Mailing List Archive

Stuart D. Gathman wrote:

> v=spf1 a:foo...bar -all
[...]
> Since the result of DNS lookup is not success or NXDOMAIN, the
> RFC defined SPF results is TEMPERROR. However, this error is
> hardly temporary. Any controversy on what the SPF result of the
> above should be?

Temporary or not, the spec. says TempError. What do you get, is
that a FORMERR ? With nslookup "set debug" I don't see the actual
error number. Apparently it never sends a query, it doesn't know
how to create the query. I'm not sure what it is, but it might be
something for 4408bis, not for the 4408 errata. What does libspf2
if res_mkquery() fails ?

Frank (at least I now found the place where I can set nosrchlist
and nodefname ;-)


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

On Sun, 8 Oct 2006, Frank Ellermann wrote:

> Stuart D. Gathman wrote:
>
> > v=spf1 a:foo...bar -all
> [...]
> > Since the result of DNS lookup is not success or NXDOMAIN, the
> > RFC defined SPF results is TEMPERROR. However, this error is
> > hardly temporary. Any controversy on what the SPF result of the
> > above should be?
>
> Temporary or not, the spec. says TempError. What do you get, is
> that a FORMERR ? With nslookup "set debug" I don't see the actual
> error number. Apparently it never sends a query, it doesn't know
> how to create the query. I'm not sure what it is, but it might be
> something for 4408bis, not for the 4408 errata. What does libspf2
> if res_mkquery() fails ?

In a DNS request, there are 6 bits for each label length in a domain-name, and
length 0 terminates the domain. So it literally cannot send such a
request. So there can never be any RCODE from the server, and the
RFC simply doesn't address the issue. Except it *does* address the
issue for looking up SPF records (initial processing) - long and empty
labels result in pretending there was an NXDOMAIN. We did some
experimenting on #spf with various resolvers. Some return a DNS
error, some return NODATA or NXDOMAIN, pydns removes empty labels.

Julian is practically crying because he wants such things to be a
PermError (even when the result of macro expansion). However, such
things are clearly not PermError in the current RFC. I can get
a TempError, or simply emulate initial processing and don't match.

I agree that a domain-spec of literally foo...bar should be a PermError
in a perfect world since the policy is clearly foobar. But then you have
tricky cases when the domain-spec contains macros. What if the empty (or long)
label shows up after macro expansion?

I have added test cases for long and empty labels in domain-spec. Allowed
results are nomatch (fail in the test case) and temperror. I made nomatch
the preferred result, because it is analogous to initial processing.
However, Julian violently disagrees. He wanted to ignore empty labels
(like pydns already does) and truncate long labels - and then look it up.
I violently disagree with that. A PermError, if we are fixing the RFC.
Otherwise, with the current RFC, temperror - if you really want the sender to
know his policy is broken, or nomatch.

Do we want the preferred result for a:foo...bar in the test-suite to be
temperror or nomatch?

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Stuart D. Gathman wrote:

> the RFC simply doesn't address the issue. Except it
> *does* address the issue for looking up SPF records
> (initial processing) - long and empty labels result
> in pretending there was an NXDOMAIN.

At least a hint for a consistent solution.

> Julian is practically crying because he wants such
> things to be a PermError.

That's what we'd want before "AUTH48", PermError is
better than TempError in this situation. And the name
of the term is <domain-spec>, not <expanded-garbage>.
It's also explained in 4.8, the <target-name> is an
FQDN. But foo...bar isn't an FQDN.

We could claim that that's "obvious" (an "obvious" lie
after nobody saw it in more than two years), and that
adding one statement with "missing" MUSTard in 4.8 as
erratum is perfectly normal (actually it's not).

This "missing" MUSTard could also kill OEMCOMPUTER if
we insist on one dot _within_ FQDN. After all that's
the purpose of this 2821 rule, catch bare host names.

Managers of TLDs should know how to avoid that trap.

Another solution could be to start the 4408bis I-Ds
now, with strict compatibility for all normal policies,
not the oddities you find here.

And we finally have some "lessons learned" to offer,
creating a test suite is an excellent way to debug
specifications. Not only to debug implementations.

> However, such things are clearly not PermError in
> the current RFC.

Above you said "simply doesn't address", that's not
a clear TempError, that's more like unspecified. It
is not a "match". That leaves no match, TempError,
and PermError.

For a literal foo...bar in the policy a PermError is
in the spirit of other cases of broken policies. For
HELO foo...bar arriving in a:%[h} the policy is okay,
only the HELO is bogus, that's more like "no match".

We don't have this subtlety outside of 4.3, where it
only catches the domain of the checked identity, not
the other domain.

> What if the empty (or long) label shows up after
> macro expansion?

