IETF Logo Mail Archive

Re: [yam] [Technical Errata Reported] RFC6409 (3995)

John C Klensin <john-ietf@jck.com> Thu, 22 May 2014 16:25 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: yam@ietfa.amsl.com
Delivered-To: yam@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438751A0282 for <yam@ietfa.amsl.com>; Thu, 22 May 2014 09:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Level:
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id juLVbYdyYtfI for <yam@ietfa.amsl.com>; Thu, 22 May 2014 09:25:28 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DA1C1A0283 for <yam@ietf.org>; Thu, 22 May 2014 09:25:28 -0700 (PDT)
Received: from localhost ([::1]) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1WnVnJ-000Eho-RZ; Thu, 22 May 2014 12:24:38 -0400
Date: Thu, 22 May 2014 12:25:07 -0400
From: John C Klensin <john-ietf@jck.com>
To: Barry Leiba <barryleiba@computer.org>
Message-ID: <7440EB293A79BB0E9463E7AB@JCK-EEE10>
In-Reply-To: <CALaySJJqcqZVZd=dOkJb-cMqW+yqUX3_P=FOO4k=6Ngf-K2i0Q@mail.gmail.com>
References: <20140522105930.779E218000D@rfc-editor.org> <01P83PLDKT58000052@mauve.mrochek.com> <4EFB403085AB3DD86EAABE47@JCK-EEE10> <CALaySJJqcqZVZd=dOkJb-cMqW+yqUX3_P=FOO4k=6Ngf-K2i0Q@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: http://mailarchive.ietf.org/arch/msg/yam/0evaHBw4EleaISiJlKHbnnCp_5E
Cc: Ned Freed <ned.freed@mrochek.com>, yam@ietf.org, Pete Resnick <presnick@qti.qualcomm.com>, Randall Gellens <rg+ietf@qualcomm.com>, SM <sm+ietf@elandsys.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [yam] [Technical Errata Reported] RFC6409 (3995)
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam/>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 16:25:34 -0000


--On Thursday, 22 May, 2014 11:40 -0400 Barry Leiba
<barryleiba@computer.org> wrote:

>>> This looks correct to me, although it's right at the edge of
>>> what's acceptable in an errata.
>> 
>> Yeah.  Reluctantly concur.  I am not aware of any impulses
>> toward updating 6409 and do not believe this report changes
>> that.
> 
> Two votes for "Verified" (along with my own sense) is good
> enough for me.

Actually, something else just occurred to me.  I don't think it
changes the "verified" answer and I can't remember why Randy and
I left the prohibition there when it was removed from SMTP.   If
it was intentional rather than an oversight, I'd think it might
have something to do with the following:

Despite the assertion that it is common to canonicalize names
(probably true, since "common" is hard to quantify), the SMTP
specs generally discourage in-transit fixups.  An implementation
that discovered that the FQDN in an address was associated with
a CNAME record would be equally justified in simply rejecting
the message.  There is also the matter of SMTP's effective
requirement that an SMTP delivery server know the names by which
it is called (see the recent thread on the ietf-smtp list).  So
we might have intended to urge caution because
local@random-alias.example.com with

   random-alias.example.com. IN CNAME smtp.example.com.

could fail entirely if the server at smtp.example.com. either:

	* did not have "random-alias.example.com" configured as
	one of its names.  Or
	
	* strictly followed the 821 interpretation and rejected
	that mailbox address.

Note also that the locally-configured name requirement provides
some protection in which the evil owner of example.net creates 

   evil-server.example.net. IN CNAME smtp.example.com.

which would, at best, make some attack vectors harder to trace.

Again, I don't think this changes the "verified" answer.  It
does illustrate a reason why this is at the boundary as an
erratum.  And, if someone wanted to add the above as a comment
to the approved erratum, I certainly wouldn't object.

    john

v2.23.0 | Report a Bug | By Email