Re: Re: op=dk

william(at)elan.net wrote:
> On Sun, 17 Apr 2005, Radu Hociung wrote:
>
> > > How does this dk= modifier "modify" SPF results, if at all ?
>
> > None of the o* modifiers have any effect at all on SPF results. The
> > SPF client should simply relay their contents to the MTA. If the MTA
> > knows what to do with them, fine, otherwise, just move on.
>
> SPF can serve as basis for more general list of sender policies, but we
> have to be clear that those modifiers in no way effect results of SPF
> system itself. As such such modifiers can be introduced with separate
> technical documents but MUST NOT be introduced by SPF specifications
Please explain what you base this conclusion on.

> > But for this example, let's say that the domain owner publishes an
> > odk=yes extension. As I have shown above, it makes no sense the SPF
> > record to specify the location of the DK record, but perhaps only it's
> > existence.
> >
> > In this case, say that the recipient MTA gets an SPF result of FAIL on
> > their check of the MAIL-FROM. The SPF checker passes the
> > spf_also_found["dk"]="yes" to the MTA.
> >
> > In order to decide whether to reject after the SPF fail, or to give it
> > one more chance using DK, it may use any other information it has
> > available. Perhaps the RCPT user is known to make heavy use of
> > forwarders, so a lot of his mail gets FAIL SPF results, even though it
> > is legitimate.
>
> > At this point the MTA may decide to receive the message anyway,
> > instead of
> > rejecting it right away due to the SPF fail. Then it would decide
> > whether the message is authentic if it finds a DK signature and if the
> > signature checks out.
>
> No, that would be very bad idea. SPF and DK operate on different layers
> of mail transmission and failure of one of them is just that failure, it
> has nothing to do with failure or success of authentication in another
> layer
> (unless we agree to change email architecture and restructure separation
> of 2821 and 2822 layers). If you allow authentication in one layer to
> effect
> results of another, you effectively create a security trap which can
> have very negative consequences in the future and will be extremely
> difficult to fix (a lot more so then when you have problem in only one
> layer).
Please explain the nature of the security trap.

In my explanation, DK's result did not affect SPF's result and vice
versa. I recognize that they are different layers and can operate
independently of each other.

I consider a message that that FAILs the SPF check, but passes the DK
signature check a message that should be delivered, subject to
subsequent the spam evaluation.

This is the typical case of a genuine message from Yahoo that goes
through a forwarder.

> The above however does not mean its a bad idea for SPF checker to pass
> along list of "other" (unknown to SPF) modifiers to MTA, but only once
> decision on SPF itself has been made.  In this way it should be possible
> for MTA to make a decision based on cryptographic success of failure if
> there was no result from SPF itself. This also means that records such
> as "v=spf mod1=a mod2=b", with list of sender policies should be considered
> proper spf record (they just have 0 meaning to SPF checker itself).
>
> > How the various spam fighting methods are combined is the MTA vendor's
> > problem. SPF cannot say anything on the subject. SPF really only
> > provides one input into the spam software's decision making process.
>
> SPF IS NOT SPAM FIGHTING METHOD
>
> SPF can be used as means to prevent spoofing, but that does not mean that
> success of spf has any implication that message is spam or not.
Thank you for reminding me what I hadn't forgotten.

So perhaps it is wrong for SpamAssassin to be involved in any way, and
to provide any support for SPF? As far as I know, SpamAssassin is a spam
fighting method.

> > Where the usefulness of the extension is most clear is when SPF3 gets
> > published and starts being adopted. Let's assume that SPF3 operates on
> > the message headers.
>
> Lets not assume that unless you have reasons to believe that it would.
Here's where you started an irrelevant monolog.

I did not say that SPF3 is a successor to SPF1, nor that it replaces it.
Yet, the spirit of your following comments makes this assumption.

You should either address my comments under the assumption I have
stated, or prove my assumption wrong. Otherwise we're not talking about
the same thing.

In hindsight, I should have used FPS1 instead of SPF3, to indicate a
future standard that is largely unrelated to SPF. I thought my
assumption that it operates on headers and that it publishes some
signing key was enough to make this clear. Mea culpa.

