[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David
Sent: Tuesday, March 29, 2005 2:25 PM
Subject: RE: [spf-discuss] Standard Authentication Query
At 12:48 PM 3/29/2005 -0500, Scott Kitterman wrote:
I'm, by and large, with Frank. We need to get the existing v=SPF1
documented in an experimental RFC and then move on to whatever
I do think that some added cautions wrt DNS loading and security risks may
be in order. I'm thinking that one over.
I wouldn't slow down the progress on the SPF standard, but be
make some changes to the parts relating to inter-operability.
But the current RFC effort is meant to describe the CURRENT practice. I
really think that for v=SPF1 we need to limit ourselves to
in place. I wouldn't propose any changes to the current spec
affect processing or creation of records.
Most of the potential changes can be done later at very little cost. The
one I worry about is the DNS query. SPF could be facing some very
difficult rework if the final standard mandates a one-packet
response. Also, I suspect the guardians of DNS at the IETF will
that no changes were made to address their concerns.
As I understand it, Radu's mask proposal will allow almost all domains to
provide a one-packet response, even if the mask is only a rough
approximation to their actual server addresses. If this rejects 90% of the
forgeries, that may be good enough.
I can even see a large ISP clustering all their servers so their
might be nothing but a few masks. As long as spammers can't get access to
the addresses within the mask blocks, the masks alone are good enough.
A typical top record might look like this one for rr.com:
The ... redirects and such might never be needed if rr.com decides it can
clean out the zombies in each of those /24 blocks.
For SPF checking libraries that don't implement the mask (currently all of
them), that record would parse as:
The mask only has potential to help once it's deployed and senders modify
their policies to use it.
Regardless of the potential for increased efficiency, I think that a
significant change like this is going to have a hard time getting traction
in the market. If this sort of approach will appeal to people, then perhaps
we ought to concentrate in the near term on selling Frank's slightly less
efficient approach since it's fully compatible with the current syntax.
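As an added illustration of the one-packet concern discussed in this message (not code from the thread or from any SPF implementation), the following Python estimates the wire size of the DNS response that carries an SPF TXT record and lists which terms force the checker to issue further queries; the example.com zone name and both sample records are constructed.

```python
# Estimate whether an SPF TXT record fits in a single 512-byte UDP DNS
# response (RFC 1035 wire format, no EDNS0) and which of its terms make
# the checker issue additional DNS queries.
from __future__ import annotations

UDP_LIMIT = 512
# Mechanisms/modifiers whose evaluation needs at least one extra DNS query.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records (not from any real zone).
CIDR_ONLY = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"
MANY_INCLUDES = "v=spf1 " + " ".join(
    f"include:_spf{i}.mail-provider-{i}.example.org" for i in range(12)) + " ~all"


def encoded_name_len(name: str) -> int:
    """Wire length of a DNS name: a length byte per label plus the root byte."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def txt_response_size(qname: str, record: str) -> int:
    """Bytes of a response holding one TXT RR for qname (answer name compressed)."""
    header = 12
    question = encoded_name_len(qname) + 4      # QNAME + QTYPE + QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2                # name pointer, TYPE, CLASS, TTL, RDLENGTH
    data = record.encode()
    chunks = (len(data) + 254) // 255 or 1      # TXT rdata is <=255-byte strings
    return header + question + rr_fixed + len(data) + chunks  # one length byte per string


def dns_lookup_terms(record: str) -> list[str]:
    """Return the SPF terms that trigger further DNS queries during evaluation."""
    found = []
    for term in record.split()[1:]:             # skip the "v=spf1" version tag
        body = term.lstrip("+-~?")              # drop the qualifier
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name.lower() in LOOKUP_TERMS:
            found.append(term)
    return found


def assess(qname: str, record: str) -> dict:
    """Summarise packet fit and query load for one record."""
    size = txt_response_size(qname, record)
    lookups = dns_lookup_terms(record)
    return {"bytes": size, "one_packet": size <= UDP_LIMIT,
            "lookups": len(lookups), "lookup_terms": lookups}


if __name__ == "__main__":
    for rec in (CIDR_ONLY, MANY_INCLUDES):
        print(assess("example.com", rec))
```

A record built only from ip4/ip6 prefixes and `all` answers in one small packet with no follow-up queries, while a chain of includes both overflows the UDP limit and multiplies the load on the checker's resolver.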