spf-discuss

Re: [spf-discuss] Re: Another test case for the test suite...

2007-01-10 10:19:15

On Wed, 10 Jan 2007, Julian Mehnle wrote:


wayne wrote:
The use of type99 SPF records must be optional, in order to maintain
backwards compatibility with existing implementations and
draft-mengwong-spf-0[01].

I had *hoped* that we had also made TXT records optional so that if
anyone is foolish enough to do it, they can insist on only checking
type99 records.  I figured that would make the IETF DNS folks happy.

For the record, according to RFC 4408, checking the TXT type _is_ optional
(i.e. checking only SPF and not TXT is allowed).

As is the other way around.

This leads to the obvious problem:  What to do if the results of only
checking one type of RR will be different than only checking the other
RR type?

We have discussed it before. While I'd prefer to see permerror given
different results, it is not possible because of the local caching nature
of the DNS protocol, which makes it possible that a local DNS resolver might
have copies of the DNS records for SPF and TXT from different revisions
(i.e. when you have a long TTL on your records and you change one of
the records in between, but a caching DNS resolver previously made a
request and cached a copy of the data from the other record).

My hope is we left that undefined, but I haven't reviewed RFC4408 to
make sure.

The problem with defining that is that the receiver by definition can never
know when this is the case.  If they only check one type, how are they
supposed to know that checking the other type would have given a different
result?

Besides, I don't think this is a problem in such a generality as you
phrased it.  The more important problem (as I discussed in my last mail in
this thread from 5 minutes ago) I think is what to do if both types are
queried but the DNS queries' statuses differ.

Local preference of the system doing the check - they must choose either
of the records. If there were errors in checking one of the records, I'd
choose the one that did not cause an error. If one of the records resulted
in fail (as in the IP address not being in the list of sources that send
email for the given domain) and the other is pass, on the safe side it's
probably better to choose pass. It's possible that a complex-enough
anti-spam system that does not make immediate reject/accept decisions
(unlike a mail server doing the test right after MAIL FROM) could use the
results from both TXT and TYPE99 when they differ in its spam score
computation structure. All of those are of course corner cases.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
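The local-preference rule discussed in this thread, worked through as an added example (not code from the list, RFC 4408 or any SPF implementation): lookups of both RR types are constructed inline rather than queried, the evaluator only understands ip4/ip6/all mechanisms, and the tie-breaking order (skip the type that errored, otherwise take the more permissive result) is an assumption generalising the pass-over-fail preference above.

```python
"""Reconcile SPF results obtained from the TXT and SPF (type 99) RR types."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RANK = ["pass", "neutral", "softfail", "fail"]  # most to least permissive (assumed order)

@dataclass
class Lookup:
    """Outcome of one DNS query; 'status' vocabulary is constructed for this example."""
    rrtype: str                               # "TXT" or "SPF"
    status: str                               # "ok", "temperror" or "none"
    records: List[str] = field(default_factory=list)

def select_record(lookup: Lookup) -> str:
    """Keep v=spf1 records of one type; more than one is a permerror, none is 'none'."""
    if lookup.status != "ok":
        return lookup.status
    spf = [r for r in lookup.records if r.split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return "none"
    return "permerror" if len(spf) > 1 else spf[0]

def evaluate(record: str, ip: str) -> str:
    """Minimal check_host(): the first matching ip4/ip6/all mechanism decides."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")) and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"                          # nothing matched: default result

def result_for(lookup: Lookup, ip: str) -> str:
    rec = select_record(lookup)
    return rec if rec in ("none", "temperror", "permerror") else evaluate(rec, ip)

def reconcile(txt: Lookup, spf: Lookup, ip: str) -> str:
    """Prefer the type that produced a usable result; if both did, the more permissive."""
    a, b = result_for(txt, ip), result_for(spf, ip)
    usable = [r for r in (a, b) if r in RANK]
    if not usable:                            # both errored or empty: report the error
        return a if a != "none" else b
    return min(usable, key=RANK.index)

# Constructed lookups: the two types disagree, as if cached from different revisions.
IP = "192.0.2.10"
TXT = Lookup("TXT", "ok", ["v=spf1 ip4:192.0.2.0/24 -all", "unrelated text record"])
SPF99 = Lookup("SPF", "ok", ["v=spf1 ip4:198.51.100.0/24 -all"])
TIMEOUT = Lookup("SPF", "temperror")
```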

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
