Sandy,
At 01:25 PM 1/20/2009, you wrote:
> > Given the issue discovered in DNS last year, which essentially
> > required suppliers of DNS server software to address and update
> > their software, one would think that any serious DNS operators would
> > have migrated to the new fixed DNS server versions. One would also
> > think that suppliers of DNS servers would also have added support
> > for SPF RR as a valid and accepted RR type in current DNS software
> > per the RFCs governing standards for DNS in their current releases.
> > Thus on most all DNS servers, one might conclude that there should
> > already be direct support for the SPF RR.
> What's with this "one might" and "one would" high-falutin'? Just do
> some research (if you're not afraid to find out you're wrong).
First, everyone has style differences and "launching" on someone for
a style issue is counterproductive. There have been one or two list
members over the years whose style was abrasive for me, but you learn
about the person and either their styles become comfortable or you
ultimately just pay less attention to them.
As I did not have the data at my fingertips to make declarative
statements in my last message, I qualified them.
I am always happy to get pointed to data which either refutes me when
I draw incorrect conclusions or which reinforces them. So, I'm
certainly not afraid to find out I'm wrong, because it just brings up
another discussion to work through to solve the problem where my
premise was incorrect. I also did not want to be perceived as being
insulting or rude in any way to the DNS supplier community, who have
been generous to the SPF project in their support of 99/SPF RRs.
> As of Oct 2008, post-Kaminsky, the Measurement Factory survey reported
> that under 7% of authoritative servers were running a version of BIND
> that supports Type 99 (9.4+).
> Approximately 15% more use djb/My/Simple/Power, which at least support
> Type 99 in their latest versions (versions for these are not given).
> 26% of servers are totally unclassified. Given earlier survey results,
> I believe there to be at least another 1-3% of MS DNS in there (the
> classifiable servers are < 1% MS DNS), and none of those support Type
> 99.
> Anyway, add in half of the unclassified BINDs, plus half of the
> totally unknown servers, and even at this surely inflated level,
> you're talking about 45% SPF RR support. That isn't "most all DNS
> servers" (whatever that means). It's almost "most".
> http://dns.measurement-factory.com/surveys/200810.html
Having looked at your link, it is pretty clear that we (both SPF and
DNS communities) need to do a better job in educating people on the
importance of upgrading their DNS servers to current levels, so as to
be more responsible DNS server operators. As with any system, breaks
happen at weak links.
To be more colloquial (and hopefully Sandy will take this in the
light-hearted spirit in which it is intended): broken a** out-of-date
DNS software is certainly a big a** honking weak link for the Internet.
Even so, it is another opportunity. Does anyone know if Measurement
Factory would actually part with detailed IP addresses and WHOIS data
on the DNS servers that are arguably mustang? If so, perhaps keeping
a central registry for those IPs might help them to migrate because
in their current state (as they can be corrupted), they are not
trustworthy for answers they provide.
If not, perhaps they would take on the task of getting the word out
about these networks, which seem to be running sub-par operations.
Often things like this are either related to ignorance of a problem
or lack of time. The first can be fixed with education, the latter
perhaps in pushing a point.
> I would not argue with your wishful thinking, but that's not what we
> should deal with here.
I really don't think it a case of wishful thinking to suggest moving
the spec to 99/SPF as the primary request type over TXT. It is the
logical path where things will eventually go.
My point was that it should take place now in the SPF spec, because
it encourages the right behavior in implementations and guidance for
those who implement SPF. The folks who implement DNS were kind
enough to establish 99/SPF RRs for this very group; it might be nice
for the SPF standard to keep moving things forward by promoting their use.
Further, it might yet help and encourage those who are seemingly poor
administrators and who have not updated their DNS servers to upgrade
to a more secure version.
> --Sandy
Best,
Alan
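As an added example (not part of this thread or of any SPF project code), here is a minimal resolver-side implementation of the lookup order Alan argues for: ask for the SPF RR (type 99) first and fall back to TXT only when no type-99 answer comes back, which is also what a querier sees from a server whose software predates the type. It uses only Python's standard library; the `ZONES` data and the `zone_server` transport stand-in are constructed here and are not real domains or servers.

```python
import struct

TYPE_TXT, TYPE_SPF = 16, 99  # SPF RR type 99 (RFC 4408); TXT is the legacy carrier

def build_query(name, qtype, qid=0x1234):
    """Minimal recursion-desired query carrying one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", qtype, 1)
def build_response(query, rrtype, records):
    """Constructed reply echoing the question; TXT and SPF RDATA share the <len><bytes> string layout."""
    rrs = b""
    for strings in records:
        rdata = b"".join(bytes([len(s)]) + s.encode() for s in strings)
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", rrtype, 1, 3600, len(rdata)) + rdata  # owner name -> offset 12
    return struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8180, 1, len(records), 0, 0) + query[12:] + rrs
def skip_name(msg, off):
    """Offset just past an owner name, whether plain labels or a compression pointer."""
    while msg[off] and not msg[off] & 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)
def answer_strings(response, rrtype):
    """Concatenated character-strings of every answer RR of the wanted type."""
    off, out = skip_name(response, 12) + 4, []  # skip QNAME, QTYPE, QCLASS
    for _ in range(struct.unpack(">H", response[6:8])[0]):  # ANCOUNT
        off = skip_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        rdata, off = response[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == rrtype:
            txt, i = b"", 0
            while i < len(rdata):
                txt, i = txt + rdata[i + 1:i + 1 + rdata[i]], i + 1 + rdata[i]
            out.append(txt.decode())
    return out
def lookup_spf(domain, send):
    """Ask for type 99 first; with no answer (old servers included) fall back to v=spf1 TXT records."""
    recs = answer_strings(send(build_query(domain, TYPE_SPF)), TYPE_SPF)
    if recs:
        return "SPF", recs
    recs = answer_strings(send(build_query(domain, TYPE_TXT)), TYPE_TXT)
    return "TXT", [r for r in recs if r.split(" ", 1)[0].lower() == "v=spf1"]
# Constructed zones (not real domains): one publishes type 99, the other only legacy TXT.
ZONES = {
    "modern.example": {TYPE_SPF: [("v=spf1 mx ", "-all")], TYPE_TXT: [("v=spf1 mx -all",)]},
    "legacy.example": {TYPE_TXT: [("verification=abc123",), ("v=spf1 ip4:192.0.2.0/24 -all",)]},
}
def zone_server(name):  # stand-in for the UDP exchange with the authoritative server of `name`
    def send(query):
        qtype = struct.unpack(">H", query[-4:-2])[0]
        return build_response(query, qtype, ZONES[name].get(qtype, []))
    return send
```

A server with no type-99 support answers the first query with an empty answer section, so `lookup_spf` lands on the TXT branch for it exactly as for a zone that simply never published the new type.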
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com