Mailing List Archive

InterPC.SPF and Test Suite
After many changes made, many bugs corrected and many code lines added, the
library finally passes all the Test Suite scenarios.

166 tests get the required result and 3 get a 'not preferred' result.

But in fact, I know that when used in a 'real' context (without requesting
a fake ZoneDatas DNS proxy) the 4 following tests will fail :

- a-colon-domain
- a-colon-domain-ip4mapped
- mx-colon-domain
- mx-colon-domain-ip4mapped

The reason is that those tests require dns query to be done with invalid
chars (foo:bar/baz.example.com).
Since InterPC.SPF is using Windows native api for Dns lookup, the win api
function returns DNS_ERROR_INVALID_NAME_CHAR Winerror because of the ':' and
'/' chars.
So in real dns lookup, these 4 tests would return PermError.

All changes will be released soon as InterPC.SPF 1.1.

I join the whole test results in XML readable format.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1007/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com
Re: InterPC.SPF and Test Suite
Eddy Minet wrote:

> the 4 following tests will fail :
> - a-colon-domain
> - a-colon-domain-ip4mapped
> - mx-colon-domain
> - mx-colon-domain-ip4mapped

Okay, all using e11.example.com:
| SPF: v=spf1 mx:foo:bar/baz.example.com

> Since InterPC.SPF is using Windows native api for
> Dns lookup, the win api function returns
> DNS_ERROR_INVALID_NAME_CHAR Winerror because of
> the ':' and '/' chars.

You could wrap it to get the required escaping if
that works: foo\:bar\/baz.example.com

In theory DNS can do any octet, down to "embedded"
dots or NULs. SPF directly only supports VCHAR
minus % (the test suite claims) plus space (with
the macro %_).

Checking the spec., no, the test suite comment is
wrong, SPF also supports % with the macro %%. That
is a missing test case, %% and %_ are supposed to
work (same idea as in e11.example).

> So in real dns lookup, these 4 tests would return
> PermError.

That might be not what you want, normally PermError
means "something with your policy needs to be fixed",
not "my DNS API does not support DNS"... ;-)

Admittedly an obscure case, why on earth do they use
these characters ? But drawing the line at arbitrary
places (any SPF implementation as it sees fit) would
be worse, e.g., at least "_" must work.

That stuff is also important for %{l}, the local part
macro, unless you decide that you don't support this
at all, period. Roughly SPF allows to treat local
parts as one or more dot separated domain labels.

And it got the "embedded dot" case wrong, or rather
the spec. is unclear what to do with "embedded dots":

Listed erratum, not yet in sync with the test suite,
http://www.openspf.org/RFC_4408/Errata#permerror-invalid-domains

This erratum is *apparently* also about your problem
with colon and slash, and states "whatever you do, it
is no TempError" (=> either 'no match' or PermError).

But actually this is only about *impossible* queries,
with an empty label as in "do..ts.example".

> I join the whole test results in XML readable format.

Thanks, do you just want it on public record, or should
it be copied to the Openspf site with a link from the
test suite page ?

Frank



RE: Re: InterPC.SPF and Test Suite
Frank Ellermann wrote:

> You could wrap it to get the required escaping if
> that works: foo\:bar\/baz.example.com

Does not work. All these chars are considered as 'invalid': { | } ~ [ \ ] ^ '
: ; < = > ? @ ! " # $ % ^ ` ( ) + / , and * if not in first place.
('_' is valid)

> This erratum is *apparently* also about your problem
> with colon and slash, and states "whatever you do, it
> is no TempError" (=> either 'no match' or PermError).

It is actually PermError that is returned in this case. Would 'no match' be
better ?
So it would be like that :
- DNS RCODE 0 or 3 = no match
- invalid char error = no match
- other DNS errors = TempError

> > I join the whole test results in XML readable format.
> Thanks, do you just want it on public record, or should
> it be copied to the Openspf site with a link from the
> test suite page ?

The XML is only for spf-devel list. Do you think it should be published ?

Eddy




Re: InterPC.SPF and Test Suite
Eddy Minet wrote:

> All these chars are considered as 'invalid': { | } ~ [ \ ] ^ '
> : ; < = > ? @ ! " # $ % ^ ` ( ) + / , and * if not in first place.

Tough, this win API is stupid... :-( For my W2K box I found a
nice `dig.exe`, it comes with a libdns.dll, libbind9.dll, etc.,
so maybe you can use something in this direction.

> ('_' is valid)

That's probably the most important case. Normally we could
say "nobody uses weirder characters". But with local parts
in mail addresses for the %{l} macro you never know.

> It is actually PermError that is returned in this case.
> Would 'no match' be better ?

Maybe. PermError typically means "your policy is broken",
and it also means "don't try that again before you fixed
it". With 'no match' you get whatever matches next, that
could be -all as well as +all among other possibilities.

Actually you should give up with a "not implemented" for
such cases, same idea as "NONE" or "NEUTRAL".

> The XML is only for spf-devel list.

Okay, folks will find it if they're curious, it's in the
various list archives. Just in case, did you by chance
translate the YAML to XML ? That is still on the "ToDo"
list for the test suite.

Frank



RE: Re: InterPC.SPF and Test Suite
I had a look at the dig executable and dll files.
It works great and returns NXDOMAIN for 'dig foo:bar/baz.example.com'.
Because the dlls are neither .NET assemblies nor COM enabled, it is only possible
to use it in 'command line mode' in a .NET environment.
So it is not good because it would require dig.exe to be installed on the
machine.
The better fix would be to find or implement a 'non windows api' .NET or COM
library. The problem is that most .NET implementations are Windows dnsapi
wrappers.

So I will keep the behavior of 'no result' for the
'dns_error_invalid_name_char' special case.

If you wonder about that mystic behavior of windows api you can read more
here : http://msdn.microsoft.com/en-us/library/ms682032(VS.85).aspx

About XML, I didn't convert the yaml to xml. I coded an 'on the fly' parser
that reads the yaml file and builds a .NET object containing scenarios, tests
and zone data.
That means that if you have already thought about a schema for the xml file it
would be easy for me to save back the object into XML data.

Eddy.





Re: InterPC.SPF and Test Suite
Eddy Minet wrote:

> you can read more here :
> http://msdn.microsoft.com/en-us/library/ms682032(VS.85).aspx

Thanks. If I get this right you could simply *ignore* error
DNS_ERROR_INVALID_NAME_CHAR, because what you are testing is
no "DnsNameHostnameFull", but a "DnsNameDomain". And if all
else fails you could do your own validation.

The real thing is function "DnsQuery", and if that allows in
essence any octet you're done. But I fear that none of the
three variants (ANSI, Unicode, UTF-8) covers "any octet" :-(

> if you have already thought about a schema for the xml file it
> would be easy for me to save back the object into XML data.

Julian and Stuart are the maintainers of the SPF test suite,
maybe they chime in about that.

Frank
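
An added example, not code from this thread or from InterPC.SPF: the "own validation" suggested above, done at DNS wire-format level, where ':' and '/' are ordinary label octets and only structurally impossible names such as "do..ts.example" are rejected, combined with the result mapping proposed earlier in the thread (RCODE 0 or 3 and invalid names give 'no match', other DNS errors give TempError). It goes slightly beyond the thread by also handling the RFC 1035 `\X` and `\DDD` escapes; `encode_qname`, `evaluate_target`, `fake_resolve`, `ImpossibleName` and the sample zone are hypothetical names and constructed data.

```python
class ImpossibleName(ValueError):
    """Name that cannot be sent in any DNS query (e.g. it has an empty label)."""

def encode_qname(name):
    """Presentation-form name -> wire format; any octet is legal in a label."""
    data = name.encode("latin-1")  # one octet per character
    labels, cur, i = [], bytearray(), 0
    while i < len(data):
        ch, step = data[i], 1
        if ch == 0x2E:  # unescaped dot closes the current label
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
            continue
        if ch == 0x5C:  # backslash: \DDD (decimal octet) or \X (literal X)
            ddd = data[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit() and int(ddd) <= 255:
                ch, step = int(ddd), 4
            elif ddd and not ddd[:1].isdigit():
                ch, step = ddd[0], 2
            else:
                raise ImpossibleName("bad escape in %r" % name)
        cur.append(ch)
        i += step
    if cur or not labels:
        labels.append(bytes(cur))  # final label when there is no trailing dot
    if any(not 1 <= len(label) <= 63 for label in labels):  # RFC 1035 limit
        raise ImpossibleName("empty or over-long label in %r" % name)
    wire = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    if len(wire) > 255:  # RFC 1035 limit on the whole encoded name
        raise ImpossibleName("name longer than 255 octets")
    return wire

def evaluate_target(name, resolve, client_ip):
    """Outcome for one a:/mx: target; resolve(wire) -> (rcode, addresses)."""
    try:
        wire = encode_qname(name)
    except ImpossibleName:
        return "no match"  # erratum: never TempError (PermError also allowed)
    rcode, addresses = resolve(wire)
    if rcode not in (0, 3):  # anything but NOERROR / NXDOMAIN
        return "TempError"
    return "match" if rcode == 0 and client_ip in addresses else "no match"

# Constructed zone (made-up data) standing in for a resolver; names hypothetical.
ZONE = {encode_qname("foo:bar/baz.example.com"): (0, ["192.0.2.10"])}

def fake_resolve(wire):
    return ZONE.get(wire, (3, []))  # unknown names -> NXDOMAIN
```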



RE: Re: InterPC.SPF and Test Suite
> The real thing is function "DnsQuery", and if that allows in
> essence any octet you're done. But I fear that none of the
> three variants (ANSI, Unicode, UTF-8) covers "any octet" :-(

Sure, DnsQuery is the only function I use. All calls to DnsQuery seem to
check the DnsValidateName rules. It is why I sent this link.
Using the Unicode or UTF8 version (_W, _UTF8) doesn't do the trick.




Re: InterPC.SPF and Test Suite
Eddy Minet wrote:

> All calls to DnsQuery seem to check the DnsValidateName rules.

Sorry, I did not get that. I found a page written by somebody
with the same SPF .net problem:

<http://www.codeproject.com/KB/library/DNS.NET_Resolver.aspx>

Frank



RE: Re: InterPC.SPF and Test Suite
Frank wrote :

> Sorry, I did not get that. I found a page written by somebody
> with the same SPF .net problem:
> <http://www.codeproject.com/KB/library/DNS.NET_Resolver.aspx>

Yes I've seen that today. It seems there is an issue with SPF request (RR
99). I use nvidia.com to test SPF type RR.
The test app returns 'not-used' so I'm searching the code to find what's
going wrong ...

It's a good point that win api is not used here and all ascii chars are
accepted ...

To continue ...




Re: Re: InterPC.SPF and Test Suite
On Monday 30 June 2008 12:09, Eddy Minet wrote:
> Frank wrote :
> > Sorry, I did not get that. I found a page written by somebody
> > with the same SPF .net problem:
> > <http://www.codeproject.com/KB/library/DNS.NET_Resolver.aspx>
>
> Yes I've seen that today. It seems there is an issue with SPF request (RR
> 99). I use nvidia.com to test SPF type RR.
> The test app returns 'not-used' so I'm searching the code to find what's
> going wrong ...
>
> It's a good point that win api is not used here and all ascii chars are
> accepted ...
>
> To continue ...
>
If you want a domain that has SPF RR records:

$ dig SPF bmsi.com

; <<>> DiG 9.4.2 <<>> SPF bmsi.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61032
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;bmsi.com. IN SPF

;; ANSWER SECTION:
bmsi.com. 86400 IN SPF "v=spf1 ip4:24.248.44.156 a mx -all"

Note SPF supported natively in BIND now. ;-)

Scott K