The FPS1 protocol may very well be the open-source equivalent of DK. I
don't know what the future holds, and I'm not willing to make the
assumption that only an SPF-like protocol is possible.

So, please re-evaluate your response in light that the new protocols I'm
trying to provide for are NOT related to SPF in any way, other than that
they also need to make use of the TXT record space at the top-level.

I call "top-level TXT record" the TXT record at the mailbox-domain
level. This is the equivalent to the TXT record at %{o}. Perhaps
"mailbox-domain TXT record" would be a better name?

Radu.


> > Thus, it is evaluated after SPF1, but its results make sense even if
> > SPF1 is a FAIL. Let's also assume that SPF3 is designed to be a
> > 1-query protocol, and it contains a signing key or something like
> > that, so there is no redirect=mechanism:
>
> In typical protocol design world next version of protocol is expected to
> do as much as its first version and more and be able to replace earlier
> version. As such you should not expect that SPF3 would continue to exist
> together with SPF1, what you should expect it that there would be period
> of time (possibly quite long period) where they would but that
> specification
> would call for SPF3 to eventually replace SPF1.
>
> So while I personally would like to see simpler 1-query protocol for SPF3,
> I really don't see how that would happen in a way that allows it to provide
> same functionality as SPF3. More then likely what you would expect from
> SPF3
> is that it would be fulfill goals of Unified SPF and introduce scopes, etc.
>
> Note also that all Unified SPF scopes that we talked about (with
> exception of PRA which is clearly not supported by SPF community) were
> for SMTP Session and are then 2821 layer and not based on header checking.
>
> > As the domain owner, one has to plan how to publish their records as
> > to impose the lightest DNS load on themselves.
> >
> > This means that they have to share the 400-bytes available in the TXT
> > space between the two SPF records. Let's assume that the two records
> > are 300 bytes each.
>
> DNS is created to be lightweight distributed query protocol where the
> result
> data is small. As long as spf record is small, that is good but if you
> start
> talking about it taking 300 or 400-bytes record and assume that most
> records
> would be like that, then its no longer good idea to keep SPF in the DNS and
> its better for it to have information service on its own
>
> > Given the design of the mechanisms, the only possible plan is:
> >
> > 1. Publish SPF3 in full in the TXT record
>
> I would say its probably fair view given direction of SPF (found even in
> current spf specifications) to assume that SPF3  *WILL NOT USE* TXT record
> and will likely use SPF DNS record type.
>
> > 2. Publish 100 bytes of the SPF1 record and extend it with redirect=
> >
> > This would work. But at the time SPF3 is invented, SPF1 is very
> > popular, and the installed base of SPF checkers is very large.
> >
> > This means that just by publishing SPF3, the domain owner will double
> > the number of queries received from the installed base of SPF checkers.
>
> Lets differentiate between number of queries and number of answers and
> especially between data received in those answers. Remember also that
> negative queries on specific record types can easily be cached. In
> other words I advice you to read DNS specification and you'll understand
> that its not as bad as you think even if two queries have to be made for
> SPF3 and then for SPF1.
>
> > On the other hand, if the SPF1+3 checkers know about the ospf3=
> > extension in the SPF record, the domain owner could take the following
> > decision:
>
> SPF1 checker would have no reason to know about SPF3 record (it does not
> know how to interpret it easily). On the other hand SPF3 checker wants
> to see SPF3 record first and if it is there, it has no reason to check
> SPF1 record. But while "ospf3=" extension is BAD idea for SPF1 records,
> its not bad idea to allow ->spf3 record<- to refer to older spf1 record
> and in that way allow administrator to maintain "shared" record part
> that would be understand by both spf1 and spf3.
>
> > 1. Publish the 300 byte SPF1 record at the top domain, and add ospf3=_s3
> > 2. Publish the 300 byte SPF3 record at _s3.domain.com
>
> See my comments why it would be bad if SPF1 and SPF3 records are both so
> large - its not good for dns.
>
