Mailing List Archive

No record - error or no match?
Hello,

I have faced an interesting question while working on our SPF
implementation.

Take the SPF record "v=spf1 a mx ptr -all". The "a" mechanism has no
argument, so the domain used will be the envelope sender domain (or
the HELO domain), say "example.org". During the evaluation, it turns
out that example.org does not have an A RR. Ooops.

The question is: shall this result in a DNS error (1), in no-match (2,
just like if the record data did not match the checked IP) or
should it be ignored (3)?

Obviously, a parameterless "a" without an A RR is stupid. Just another
DNS lookup for nothing. However, when there is a macro parameter that
extends using a session data-dependent macro like "c" (client IP) or
"l" (sender local part), it may make sense.

Our SPF implementation currently uses (1), i.e. we treat this as an
error, but I have noticed that the SPF checker at
http://www.dnsstuff.com/pages/spf.htm says PASS if mx/ptr matches, so
it silently ignores the missing record (3).

Unfortunately SPF Classic (that I am implementing) is not very clear
on what is an error and what is not.

Your comments are welcome.

Best regards,

Peter Karsai

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
RE: No record - error or no match?
>-----Original Message-----
>From: owner-spf-devel@v2.listbox.com
>[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Peter Karsai
>Sent: Thursday, July 14, 2005 8:58 AM
>To: spf-devel@v2.listbox.com
>Subject: [spf-devel] No record - error or no match?
>
>
>Hello,
>
>I have faced an interesting question while working on our SPF
>implementation.
>
>Take the SPF record "v=spf1 a mx ptr -all". The "a" mechanism has no
>argument, so the domain used will be the envelope sender domain (or
>the HELO domain), say "example.org". During the evaluation, it turns
>out that example.org does not have an A RR. Ooops.
>
>The question is: shall this result in a DNS error (1), in no-match (2,
>just like if the record data did not match the checked IP) or
>should it be ignored (3)?
>
>Obviously, a parameterless "a" without an A RR is stupid. Just another
>DNS lookup for nothing. However, when there is a macro parameter that
>extends using a session data-dependent macro like "c" (client IP) or
>"l" (sender local part), it may make sense.
>
>Our SPF implementation currently uses (1), i.e. we treat this as an
>error, but I have noticed that the SPF checker at
>http://www.dnsstuff.com/pages/spf.htm says PASS if mx/ptr matches, so
>it silently ignores the missing record (3).
>
>Unfortunately SPF Classic (that I am implementing) is not very clear
>on what is an error and what is not.
>
>Your comments are welcome.
>
>Best regards,
>
> Peter Karsai
>
Looking at:

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html

I'd call it PermError.

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor22

" When a mechanism is evaluated, one of three things can happen: it can
match, it can not match, or it can throw an exception."

This clearly has to throw an exception since there's nothing to try to match
to. So, the only question is what kind.

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor12

"2.5.7. PermError

A "PermError" result means that the domain's published records couldn't be
correctly interpreted. This signals an error condition that requires manual
intervention to be resolved, as opposed to the TempError result."

If there's no A record, it definitely would require manual intervention.

My 2 cents.

Scott K

Re: No record - error or no match?
Hi Scott,

Thanks for the response. Our implementation currently treats this as
PermError ("Error" per SPF-C draft-mengwong-spf-01.txt) for the same
reason. However, other SPF implementations seem to treat these kinds of
errors differently, so I am confused a little. In fact, I have noticed
several differences between our SPF library and libspf, but I was
unable to get these differences clarified.

Also, treating any DNS error as PermError raises a few questions. For
example, if during the evaluation of the "ptr" mechanism we find no
PTR for the IP, what should we do?

If we say it is an error, then we open the door to forgery. All
the malicious sender has to do is to send from an IP without reverse
name and so they can bypass the SPF policy of the forged domain.

If we say it is a failed match (like we do now, as an exception), then
we can stop the above forgery, but we made an exception. Maybe "If no
validated hostname can be found, or if none of the validated hostnames
end in the <target-name>, this mechanism fails to match." refers to
this, but it is not so clear.

Peter

On 7/14/05, spf2@kitterman.com <spf2@kitterman.com> wrote:
> >-----Original Message-----
> >From: owner-spf-devel@v2.listbox.com
> >[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Peter Karsai
> >Sent: Thursday, July 14, 2005 8:58 AM
> >To: spf-devel@v2.listbox.com
> >Subject: [spf-devel] No record - error or no match?
> >
> >
> >Hello,
> >
> >I have faced an interesting question while working on our SPF
> >implementation.
> >
> >Take the SPF record "v=spf1 a mx ptr -all". The "a" mechanism has no
> >argument, so the domain used will be the envelope sender domain (or
> >the HELO domain), say "example.org". During the evaluation, it turns
> >out that example.org does not have an A RR. Ooops.
> >
> >The question is: shall this result in a DNS error (1), in no-match (2,
> >just like if the record data did not match the checked IP) or
> >should it be ignored (3)?
> >
> >Obviously, a parameterless "a" without an A RR is stupid. Just another
> >DNS lookup for nothing. However, when there is a macro parameter that
> >extends using a session data-dependent macro like "c" (client IP) or
> >"l" (sender local part), it may make sense.
> >
> >Our SPF implementation currently uses (1), i.e. we treat this as an
> >error, but I have noticed that the SPF checker at
> >http://www.dnsstuff.com/pages/spf.htm says PASS if mx/ptr matches, so
> >it silently ignores the missing record (3).
> >
> >Unfortunately SPF Classic (that I am implementing) is not very clear
> >on what is an error and what is not.
> >
> >Your comments are welcome.
> >
> >Best regards,
> >
> > Peter Karsai
> >
> Looking at:
>
> http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html
>
> I'd call it PermError.
>
> http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor22
>
> " When a mechanism is evaluated, one of three things can happen: it can
> match, it can not match, or it can throw an exception."
>
> This clearly has to throw an exception since there's nothing to try to match
> to. So, the only question is what kind.
>
> http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor12
>
> "2.5.7. PermError
>
> A "PermError" result means that the domain's published records couldn't be
> correctly interpreted. This signals an error condition that requires manual
> intervention to be resolved, as opposed to the TempError result."
>
> If there's no A record, it definitely would require manual intervention.
>
> My 2 cents.
>
> Scott K
>

Re: No record - error or no match?
...... Original Message .......
On Fri, 15 Jul 2005 10:57:15 +0200 Peter Karsai <peter.karsai@gmail.com>
wrote:
>Hi Scott,
>
>Thanks for the response. Our implementation currently treats this as
>PermError ("Error" per SPF-C draft-mengwong-spf-01.txt) for the same
>reason. However, other SPF implementations seem to treat these kinds of
>errors differently, so I am confused a little. In fact, I have noticed
>several differences between our SPF library and libspf, but I was
>unable to get these differences clarified.
>
>Also, treating any DNS error as PermError raises a few questions. For
>example, if during the evaluation of the "ptr" mechanism we find no
>PTR for the IP, what should we do?
>
You do, of course, need to distinguish between temporary and permanent DNS
related errors.

>If we say it is an error, then we open the door to forgery. All
>the malicious sender has to do is to send from an IP without reverse
>name and so they can bypass the SPF policy of the forged domain.
>
This is a matter of receiver policy. It is increasingly common to reject
all mail from an IP without reverse DNS, but that's nothing to do with SPF.

>If we say it is a failed match (like we do now, as an exception), then
>we can stop the above forgery, but we made an exception. Maybe "If no
>validated hostname can be found, or if none of the validated hostnames
>end in the <target-name>, this mechanism fails to match." refers to
>this, but it is not so clear.
>
As a matter of local receiver policy you can choose to reject on PermError.
Treating the mechanism as just no match is risky.

Scott K

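The evaluation choices argued over in this thread, as an added example that is not part of the original posts and not the code of Peter's library, libspf or the dnsstuff checker. It is a minimal evaluator for the "a", "mx", "ptr" and "all" mechanisms run against a constructed in-memory zone (the names, addresses and the `ZONE`, `lookup`, `check_host` and `_ptr_matches` identifiers are all assumptions made here). The `missing_a` knob selects between option (1), PermError, and options (2)/(3), continue to the next mechanism, for an "a" target without an A RR; a "ptr" lookup with no PTR is treated as a plain non-match, following the draft sentence Peter quoted; and a transient resolver failure is kept apart from a permanent one and surfaces as TempError, as Scott asks for.

```python
import ipaddress


class TempDnsError(Exception):
    """Transient resolver failure (timeout, SERVFAIL); SPF maps it to TempError."""


# Constructed zone data standing in for DNS (not real records).
# [] means the name has no RR of that type (or does not exist);
# the TempDnsError class means the lookup fails transiently.
ZONE = {
    ("example.org", "TXT"): ["v=spf1 a mx ptr -all"],
    ("example.org", "A"): [],                       # the case from the thread: no A RR
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("20.2.0.192.in-addr.arpa", "PTR"): [],         # sending host without reverse DNS
    ("flaky.example", "TXT"): ["v=spf1 a:ns.flaky.example -all"],
    ("ns.flaky.example", "A"): TempDnsError,        # resolver is timing out right now
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    """Resolve name/rtype in the constructed zone; raise on a transient failure."""
    answer = zone.get((name.lower(), rtype), [])
    if answer is TempDnsError:
        raise TempDnsError(f"{rtype} lookup of {name} failed transiently")
    return list(answer)


def _ptr_matches(ip, target, zone):
    """'ptr': reverse-resolve ip, keep only names whose A RR points back at ip,
    and match when such a validated name is target or ends in target.
    No PTR RR at all is simply a non-match, not an error."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for name in lookup(rev, "PTR", zone):
        if ip in lookup(name, "A", zone):            # forward-confirmed reverse DNS
            if name.lower() == target.lower() or name.lower().endswith("." + target.lower()):
                return True
    return False


def check_host(ip, domain, missing_a="permerror", zone=ZONE):
    """Evaluate the 'a', 'mx', 'ptr', 'all' subset of SPF for ip against domain.

    missing_a picks how an 'a' mechanism whose target has no A RR is handled:
    "permerror" (option 1 in the thread) or "nomatch" (options 2/3: move on).
    Returns one of: none, pass, fail, softfail, neutral, permerror, temperror.
    """
    try:
        records = [t for t in lookup(domain, "TXT", zone) if t.lower().startswith("v=spf1 ")]
        if not records:
            return "none"
        if len(records) > 1:
            return "permerror"           # more than one SPF record is a PermError
        for term in records[0].split()[1:]:
            qualifier = "+"              # default qualifier is "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech, target = mech.lower(), (arg or domain)
            if mech == "all":
                matched = True
            elif mech == "a":
                addrs = lookup(target, "A", zone)
                if not addrs and missing_a == "permerror":
                    return "permerror"   # option (1): nothing to match against
                matched = ip in addrs    # options (2)/(3): an empty answer just fails to match
            elif mech == "mx":
                matched = any(ip in lookup(mx, "A", zone) for mx in lookup(target, "MX", zone))
            elif mech == "ptr":
                matched = _ptr_matches(ip, target, zone)
            else:
                return "permerror"       # unknown mechanism is a PermError
            if matched:
                return QUALIFIERS[qualifier]
        return "neutral"                 # ran off the end of the record without a match
    except TempDnsError:
        return "temperror"               # transient DNS trouble is never a PermError


if __name__ == "__main__":
    print(check_host("192.0.2.10", "example.org", "permerror"))   # permerror
    print(check_host("192.0.2.10", "example.org", "nomatch"))     # pass (matched by mx)
    print(check_host("192.0.2.20", "example.org", "nomatch"))     # fail: no PTR does not bypass -all
    print(check_host("192.0.2.10", "flaky.example"))              # temperror
```

The third call is the forgery scenario from Peter's second mail: a host with no reverse DNS does not get a PermError out of "ptr", so evaluation reaches "-all" and the message fails, which is the behaviour the quoted draft sentence asks for. The fourth call shows why "no data" and "lookup failed" need different representations in the resolver layer; folding both into an empty answer would turn a transient outage into a PermError.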