Mailing List Archive

Help on some Question
Hi guys,

I'm starting to write a new Java SPF library. But now I'm stuck on a few
questions. I use the parser_text.txt to test my parser, but the problem
is that I get some unexpected results. Here are my questions:


1. First test:

spftest spf "v=spf1 include:a.a"
rec-in /.*/ SPF record in: v=spf1 include:a.a
err-msg /.*/ no errors
rec-out-auto /.*/


Why should this give no error? a.a seems not to be a valid domain to
me.

2.

spftest spf "v=spf1 a:/x32.com//12 +redirect=asdf.net"
rec-in /.*/ SPF record in: v=spf1 a:/x32.com//12
+redirect=asdf.net
err-msg /.*/ no errors
rec-out /.*/ SPF record: v=spf1 a:/x32.com//12
redirect:asdf.net


Why does this give no error? asdf.net has no TXT or SPF records!

3.
spftest spf "v=spf1 mx:xx.a/23"
rec-in /.*/ SPF record in: v=spf1 mx:xx.a/23
err-msg /.*/ no errors
rec-out-auto /.*/


This seems also not ok for me..


Can anyone help? Also, just to be sure: what to do if I find, for example,
an invalid IP in the TXT record? Just ignore it and process the rest, or
give an error as result?




-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
Re: Help on some Question
> I'm starting to write a new Java SPF library. But now I'm stuck on a few
> questions. I use the parser_text.txt to test my parser, but the problem
> is that I get some unexpected results. Here are my questions:
>
>
> 1. First test:
>
> spftest spf "v=spf1 include:a.a"
> rec-in /.*/ SPF record in: v=spf1 include:a.a
> err-msg /.*/ no errors
> rec-out-auto /.*/
>
>
> Why should this give no error? a.a seems not to be a valid domain to
> me.

Because a.a can be a DNS error on the other side of the world and you need to evaluate the rest. If this is
the only mechanism then you can throw an error, but if there is "v=spf1 mx include:a.a" then you
need to evaluate mx.


> 2.
>
> spftest spf "v=spf1 a:/x32.com//12 +redirect=asdf.net"
> rec-in /.*/ SPF record in: v=spf1 a:/x32.com//12
> +redirect=asdf.net
> err-msg /.*/ no errors
> rec-out /.*/ SPF record: v=spf1 a:/x32.com//12
> redirect:asdf.net
>
>
> Why does this give no error? asdf.net has no TXT or SPF records!

Same, don't evaluate asdf.net, this is "none", but evaluate all the others.

> 3.
> spftest spf "v=spf1 mx:xx.a/23"
> rec-in /.*/ SPF record in: v=spf1 mx:xx.a/23
> err-msg /.*/ no errors
> rec-out-auto /.*/
>
>
> This seems also not ok for me..
>
>
> Can anyone help? Also, just to be sure: what to do if I find, for example,
> an invalid IP in the TXT record? Just ignore it and process the rest, or
> give an error as result?

If there is an invalid IP, throw an error, but if there is an invalid domain in include or redirect, just
try to do your best. Maybe just your internet link has a broken link to some other DNS server?
Weird stuff happens on the internet; don't throw an error, because I have included the domain of my ISP and
they have usual admins. I can't check all DNS from all sides of the world every day.



Re: Help on some Question
On Tuesday, 25.04.2006, at 23:13 -0400, Dejan Petrovic wrote:
> > I'm starting to write a new Java SPF library. But now I'm stuck on a few
> > questions. I use the parser_text.txt to test my parser, but the problem
> > is that I get some unexpected results. Here are my questions:
> >
> >
> > 1. First test:
> >
> > spftest spf "v=spf1 include:a.a"
> > rec-in /.*/ SPF record in: v=spf1 include:a.a
> > err-msg /.*/ no errors
> > rec-out-auto /.*/
> >
> >
> > Why should this give no error? a.a seems not to be a valid domain to
> > me.
>
> Because a.a can be a DNS error on the other side of the world and you need to evaluate the rest. If this is
> the only mechanism then you can throw an error, but if there is "v=spf1 mx include:a.a" then you
> need to evaluate mx.
>
>
> > 2.
> >
> > spftest spf "v=spf1 a:/x32.com//12 +redirect=asdf.net"
> > rec-in /.*/ SPF record in: v=spf1 a:/x32.com//12
> > +redirect=asdf.net
> > err-msg /.*/ no errors
> > rec-out /.*/ SPF record: v=spf1 a:/x32.com//12
> > redirect:asdf.net
> >
> >
> > Why does this give no error? asdf.net has no TXT or SPF records!
>
> Same, don't evaluate asdf.net, this is "none", but evaluate all the others.
>
> > 3.
> > spftest spf "v=spf1 mx:xx.a/23"
> > rec-in /.*/ SPF record in: v=spf1 mx:xx.a/23
> > err-msg /.*/ no errors
> > rec-out-auto /.*/
> >
> >
> > This seems also not ok for me..
> >
> >
> > Can anyone help? Also, just to be sure: what to do if I find, for example,
> > an invalid IP in the TXT record? Just ignore it and process the rest, or
> > give an error as result?
>
> If there is an invalid IP, throw an error, but if there is an invalid domain in include or redirect, just
> try to do your best. Maybe just your internet link has a broken link to some other DNS server?
> Weird stuff happens on the internet; don't throw an error, because I have included the domain of my ISP and
> they have usual admins. I can't check all DNS from all sides of the world every day.
>
>
Thx for your help. Is the spf testsuite 2.1 the right tool to test my
SPF implementation? Or is there any better one for this? I just want to be
sure that it works like it should before making it public.

thx


Re: Help on some Question

Norman Maurer wrote:
> I'm starting to write a new Java SPF library. But now I'm stuck on a few
> questions. I use the parser_text.txt to test my parser, but the problem
> is that I get some unexpected results. Here are my questions:

What are those "parser_text.txt" and "spf testsuite 2.1" you're talking
about? I've never heard of them.

> 1. First test:
>
> spftest spf "v=spf1 include:a.a"
> rec-in /.*/ SPF record in: v=spf1 include:a.a
> err-msg /.*/ no errors
> rec-out-auto /.*/
>
> Why should this give no error? a.a seems not to be a valid domain to
> me.

Well, both draft-schlitt-spf-classic-02[1] and RFC 4408[2] -- the
soon-to-be final SPFv1 spec -- allow single-character TLDs. So you'll need to
search the domain "a.xy" for SPF records. Of course the TLD "a" doesn't
exist at the moment, but that might change in the future. Or it could
already exist in alternative DNS roots. SPF doesn't care that there are
no single-domain TLDs in the ICANN root _at_the_moment_.

> 2.
>
> spftest spf "v=spf1 a:/x32.com//12 +redirect=asdf.net"
> rec-in /.*/ SPF record in: v=spf1 a:/x32.com//12
> +redirect=asdf.net
> err-msg /.*/ no errors
> rec-out /.*/ SPF record: v=spf1 a:/x32.com//12
> redirect:asdf.net
>
> Why does this give no error? asdf.net has no TXT or SPF records!

Why you're not getting an error for "+redirect=asdf.net" I don't know.
Your test suite should die on "+redirect" already, because "redirect" is a
modifier, not a mechanism, and must not be prefixed by a "+" (or other)
qualifier. "redirect=asdf.net" (without the "+") is syntactically valid,
however. Only when you evaluate that term should it cause an error
because "asdf.net" has no SPF record (and thus cannot be redirected to).

You have an even more significant error in the above record,
though: "a:/x32.com//12" is a syntax error. "/x32.com" is neither a
<domain-spec> nor a <ip4-cidr-length>.

> 3.
> spftest spf "v=spf1 mx:xx.a/23"
> rec-in /.*/ SPF record in: v=spf1 mx:xx.a/23
> err-msg /.*/ no errors
> rec-out-auto /.*/
>
> This seems also not ok for me..

This is not a syntax error, see question 1. The "a" TLD might become
registered in the future, so SPF implementations need to look it up.

> Also, just to be sure: what to do if I find, for example, an invalid IP in
> the TXT record? Just ignore it and process the rest, or give an error as
> result?

Well, the spec says that IPv4 addresses must look like this:

   ip4-network      = qnum "." qnum "." qnum "." qnum
   qnum             = DIGIT                 ; 0-9
                      / %x31-39 DIGIT       ; 10-99
                      / "1" 2DIGIT          ; 100-199
                      / "2" %x30-34 DIGIT   ; 200-249
                      / "25" %x30-35        ; 250-255

Anything else, e.g. "256.0.0.1", is invalid following an "ip4:" and should
cause a "PermError" (syntax error).

Also note that SPF has a strict syntax error policy: the entire record must
be checked for syntax errors before a result is returned. In "v=spf1 mx
ip4:666", even if the "mx" mechanism matches, "ip4:666" is still an error,
and the entire record must be considered erroneous and "PermError" be
returned!

References:
1. http://new.openspf.org/blobs/draft-schlitt-spf-classic-02.txt
2. http://ftp.rfc-editor.org/in-notes/authors/rfc4408.txt

Re: Re: Help on some Question
On Wednesday, 26.04.2006, at 13:44 +0000, Julian Mehnle wrote:
> Norman Maurer wrote:
> > I'm starting to write a new Java SPF library. But now I'm stuck on a few
> > questions. I use the parser_text.txt to test my parser, but the problem
> > is that I get some unexpected results. Here are my questions:
>
> What are those "parser_text.txt" and "spf testsuite 2.1" you're talking
> about? I've never heard of them.

It's this: http://www.schlitt.net/spf/tests/index.html
According to the openspf.org website, these are tests which should work with
SPF implementations.
>
> > 1. First test:
> >
> > spftest spf "v=spf1 include:a.a"
> > rec-in /.*/ SPF record in: v=spf1 include:a.a
> > err-msg /.*/ no errors
> > rec-out-auto /.*/
> >
> > Why should this give no error? a.a seems not to be a valid domain to
> > me.
>
> Well, both draft-schlitt-spf-classic-02[1] and RFC 4408[2] -- the
> soon-to-be final SPFv1 spec -- allow single-character TLDs. So you'll need to
> search the domain "a.xy" for SPF records. Of course the TLD "a" doesn't
> exist at the moment, but that might change in the future. Or it could
> already exist in alternative DNS roots. SPF doesn't care that there are
> no single-domain TLDs in the ICANN root _at_the_moment_.

So all I should consider is that there is a "dot" in the
domain name or that it is a valid IP?

>
> > 2.
> >
> > spftest spf "v=spf1 a:/x32.com//12 +redirect=asdf.net"
> > rec-in /.*/ SPF record in: v=spf1 a:/x32.com//12
> > +redirect=asdf.net
> > err-msg /.*/ no errors
> > rec-out /.*/ SPF record: v=spf1 a:/x32.com//12
> > redirect:asdf.net
> >
> > Why does this give no error? asdf.net has no TXT or SPF records!
>
> Why you're not getting an error for "+redirect=asdf.net" I don't know.
> Your test suite should die on "+redirect" already, because "redirect" is a
> modifier, not a mechanism, and must not be prefixed by a "+" (or other)
> qualifier. "redirect=asdf.net" (without the "+") is syntactically valid,
> however. Only when you evaluate that term should it cause an error
> because "asdf.net" has no SPF record (and thus cannot be redirected to).
>
> You have an even more significant error in the above record,
> though: "a:/x32.com//12" is a syntax error. "/x32.com" is neither a
> <domain-spec> nor a <ip4-cidr-length>.
That was what I thought too. I just wondered because of the tests..

>
> > 3.
> > spftest spf "v=spf1 mx:xx.a/23"
> > rec-in /.*/ SPF record in: v=spf1 mx:xx.a/23
> > err-msg /.*/ no errors
> > rec-out-auto /.*/
> >
> > This seems also not ok for me..
>
> This is not a syntax error, see question 1. The "a" TLD might become
> registered in the future, so SPF implementations need to look it up.
>
Got it.

> > Also, just to be sure: what to do if I find, for example, an invalid IP in
> > the TXT record? Just ignore it and process the rest, or give an error as
> > result?
>
> Well, the spec says that IPv4 addresses must look like this:
>
>    ip4-network      = qnum "." qnum "." qnum "." qnum
>    qnum             = DIGIT                 ; 0-9
>                       / %x31-39 DIGIT       ; 10-99
>                       / "1" 2DIGIT          ; 100-199
>                       / "2" %x30-34 DIGIT   ; 200-249
>                       / "25" %x30-35        ; 250-255
>
> Anything else, e.g. "256.0.0.1", is invalid following an "ip4:" and should
> cause a "PermError" (syntax error).
>
> Also note that SPF has a strict syntax error policy: the entire record must
> be checked for syntax errors before a result is returned. In "v=spf1 mx
> ip4:666", even if the "mx" mechanism matches, "ip4:666" is still an error,
> and the entire record must be considered erroneous and "PermError" be
> returned!

So every syntax error in SPF must cause a permerror?

>
> References:
> 1. http://new.openspf.org/blobs/draft-schlitt-spf-classic-02.txt
> 2. http://ftp.rfc-editor.org/in-notes/authors/rfc4408.txt


Thx for the help

Re: Help on some Question

Norman Maurer wrote:
> Julian Mehnle wrote:
> > What are those "parser_text.txt" and "spf testsuite 2.1" you're
> > talking about? I've never heard of them.
>
> It's this: http://www.schlitt.net/spf/tests/index.html
> According to the openspf.org website, these are tests which should work with
> SPF implementations.

Oh, that. Actually, this is the best test suite we currently have, but it
is not currently being maintained. (Personally, I have never looked at
that test suite in detail, so I didn't know about the "parser_text.txt"
thing.)

> > Well, both draft-schlitt-spf-classic-02[1] and RFC 4408[2] -- the
> > soon-to-be final SPFv1 spec -- allow single-character TLDs. So
> > you'll need to search the domain "a.xy" for SPF records. Of course
> > the TLD "a" doesn't exist at the moment, but that might change in the
> > future. Or it could already exist in alternative DNS roots. SPF
> > doesn't care that there are no single-domain TLDs in the ICANN root
> > _at_the_moment_.
>
> So all I should consider is that there is a "dot" in the
> domain name or that it is a valid IP?

It's not _that_ simple. There are clearly defined grammar rules in the SPF
spec[1]. Note in particular that "a:<ip-address>" (e.g. "a:1.2.3.4") is
explicitly forbidden, because IP addresses don't have A (or AAAA) records.

> > Also note that SPF has a strict syntax error policy: the entire record
> > must be checked for syntax errors before a result is returned. In
> > "v=spf1 mx ip4:666", even if the "mx" mechanism matches, "ip4:666" is
> > still an error, and the entire record must be considered erroneous and
> > "PermError" be returned!
>
> So every syntax error in SPF must cause a permerror?

That's what the spec says, see section 4.6, "Record Evaluation":

After one SPF record has been selected, the check_host() function
parses and interprets it to find a result for the current test. If
there are any syntax errors, check_host() returns immediately with
the result "PermError".

Implementations MAY choose to parse the entire record first and
return "PermError" if the record is not syntactically well formed.
However, in all cases, any syntax errors anywhere in the record MUST
be detected.

References:
1. http://new.openspf.org/blobs/draft-schlitt-spf-classic-02.txt

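
The syntax rules discussed in the two replies above (qualifiers only on mechanisms, the qnum grammar for "ip4:", no IP address after "a:", and the full-record check before any result) can be sketched as follows. This is an added example, not code from the thread or from any SPF library. It assumes a simplified <domain-spec> without macros, omits ip6, and uses a hypothetical `matches` callback in place of real DNS lookups.

```python
import re

# qnum as in the ABNF quoted in the thread: 0-255, no leading zeros
QNUM = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])"
IP4 = rf"{QNUM}(?:\.{QNUM}){{3}}"
CIDR4 = r"(?:/(?:3[0-2]|[12]?[0-9]))?"               # optional /0 .. /32
CIDR6 = r"(?://(?:12[0-8]|1[01][0-9]|[1-9]?[0-9]))?"  # optional //0 .. //128
# Assumption: simplified <domain-spec> (letter/digit/hyphen labels, no macros).
# Top label may be one character but not all digits: "a.a" yes, "1.2.3.4" no.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = rf"(?:{LABEL}\.)+(?![0-9]+(?![A-Za-z0-9-])){LABEL}\.?"
DUAL = rf"(?::{DOMAIN})?{CIDR4}{CIDR6}"
MECHANISMS = {  # argument grammar per mechanism; ip6 is left out for brevity
    "all": "", "include": f":{DOMAIN}", "exists": f":{DOMAIN}",
    "a": DUAL, "mx": DUAL, "ptr": f"(?::{DOMAIN})?", "ip4": f":{IP4}{CIDR4}",
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def syntax_errors(record):
    """Return every malformed term in the record; nothing is looked up."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [record]
    bad = []
    for term in terms[1:]:
        mod = re.fullmatch(r"([A-Za-z][A-Za-z0-9_.-]*)=(.*)", term)
        if mod:  # modifier: name=value, never prefixed by a qualifier
            known = mod[1].lower() in ("redirect", "exp")
            ok = not known or re.fullmatch(DOMAIN, mod[2])
        else:    # directive: [qualifier] mechanism [argument]
            _, name, arg = re.fullmatch(r"([-+~?]?)([A-Za-z0-9]*)(.*)", term).groups()
            ok = name.lower() in MECHANISMS and re.fullmatch(MECHANISMS[name.lower()], arg)
        if not ok:
            bad.append(term)
    return bad

def check_host(record, matches):
    """matches(term) stands in for the DNS/IP comparison (hypothetical callback)."""
    if syntax_errors(record):  # whole record is checked before any result
        return "PermError"
    for term in record.split()[1:]:
        if "=" not in term and matches(term.lstrip("+-~?")):
            return QUALIFIERS.get(term[0], "Pass")
    return "Neutral"  # no mechanism matched; redirect= is not followed here

if __name__ == "__main__":
    for rec in ("v=spf1 include:a.a", "v=spf1 mx ip4:666",
                "v=spf1 a:/x32.com//12 +redirect=asdf.net"):
        print(rec, "->", syntax_errors(rec) or "no syntax errors")
```
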