spf-discuss

Re: [spf-discuss] Re: Another test case for the test suite...

2007-01-09 19:36:38
On Tuesday 09 January 2007 19:43, Julian Mehnle wrote:
Julian Mehnle wrote on spf-devel:
We were talking on #spf.

FYI, I brought up there the fact that Mail::SPF was generally RFC-conforming except for one odd case:
| Currently, Mail::SPF ignores DNS errors on the SPF-type look-up but
| fully escalates them on the TXT-type look-up.  So if "all look-ups
| that are made" get a DNS error (other than NXDOMAIN) or time out, then
| Mail::SPF does the right thing because the TXT look-up will throw a
| TempError.
|
| If at least one record is returned by the SPF-type look-up, no
| TXT-type look-up is performed (so nothing can go wrong with the
| TXT-type look-up in the first place).
|
| However, if the SPF-type look-up succeeds and returns 0 records, and
| the following TXT-type look-up errors or times out, then Mail::SPF
| throws a TempError even though it shouldn't.

I fixed this tiny bug already.  Because it is so tiny, I won't make
another release immediately just for that.

FYI, this has now been fixed with the 2.003 release of Mail::SPF.  From the changelog:
| * Fixed a very minor bug where a "TempError" result would incorrectly be
|   returned in the very rare case when the SPF-type look-up succeeded but
|   returned 0 records, and the following TXT-type look-up errored or timed
|   out.  Now a "None" result is correctly returned in that case as
|   demanded by RFC 4408.

While I'm sure this is what the spec requires, I'm no longer sure this is a
sensible behavior.  Which means that there is probably a bug in the spec.

Any comments?

To summarize what I said on IRC for the benefit of the rest of the crowd...
Before RFC 4408 Auth48 we returned a TempError if _either_ of the lookups 
yields an error RCODE or a timeout and a permerror if the returned content 
was not identical.  As a result, TXT = None and SPF = timeout was a 
temperror.  The problem we were trying to fix was brain damaged DNS servers 
that can't deal with unknown RR types and just return nothing.

IIRC, Stuart ran across it in production after Type 99 was allocated but 
before the RFC was published.  Apparently (as Julian pointed out), we didn't 
think of the "SPF = None, TXT = timeout" case, though.

I've seen TXT = None and SPF = timeout as recently as yesterday.  I think that 
temperror is a slightly more correct response, but I'm not sure it would have 
been worth complicating the RFC yet again for an extremely rare special case.  
Keeping in mind we were in Auth48 and had to minimize changes in the 
language, I think what we have is good.

The SPF = None, TXT = timeout case is extremely unlikely to occur in real 
life.  I think implementations should do what RFC 4408 says and not sweat it.

Scott K
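The record-discovery rule the thread argues over, as an added Python example that is not Mail::SPF code or RFC text: rfc4408_select() implements the published RFC 4408 section 4.4/4.5 behaviour (the TXT query is sent only when the SPF-type query returned no records; TempError only when every lookup that was made failed), and pre_auth48_select() the draft behaviour Scott describes (TempError if either lookup fails, PermError if both answer with differing content). DNS answers are constructed in-process (canned record lists or a DnsError), the function and case names are my own, and how the pre-Auth48 draft treated an empty answer paired with a non-empty one is an assumption, since the thread does not say.

```python
"""RFC 4408 SPF record discovery, with the TempError rule this thread is about.

Added illustration, not code from Mail::SPF or text from the RFC.  DNS answers are
modelled in-process: a list of strings is a successful response (possibly empty;
NXDOMAIN counts as a successful empty answer here), a DnsError is an error RCODE
other than 0/3 or a timeout.
"""
from typing import Callable, List, Tuple, Union


class DnsError(Exception):
    """A lookup that failed with an error RCODE or timed out."""


Answer = Union[List[str], DnsError]
Lookup = Callable[[], Answer]   # a query that is only sent when called


def _spf_v1(records: List[str]) -> List[str]:
    """RFC 4408 4.5 step 1: keep only records whose version section is exactly v=spf1."""
    return [r for r in records if r == "v=spf1" or r.startswith("v=spf1 ")]


def rfc4408_select(spf_lookup: Lookup, txt_lookup: Lookup) -> Tuple[str, str]:
    """Record selection as published in RFC 4408 (post-Auth48 text).

    Returns (result, record): result is "None", "TempError", "PermError" or
    "Record", and record holds the single matching record in the last case.
    """
    made: List[Answer] = [spf_lookup()]
    # 4.4: the TXT query is sent only if the SPF-type query returned no records.
    if isinstance(made[0], DnsError) or not made[0]:
        made.append(txt_lookup())
    # 4.4: TempError only if *all* lookups that were made failed.
    if all(isinstance(a, DnsError) for a in made):
        return ("TempError", "")
    # 4.5 step 2 (drop TXT when SPF-type records exist) is implicit: TXT answers
    # are only collected when the SPF-type answer was empty or failed.
    records: List[str] = []
    for a in made:
        if not isinstance(a, DnsError):
            records.extend(_spf_v1(a))
    if not records:
        return ("None", "")
    if len(records) > 1:
        return ("PermError", "")
    return ("Record", records[0])


def pre_auth48_select(spf_lookup: Lookup, txt_lookup: Lookup) -> Tuple[str, str]:
    """The draft behaviour described in the thread: both queries are sent, TempError
    if either fails, PermError if both return content and it differs.  ASSUMPTION:
    when only one of the two answers is non-empty, that set is used."""
    spf, txt = spf_lookup(), txt_lookup()
    if isinstance(spf, DnsError) or isinstance(txt, DnsError):
        return ("TempError", "")
    spf_set, txt_set = _spf_v1(spf), _spf_v1(txt)
    if spf_set and txt_set and sorted(spf_set) != sorted(txt_set):
        return ("PermError", "")
    records = spf_set or txt_set
    if not records:
        return ("None", "")
    if len(records) > 1:
        return ("PermError", "")
    return ("Record", records[0])


def canned(answer: Answer) -> Lookup:
    """Wrap a constructed answer as a lookup (test fixture, not a real resolver)."""
    return lambda: answer


TIMEOUT = DnsError("timeout")
REC = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed record, documentation range

# The cases discussed in the thread, as constructed inputs.
CASES = {
    "SPF empty, TXT timeout":  (canned([]), canned(TIMEOUT)),
    "SPF timeout, TXT empty":  (canned(TIMEOUT), canned([])),
    "SPF timeout, TXT record": (canned(TIMEOUT), canned([REC])),
    "both timeout":            (canned(TIMEOUT), canned(TIMEOUT)),
    "SPF record, TXT timeout": (canned([REC]), canned(TIMEOUT)),
}


def compare(case: str) -> Tuple[str, str]:
    """(RFC 4408 result, pre-Auth48 result) for one named case."""
    spf, txt = CASES[case]
    return (rfc4408_select(spf, txt)[0], pre_auth48_select(spf, txt)[0])


if __name__ == "__main__":
    for name in CASES:
        rfc, old = compare(name)
        print(f"{name:24s}  RFC 4408={rfc:10s}  pre-Auth48={old}")
```

The two cases Julian and Scott name ("SPF empty, TXT timeout" and "SPF timeout, TXT empty") come out as None under the published rule and TempError under the draft rule; "SPF record, TXT timeout" shows why the SPF-type lookup ignoring TXT failures is harmless in the common case, because under RFC 4408 the TXT query is never sent once a type-99 record has been returned.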

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735