Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
Scott Kitterman <spf2@kitterman.com> Sun, 15 January 2023 23:29 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27486C14F74B for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 15:29:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="BeVsteWg"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="ai7BUKTl"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id js_UuiQQbfPS for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 15:28:58 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E970C14F726 for <spfbis@ietf.org>; Sun, 15 Jan 2023 15:28:57 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 5CA51F801E0 for <spfbis@ietf.org>; Sun, 15 Jan 2023 18:28:48 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1673825313; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=AL+wmKPqS1LtgNT+yLOZpdqUKG/TP0IAohtH1pedf3Q=; b=BeVsteWg1ijRsdwVbzmeP86NdaTlOwOxx0t9/4b2G4NtGssXE231dXfXt1FDeMn1h7EWm wZOqm9lVHDPXwpeAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1673825313; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=AL+wmKPqS1LtgNT+yLOZpdqUKG/TP0IAohtH1pedf3Q=; b=ai7BUKTlVjLlxcrdD9d0QaqxJv+qghWzdtJ13ZJzFWF6vVA5Nfx3eQ1Sh4wtIKUaKB3dr YuwSkrBcfmsLHHgYIKczRzSM5StaeQpQmxclJil6H2HgDi9Fqix7nNlSpKrv6YT5D1mY5mH Bu3KodHf41LXuqBgEFd8XkensmCRPG7Gjf6jxTYT5iR/eIEPvjQXiLrbKIyV4lBMzdFBJyG 2FYCQvwGVFs5MRV/YdR8HGcSu47dolRhAvXHQQnzMOjo5v+k9cY5cJt/jpH30nDVzEkPlbP C3KxNCX7kt0fISx/WZoGpcJNmsQHym4jt7UYx9q9xkMe7q0ylVr2oB18yHug==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 35187F8016D for <spfbis@ietf.org>; Sun, 15 Jan 2023 18:28:33 -0500 (EST)
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Sun, 15 Jan 2023 18:28:28 -0500
Message-ID: <13078447.edrPyRMrsX@localhost>
In-Reply-To: <Y8SJjkQTFZO/Id/Z@netmeister.org>
References: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com> <4155095.WaQZGZ3z5Y@localhost> <Y8SJjkQTFZO/Id/Z@netmeister.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/hwhHNJr_RXisPnRaO4BbeL7hsBk>
Subject: Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2023 23:29:02 -0000
On Sunday, January 15, 2023 6:17:34 PM EST Jan Schaumann wrote: > Scott Kitterman <spf2@kitterman.com> wrote: > > There is the "overall" limit. The count against the overall limit is two > > ('a' and 'mx'). > > Thanks for clarifying. > > I find this _very_ counterintuitive, fwiw. > > My logic was roughly: > > "Well, the limit should limit how many lookups I have > to make in the worst case before I can decide. Doing > an 'mx' lookup by itself doesn't help me at all in > making that decision -- I absolutely _have_ to turn > any hostnames I get into IP addresses, so I must > necessarily perform additional lookups." > > So if I'm at a DNS lookup limit of 9 when I reach the > 'mx' part, and the domain has 10 MX records, I perform > 10 additional lookups (which don't count to the total > limit, meaning I perform a total of 19 lookups) and > move on. > > But if I'm at a DNS lookup limit of 0 when I reach the > 'mx' part, and the domain has 11 MX records, then the > 'mx' evaluation yields permerror and I abort. > > But if that's what it is, then that's what it is. :-) That's what it is. It probably made more sense in 2005 than it does now, but we're pretty well stuck with it for v=spf1. It's actually even more complex than this since most will do a PTR lookup for each IP address returned. Also, note that the limits for the SPF PTR mechanism as slightly different. There were claims made at the time that there were other, easier ways to conduct DNS amplification attacks and the limits were overly strict. That's certainly true now. Even so, the pre-RFC limits were strictly based on maximum recursion depth and had the potential for truly extraordinary amplification. Given the two, I think we picked the better approach in 2005 and SPFbis was correct not to fundamentally change them. If I were going to do an SPFv3 (I have no plans, don't get excited), this is one of the areas that would be ripe for redesign. Scott K
- [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Tim Wicinski
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… John Levine
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Tim Wicinski
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… william
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… John R Levine
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Klaus Frank