spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-03-31 20:05:01
Sorry for getting into the forwarding issue here, but it is unavoidable in the discussion of DNS lookups.

At 12:36 AM 4/1/2005 +0100, Chris Haynes wrote:

In simple cases, that need only involve a single look-up. The multiple look-ups
usually arise if you have a Mail From domain that uses a different domain's
servers to send its mail. Almost all small/medium business and 'vanity' domains
are in this situation.

But these small domains are almost all *not* wanting to operate their own public mail servers, maintain their own DNS records, etc. They just want to forward their mail through their ISP.

They use an ISP's outbound mail servers.  Now those ISPs
are not going to commit to using a stable set of servers for this (defined by
their numeric IP), so, for sensible change-control your small domain 'includes'
the ISP's record, which is then fetched at run-time by the receiver, so it is
known to be the current list used by the ISP.

A more efficient arrangement is for the ISP to act as a normal forwarder, and *authenticate* the small domain, then *authorize* its own mail servers. This avoids the need to look up included records from another domain.

There are several other situations like that which push up the number of lookups
needed.

Why does *any* domain need to include another domain in its SPF record? The other domain is acting as a forwarder. It should authenticate the sending domain just like any forwarder would. If there is some relationship between the sender and the forwarder, that might make the authentication trivial, but to anyone downstream it should look like a normal authentication.

This also shows that a single server (with a single numeric IP address) might be
used by hundreds or thousands of domains. The ISP who owns the numeric address
has no idea which domains are (perfectly legally) going to use that server for
their outbound mail. I, for example, have 8 different domains that I can use. I
send all my outbound mail via one ISP, who only knows about 1 of those 8.  So
the kind of lookup you suggest just does not work because of the need to cross
these administrative boundaries.

This seems like an inherently insecure situation. If an ISP does not authenticate the domains for which it is forwarding mail, then it must assume full responsibility for the content of that mail. By simply authenticating the sender's domain, it can transfer the responsibility for content to the authenticated sender. The ISP's sole responsibility is then to do the authentication correctly.

<snip>
What people are currently agonizing over, as I understand it, is whether 'bad
guys' can force there to be a huge number of look-ups - so many that they
overwhelm either a sender's or a receiver's DNS system.

I, personally, am not yet convinced that there has been a strong enough case
made to show that the current SPF1 system is inadequate or seriously 'at risk'
in this respect. Maybe I missed some convincing scenarios...

The last thing we should be doing is raising FUD about the current version
without _very strong_ reason.

Until a week ago, I thought it was all FUD. Radu's research made me re-consider. I now believe that there is at least a 1 in 10 chance that the worry is real, probably much more. Given the simplicity of the solution, I'm focused on that, rather than nailing down the certainty of the risk. For me, the burden of proof is now on the "don't worry" side. I would need to be convinced that the risk of attack is negligible, or that the cost of the solution is more than a week or two to work out some new syntax.

Most of the anti-SPF stuff I've read sounds like hysterical ranting, lots of extreme statements with little substantive backup. The one site I've seen that makes a convincing statement is Dave Crocker's http://www.mipassoc.org/csv/CSV-Comparison.html I can't confirm these statements from my own knowledge, but I give Crocker a lot more credibility than most.

I'd far rather see progress on getting the existing system written up and
published as an RFC.

A lot of people outside the SPF community are taking the DNS threat very seriously. If the solution takes another week or two, it could avoid a much bigger setback down the road.

-- Dave
************************************************************     *
* David MacQuigg, PhD      email:  dmquigg-spf at yahoo.com      *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                   9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.              Tucson, Arizona 85710        *
************************************************************ *
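The two points argued over in the message above, that every `include:` costs the receiver one more DNS query at evaluation time, and that a record chain can be built to force many such queries, can be made concrete with a small evaluator. The code below is an added example written for this archive page; it is not from the original post, from Chris Haynes, or from any SPF implementation. The "DNS" is a constructed in-memory dictionary of hypothetical `.example` names, only the `ip4`, `include` and `all` mechanisms are implemented, and the cap of 10 DNS-querying mechanisms is the limit later standardized in RFC 7208 section 4.6.4, which the 2005 discussion predates.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS TXT lookups. All names are hypothetical.
ZONE = {
    # A small domain that relays through its ISP and therefore "includes" the ISP's policy.
    "smallbiz.example": "v=spf1 include:_spf.isp.example -all",
    # The ISP's own policy, listing its outbound servers by address.
    "_spf.isp.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}
# A deliberately long include chain, the kind of record a hostile publisher
# could use to force a receiver into one DNS query per hop.
for i in range(12):
    ZONE[f"chain{i}.example"] = f"v=spf1 include:chain{i + 1}.example -all"
ZONE["chain12.example"] = "v=spf1 -all"

# RFC 7208 section 4.6.4: at most 10 DNS-querying terms (include, a, mx, ptr,
# exists, redirect) per check_host() evaluation; exceeding it is a permerror.
MAX_DNS_MECHANISMS = 10

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when the record cannot be evaluated (bad syntax, too many lookups)."""


class LookupBudget:
    """Counts DNS-querying mechanisms and enforces the per-evaluation limit."""

    def __init__(self, limit=MAX_DNS_MECHANISMS):
        self.limit = limit
        self.used = 0

    def spend(self):
        self.used += 1
        if self.used > self.limit:
            raise PermError(f"more than {self.limit} DNS-querying mechanisms")


def _evaluate(ip, domain, zone, budget):
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget.spend()  # the receiver must fetch the included domain's record
            sub = _evaluate(ip, arg, zone, budget)
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"
        else:
            raise PermError(f"mechanism {name!r} not supported by this toy evaluator")
        if matched:
            return RESULT[qualifier]
    return "neutral"


def check_host(ip, domain, zone=ZONE):
    """Return (result, dns_mechanisms_used) for a sending IP and MAIL FROM domain."""
    budget = LookupBudget()
    try:
        result = _evaluate(ipaddress.ip_address(ip), domain, zone, budget)
    except PermError:
        result = "permerror"
    return result, budget.used


if __name__ == "__main__":
    # Small domain delegating to its ISP via include: one extra lookup per message.
    print(check_host("192.0.2.25", "smallbiz.example"))      # ('pass', 1)
    print(check_host("203.0.113.5", "smallbiz.example"))     # ('fail', 1)
    # Receiver checks the ISP's own domain directly (the forwarder-authenticates
    # model argued for in the message): no includes, no extra lookups.
    print(check_host("192.0.2.25", "_spf.isp.example"))      # ('pass', 0)
    # Hostile chain: evaluation is cut off after the 10th include.
    print(check_host("192.0.2.25", "chain0.example"))        # ('permerror', 11)
```

The first two calls show the cost the message describes: the small domain's own record is fetched for free, but its single `include:` adds one more query on every message. The third call shows the alternative the reply argues for: if the receiver is checking the ISP's domain rather than the small domain's, the ISP's address list is reached with no includes at all. The last call shows why a lookup cap matters: without it the chain would cost the receiver thirteen queries, and an attacker controls how long the chain is; with the cap, evaluation stops at the eleventh DNS-querying mechanism and the result is a permanent error rather than an unbounded stream of queries.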