spf-discuss

Re: [spf-discuss] Re: Test suite update

2007-03-19 17:26:56
On Mon, Mar 19, 2007 at 10:37:27PM +0100, Frank Ellermann wrote:

>>> Should we better propose "v=spf1 ptr -all" as typical HELO policy?

>> This would match any subdomain of "museum.", including domains in
>> a different zone.  Perhaps this example is not suited well, but
>> imagine a similar hostname "de." with such a policy ... Your
>> suggestion would allow your host to say "HELO de".

> At the moment my host is xyzzy.dnsalias.org = 80.171.252.210
> When I try nslookup -q=ptr 80.171.252.210 I get
> 210.252.171.80.in-addr.arpa   name = d252210.dialin.hansenet.de
>
> So, the official name of 80.171.252.210 is d252210.dialin.hansenet.de.
> but only if there is also a `forward' lookup possible. There is.
>
> But "host" de doesn't have IP 80.171.252.210, it shouldn't match.
> Besides TLD de also has no SPF policy using "v=spf1 ptr -all".
>
> Something with your counterexample is wrong or I am missing a clue.

As you can see in my counterexample, I suggested that __if__ "de."
had such a policy, __then__ the following would happen:

As per RFC4408 section 5.5, the official name is looked up for "ptr"
mechanisms. Start with the connecting IP address 80.171.252.210, look up
the corresponding name "d252210.dialin.hansenet.de." and verify it using
an A(d252210.dialin.hansenet.de.) lookup which should return an address
of 80.171.252.210 (maybe more).

Domain "de." SPF policy (in either a TXT record, an SPF record, or both)
"v=spf1 ptr -all", would mean: any host with a name ending in "de."
would match on "ptr", the rest would match on "all".

In your hostname's case: All validated names (d252210.dialin.hansenet.de.)
are then compared against the target name "de." and a match does occur on
the "ptr" mechanism!  This means your host would be allowed to "HELO de".

> Strict 2821 implementations could reject "HELO ws" and "HELO ws."
> as SMTP syntax errors.

Ah, yes, yet another RFC2821 bug.  But we can't rely on bugs in other
protocols to help RFC4408.  As soon as 2821 is fixed, my example would
work.

Besides, when has 2821 become a standard?  821 has this to say:
<domain> ::=  <element> | <element> "." <domain>
<element> ::= <name> | "#" <number> | "[" <dotnum> "]"
<name> ::= <a> <ldh-str> <let-dig>

and thus "museum" is a valid domain. "de" is not, but I think there's
an update somewhere (or I found a bug in 821?)

Alex
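The "ptr" evaluation walked through above (RFC 4408 section 5.5), as an added example that is not part of the original thread or of any SPF implementation: a stub resolver with constructed PTR and A records (the policy at "de." is hypothetical, as in the discussion) shows why the forward-confirmed name d252210.dialin.hansenet.de. matches a "v=spf1 ptr -all" record published at "de.", while the A record of "de" itself never enters into the check, and why an unconfirmed PTR name pointing into ".de" is discarded.

```python
# "ptr" mechanism evaluation as described in RFC 4408 section 5.5, run
# against a constructed in-memory DNS table instead of live lookups.
from typing import Dict, List

# Constructed sample records (not real answers from any live resolver).
PTR_RECORDS: Dict[str, List[str]] = {
    "80.171.252.210": ["d252210.dialin.hansenet.de."],
    "192.0.2.7": ["mx.example.net.", "anything.de."],  # 2nd name has no A record
}
A_RECORDS: Dict[str, List[str]] = {
    "d252210.dialin.hansenet.de.": ["80.171.252.210"],
    "mx.example.net.": ["192.0.2.7"],
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def validated_names(ip: str) -> List[str]:
    """Forward-confirmed reverse DNS: keep a PTR name only if an A lookup
    of that name returns the connecting IP (unconfirmed names are dropped)."""
    return [n for n in PTR_RECORDS.get(ip, []) if ip in A_RECORDS.get(n, [])]

def ptr_matches(ip: str, target_name: str) -> bool:
    """Match if a validated name is target_name or a subdomain of it."""
    target = target_name.lower().rstrip(".") + "."
    for name in validated_names(ip):
        name = name.lower()
        if name == target or name.endswith("." + target):
            return True
    return False

def check_helo(ip: str, helo: str, policies: Dict[str, str]) -> str:
    """Evaluate a record such as 'v=spf1 ptr -all' published at the HELO
    name. Only the 'ptr' and 'all' mechanisms are handled here."""
    domain = helo.lower().rstrip(".")
    record = policies.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "ptr" and ptr_matches(ip, arg or domain):
            return QUALIFIER_RESULT[qualifier]
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

if __name__ == "__main__":
    policy = {"de": "v=spf1 ptr -all"}  # hypothetical policy, not a real one
    print(check_helo("80.171.252.210", "de", policy))  # pass: name ends in ".de."
    print(check_helo("192.0.2.7", "de", policy))       # fail: "anything.de." unconfirmed
```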

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735
