On Monday, May 06, 2013 10:10:40 AM Mark Andrews wrote:
In message
<42523d2d-85c6-4e6d-b2a7-6791a0e5d4a8(_at_)email(_dot_)android(_dot_)com>,
Scott
Kitterman writes:
Mark Andrews <marka(_at_)isc(_dot_)org> wrote:
In message
<6(_dot_)2(_dot_)5(_dot_)6(_dot_)2(_dot_)20130505082013(_dot_)0adbbe40(_at_)elandnews(_dot_)com>,
S
Moonesamy write
s:
Hi Mark,
At 15:57 04-05-2013, Mark Andrews wrote:
The publisher can choose to interoperate with everyone by publishing
both.
The client side can choose to interoperate with everyone by looking
for both.
Both side can choose their level of interoperability. There is no
bug.
Thanks for the feedback.
Based on the quoted text I would write the text as:
(i) you must have X and Y where X and Y are identical.
(ii) I ask you for both X and Y (see [1] for example).
Item (i) is a combination of the previous items (a) and (c). Item
(ii) is the last part of previous item (d).
That was not the intent. Having choice here is very important here.
In fact it is essential to reach the end goal of Y only when starting
with X only.
There is nothing wrong with failing to catch every possible forgery
possible if both sides are using SPF. Unfortunately the SPF WG
seem to think that unless the RFC does catch every possible forgery
that it is broken. The SPF WG appears to not want to allow operators
to have the choice. This is the case "pefect" being the enemy of
"good enough". We need "good enough" here not "perfect".
Mark
If we publish a 4408bis that suggests the normal way to publish an SPF
record is in type SPF, then it'll get about 98% less effective based on
the data we've collected. What you are suggesting is more like 'ignore
the deployed base and start over'. That's not wgat the WG was chartered
to do.
No one said "ignore deployed base". Firstly normal != only.
Secondly one could quite easly add "fixup SPF" functionality to
nameservers/zone signers by having the master server/signers add
type SPF records if they are not present when there are v=spf1 TXT
records. This would also require fixing some DNSSEC records but
it is doable.
Name servers/signers fixup DNSSEC records all the time. Adding
another type of record to fixup is a relatively trivial change.
For unsigned zones one could do this on slave servers as well.
You have already mentions you have a script that does it. A script
needs someone to install it and run it so it is not comparable,
other than a proof of concept that it can be done, to getting
nameservers to do the fixup. This get done installed and run
automatically. Installation happens as part of OS upgrades / new
server installs. It gets run as it is part of the default behaviour.
None of this happened in 8 years. There's no basis for the next 8 years being
any different.
Additionally, I'm personally against publishing documents that require
special external knowledge (if 4408bis prefers SPF over TXT deployers
will have know to ignore that part of the RFC if they actually want the
protocol to be useful. To promote interoperability there has to be a MUST
publish and a MUST check format in common. Given the lack of type SPF
deployment, it's crazy to suggest that it should be the required type.
What external knowledge. 4408 already effectly says that you need
to publish SPF records. TXT records are described as "for backwards
i compatibilty". It says you SHOULD publish both.
You are worrying about it not been "perfect" when it was in fact
what was in 4088 was "good enough".
What was in 4408 turned out to be pointless and complicating. There are also
a few pour souls out there who published type SPF records only and are
probably wondering why it's not working very well.
Personally, I'm quite surprised that doubling the DNS queries associated with
SPF for the foreseeable future is a "meh" issue to DNS people.
If you're going to query for type SPF, then you have to do an asynchronous
query of some kind due to broken DNS servers that return either nothing
(meaning you end up waiting for a timeout) or SERVFAIL for unknown types. You
still have to do type TXT queries and performance will suffer badly if you do
them serially. Additionally, we'd need to special case SERVFAIL for type SPF
so that in appropriate temperrors weren't returned. It adds a significant
amount of complexity if you want to implement both types without poor
performance (Mail::SPF does the queries sequentially and will fail on a bad
DNS server, it's not really the model one would want).
I get the theory of type SPF, but dual types adds a lot of complexity for
minuscule benefit. A single type is much simpler and more reliable.
Unfortunately, if it's only going to be one, TXT is the only one that makes
any sense operationally.
Scott K