Yes, then it's no error in the policy. Reporting a
PermError could be misleading. Maybe not much, but
it would need new prose in the PermError chapter.

> I made nomatch the preferred result, because it is
> analogous to initial processing.

That avoids the worst issue, who's responsible, the
sender or the policy author. Without macro that's
clear, the author screwed up. With macro it can be
hard to determine.

> Do we want the preferred result for a:foo...bar in
> the test-suite to be temperror or nomatch?

You said that depending on the API some get RCODE x
(neither 0 nor 3), for that the spec. says TempError.

That this API probably lies (like my nslookup) and
never sent an impossible query doesn't change that.

You said others get a local res_mkquery error. For
that it's "simply doesn't address the issue", and
"no match" is also okay. For the literal foo...bar
a PermError is also plausible / desirable.

You could test that implementations can't "match"
for this case, and allow all other outcomes (?)

You could argue that you want the same result for
a:foo...bar and a:%{h} with HELO foo...bar, and an
a:{%h} is no PermError. The least harmful result
is apparently "no match" (?)

Frank


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

On Sun, 8 Oct 2006, Frank Ellermann wrote:

> You said that depending on the API some get RCODE x
> (neither 0 nor 3), for that the spec. says TempError.

Actually, there is never any RCODE of any description.
Long and empty label simply can't be represented in a
DNS request packet. There is a 6-bit length, and a 0
length terminates the domain. The resolvers vary
in how they handle the error. Some return error codes,
others throw exceptions, one removes empty labels, etc.
The RFC addresses RCODES, but not local errors.

> You could argue that you want the same result for
> a:foo...bar and a:%{h} with HELO foo...bar, and an
> a:{%h} is no PermError. The least harmful result
> is apparently "no match" (?)

I agree.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> On Sun, 8 Oct 2006, Frank Ellermann wrote:
> > Stuart D. Gathman wrote:
> > > v=spf1 a:foo...bar -all
> > > [...]
> >
> > Temporary or not, the spec. says TempError.

No doubt. But then perhaps the spec is wrong?

> In a DNS request, there are 6 bits for each label length in a
> domain-name, and length 0 terminates the domain. So it literally cannot
> send such a request. So there can never be any RCODE from the server,
> and the RFC simply doesn't address the issue.

Exactly.

> Julian is practically crying because he wants such things to be a
> PermError (even when the result of macro expansion). However, such
> things are clearly not PermError in the current RFC. I can get
> a TempError, or simply emulate initial processing and don't match.
>
> I agree that a domain-spec of literally foo...bar should be a PermError
> in a perfect world since the policy is clearly foobar. But then you
> have tricky cases when the domain-spec contains macros. What if the
> empty (or long) label shows up after macro expansion?

In a perfect world, PermError. Or, as I said in ony of my previous
messages, an "InputError" sub-code of PermError.

> I have added test cases for long and empty labels in domain-spec.
> Allowed results are nomatch (fail in the test case) and temperror. I
> made nomatch the preferred result, because it is analogous to initial
> processing. However, Julian violently disagrees. He wanted to ignore
> empty labels (like pydns already does) and truncate long labels - and
> then look it up.

No way! You are clearly mistaken -- I never said I wanted that. You even
write above (correctly) that I desperately want these situations to be a
PermError.

> I violently disagree with that.

Me, too!

> A PermError, if we are fixing the RFC.

I'm 100% with you.

> Otherwise, with the current RFC, temperror - if you really want the
> sender to know his policy is broken, or nomatch.

Sadly, even nomatch would make more sense than TempError as a temporary
stop-gap interpretation of the broken spec. However, personally, I'd even
go so far as deliberately violating the spec and throwing a PermError none
the less.

> Do we want the preferred result for a:foo...bar in the test-suite to be
> temperror or nomatch?

Does it actually matter what the "preferred" result in the test suite is?


Frank Ellermann wrote:
> [A ...] solution could be to start the 4408bis I-Ds now, with strict
> compatibility for all normal policies, not the oddities you find here.

I could see us doing that. But we still might be better off leaving SPFv1
rest and starting an entirely other revision where we can fix more bugs,
even the conceptual ones, which we can't with SPFv1.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFW1V+wL7PKlBZWjsRAqZXAJ9FO20i4VEuMHcMSQVS2diRLC1PeACgpHcH
yxN/iOT7hHeBYGLFZlrx5rQ=
=yiOn
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

On Wed, 15 Nov 2006, Julian Mehnle wrote:

> > Do we want the preferred result for a:foo...bar in the test-suite to be
> > temperror or nomatch?
>
> Does it actually matter what the "preferred" result in the test suite is?

The test driver should print "WARNING" or some such when the result is
acceptable, but not the preferred result. (As does testspf.py)

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007