> > Now, by publishing a new SPF record, the number of queries seen from
> > the large installed base of SPF1 checkers is the same as before,
> > except that each response is 10 bytes longer.
>
> So what good is that if SPF1 has no use of it?
>
> > The number of queries to _s3.domain.com would slowly ramp up as the
> > adoption of SPF3 grows.
>
> So what is the different between that and having separate SPF3 record
> where SPF1 record is not even checked by SPF3 checker.
>
> > The SPF3 checkers already know to look for spf_also_publishes["spf3"]
> > if we specify the o*= extension in the SPF1 check.
>
> SPF3 checker has no reason to use spf1 record if spf3 record already
> exists.
>
> > I am assuming that an MTA vendor would use an SPF3 implementation that
> > are also supports SPF1, so the same library is called both for the
> > SPF1 check as for the SPF3 check. Thus, it will be aware of the o*=
> > extension.
>
> In such a case you should assume it'll do SPF1 check if SPF3 record is
> not there and if its there, then SPF3 record record would be used instead.
>
> > The SPF3 specification would have to provide guidance to the
> > implementors to look for an ospf3= keyword if an v=spf1 record is found.
> >
> > If the SPF3 does not specify such guidance, the ospf3= makes almost no
> > sense.
>
> SPF3 can have its own syntax that would explain if and how to use existing
> SPF1 record if its there. Its way too early to talk about that right now.
>
> > The cost of not guiding implementors to look for ospf3= is that
> > adoption of SPF3 will be slowed by the fact that a domain that wishes
> > to publish SPF3 would double their DNS costs for very little or no
> > benefit,
> > until the proliferation of SPF3 checkers becomes comparable to the
> > proliferation of SPF1 checkers.
>
> Again I strongly advise you to read more about DNS so you would understand
> why above is to say the least not accurate.
>
> > The alternative would be for SPF3 records to be specified with a
> > residence at _spf3.domain.com. Unfortunately this means that MTAs
> > would have to "hunt", first at domain.com for an SPF1 record, and then
> > at _s3.domain.com for an SPF3 record.
>
> It need not hunt there if it is an SPF3 specification and needs to find
> SPF3 record first. In that case it "needs to hunt" only for SPF1 record
> if SPF3 is not found. That is how you would expect next version of the
> protocol to be implemented (and not only in case of SPF).
>
> > This "hunting" will not go well with the regulatory bodies that have
> > to promote SPF3 to the standard track.
>
> The above statement is just wrong. Standards bodies will in fact hate idea
> of hunting for spf1 record first.
>
> > So, without an extension like o= in SPF1, the barrier to entry of
> > future DNS-based methods is much higher than with the o= extension.
>
> Again, the above is wrong and based on incorrect understand of how dns
> operates and how protocol are extended.
>
> > This is because SPF was the first to hog the top-level TXT space. If
> > it was another protocol, it would be sensible for that protocol to
> > make these kinds of provisions for the future methods.
>
> That however is correct. But SPF designers for the most part failed to do
> it and its too late now.
>
> > This o*= extension would have been much harder to implement if Sender
> > ID had been successful and if it used the top level TXT record,
> > because the o* function would have to be built into Sender ID as well
> > as SPF.
> >
> > I think it is a priviledge for SPF to be allowed to use the limited
> > real estate in the top-level record, and with priviledge, responsible
> > use and planning is needed.
>
> Nobody "allowed" SPF to usew what you call top-level txt record, SPF people
> started using unilaterally. DNS protocol experts all uniformly reject
> this and will only support spf provisionally as long as it is going to
> move towards using its own separate record type.
>
> I would however agree with you about need for responsible use and need
> for planning, but its already too late as SPF failed to do so.
>
> ---
> William Leibzon, Elan Networks:
>  mailto: william(_at_)elan(_dot_)net
> Anti-Spam and Email Security Research Worksite:
>  http://www.elan.net/~william/emailsecurity/
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
> To unsubscribe, change your address, or temporarily deactivate your
> subscription, please go to
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com