Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Devel
an included "none" causes "unknown" abort
mengwong at dumbo
Feb 3, 2004, 10:34 AM
Post #1 of 3 (1363 views)
Permalink
On Tue, Feb 03, 2004 at 11:44:26AM +0100, Christophe Saout wrote:
| Am Di, den 03.02.2004 schrieb Paul Fisher um 06:12:
|
| > 2. Semantics of "include" mechanism are no longer clear
| >
| > Since the extra result values were added in 02.9.5, it's not clear how
| > "include" should behave. For example, Test #82 seems to indicate that
| > if a recursive query returns "none", then "include" should return
| > "unknown". Could text be added to Section 4.2 that covers all
| > possible recursive return values, much like the "include" section from
| > the November 02.7 RFC Draft (when softfail was last seen)?
|
| When the recursive lookup returns either ("none", "fail", "softfail" or
| "neutral") the include mechanism does not match. "pass" makes it return
| the prefix (+ -> "pass", - -> "fail", ~ -> "softfail", ? -> "neutral").
| Errors are directly returned.

The use case is:

vanity.domain.com TXT "v=spf1 include:myisp.com -all"
myisp.com TXT "v=spf1 a mx -all"

But then one day mysip.com's DNS gets messed up and the SPF record is
lost.

vanity.domain.com TXT "v=spf1 include:myisp.com -all"
myisp.com NXDOMAIN

So if myisp.com has no SPF record, do you want vanity.domain.com to
return FAIL or UNKNOWN?

If you want it to return FAIL, you treat "none" as no-match.

If you want it to return UNKNOWN, you treat "none" as an exception, UNKNOWN.

I think returning UNKNOWN is safer.

* * *

I have updated 4.2 in my working draft, 02.9.6, to say:

Example.net could say

"v=spf1 include:example.com include:example.org -all".

This mechanism matches when the new query result returns a pass, and
doesn't match when the result is fail. However, if the new query
returns none, unknown, or error, then processing of the entire SPF
query stops immediately and returns the unknown or error result.

pass => match, return the prefix value for "include"
fail => no match, continue processing
softfail => no match, continue processing
neutral => no match, continue processing
error => error, abort
unknown => unknown, abort
none => unknown, abort # see below

If the parent domain includes another domain, and that domain one day
loses its SPF record, it is better for the query to abort with
"unknown" than to continue on to a potential "-all".

If the text could be improved, please send me a patch :)

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@Ë`Ì{5¤¨wâÇSÓ°)h
Re: an included "none" causes "unknown" abort [ In reply to ]
christophe at saout
Feb 3, 2004, 10:53 AM
Post #2 of 3 (1315 views)
Permalink
Am Di, den 03.02.2004 schrieb Meng Weng Wong um 18:34:

> If you want it to return FAIL, you treat "none" as no-match.
>
> If you want it to return UNKNOWN, you treat "none" as an exception, UNKNOWN.
>
> I think returning UNKNOWN is safer.

Right. That's how I implemented it too, just forgot to mention it.


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@Ë`Ì{5¤¨wâÇSÓ°)h
Re: an included "none" causes "unknown" abort [ In reply to ]
philip-spf at gladstonefamily
Feb 3, 2004, 5:55 PM
Post #3 of 3 (1317 views)
Permalink
The way that M:S:Q is coded is that a missing SPF record (as required by
redirect or include) evaluates to 'unknown', and then the unknown
propagates.

The return value of 'none' is a special case for a missing SPF record
for the original sender domain.


Philip

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@Ë`Ì{5¤¨wâÇSÓ°)h

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal