaluate at most 10 terms worth 10 lookups each plus an exists as a
> >> bonus"?
> >
> > 
> >
> > The 111 is a corner case.  Your reformulation makes it the standard
> > case.  I don't think it's a good idea.
> 
> No, wait.  I don't mean one has to do all the lookups.  The limit is
> meant to guard against an excessive number of lookups, whether
> malicious or buggy.  As long as we believe that's not the norm, and
> only happens in corner cases, a non-partitioned amount of lookups may
> be more flexible and simpler than a structured limit devised to
> prevent a particular attack only.

The current rules are:

No more than 10 terms that need DNS lookups
No more than 10 a lookups from an mx mechanism
No more than 10 a lookups from a PTR mechanism.

So there is currently a primary limit of 10 and a secondary limit of 10 
lookups per primary of a certain type.

Is there any evidence that the primary limit of 10 is not adequate?  I am not 
aware of any.  Most of the largest email providers that exist have published 
records that fit within this limit.

Why would we want to change it?  Because we're changing the spec and it makes 
the spec clearer is not a good reason if it requires code to be re-written.  
Your proposal would.

As has been mentioned, one of the primary design principles in SPF was to 
produce a deterministic output based on a defined input.  If we change the 
current 1 + 10 + 10*10 limit to 111, then every SPF library that properly 
implements RFC 4408 10.1 would have to be changed.  

Based on that, I think the proposal is out of scope, but I also think it's a 
bad idea in any case.

Scott K

v2.46.0 | Report a Bug | By Email | System Status